From: Florian Westphal
Cc: Florian Westphal
Date: Fri, 20 Nov 2020 00:47:14 +0100
Message-Id: <20201119234714.8519-1-fw@strlen.de>
Subject: [MPTCP] [PATCH mptcp] squashto: mptcp: protect the rx path with the msk socket spinlock
List-Id: Discussions regarding MPTCP upstreaming

Looks like the arguments are inverted.
Intention seems to move the msk rx queue to the sk one so it can
be purged from the destroy function.

This avoids:
unreferenced object 0xffff888105cd3800 (size 512):
  comm "packetdrill", pid 1648, jiffies 4294677515 (age 433.463s)
  hex dump (first 32 bytes):
    3c 33 30 3e 4e 6f 76 20 32 30 20 30 30 3a 32 33  <30>Nov 20 00:23
    3a 34 38 20 73 79 73 74 65 6d 64 5b 31 5d 3a 20  :48 systemd[1]:
  backtrace:
    [<00000000b794d231>] __kmalloc_reserve.isra.0+0x2d/0x90
    [<000000000421e158>] __alloc_skb+0x90/0x260
    [<00000000d46c1201>] alloc_skb_with_frags+0x5e/0x250
    [<00000000357464a5>] sock_alloc_send_pskb+0x265/0x2a0
    [<00000000a73deb72>] tun_get_user+0x4dc/0x1840
    [<00000000ba538b49>] tun_chr_write_iter+0x51/0x80
    [<000000004f72fd7e>] do_iter_readv_writev+0x1c6/0x2b0
    [<00000000c606f908>] do_iter_write+0xb1/0x230
    [<0000000088092c0e>] vfs_writev+0xcb/0x130
    [<00000000f9881e25>] do_writev+0x8c/0x150
    [<00000000dc31e12e>] do_syscall_64+0x2d/0x40
    [<0000000019b09572>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

plus WARN()s from nonzero sk_forward_alloc.
---
 net/mptcp/protocol.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 92236a2ccbea..e62d34034d9e 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2707,7 +2707,9 @@ void mptcp_destroy_common(struct mptcp_sock *msk) __mptcp_clear_xmit(sk); - skb_queue_splice_tail_init(&sk->sk_receive_queue, &msk->receive_queue); + /* move to sk_receive_queue, sk_stream_kill_queues will purge it */ + skb_queue_splice_tail_init(&msk->receive_queue, &sk->sk_receive_queue); + skb_rbtree_purge(&msk->out_of_order_queue); mptcp_token_destroy(msk); mptcp_pm_free_anno_list(msk);
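
Review bot: the added skb_rbtree_purge(&msk->out_of_order_queue) call in mptcp_destroy_common() is not explained by the commit message, which only describes the inverted skb_queue_splice_tail_init() arguments and the msk rx queue. Please say in the changelog whether the out-of-order queue was part of the reported leak or of the sk_forward_alloc WARN()s, or was added for another reason. The splice fix itself depends on the ordering stated in the new comment: skbs moved onto sk->sk_receive_queue are only freed if sk_stream_kill_queues runs after this function, and that call is not visible in this hunk, so it is worth confirming for every caller of mptcp_destroy_common().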