From: Andi Kleen <andi@firstfloor.org>
To: netdev@vger.kernel.org
Subject: [RFC] [PATCH] Don't destroy TCP sockets twice
Date: Fri, 6 Aug 2010 13:05:11 +0200 [thread overview]
Message-ID: <20100806110511.GA16448@basil.fritz.box> (raw)
While working on something else I noticed that tcp_v4/6_destroy_sock()
can get called twice on a socket. This happens because when a reset or
similar happens tcp_done destroys the connection socket state, and
then eventually when the socket is released it is destroyed again.
Problem here is that the socket can actually still transmit packets
even after having been destroyed by tcp_done: this happens because
tcp_close is called after tcp_done, tcp_close calls tcp_send_fin which
then sends the FIN at least.
With my local modifications this lead to crashes (I destroyed some
additional state in destroy_sock that is needed for sending any
packets). But I think it's broken even without any changes: tcp_*_destroy
sock removes a lot of state, including MD5 state, congestion control
state and some others.
At least for MD5 it's easy to argue that the the FIN still needs this
state. I haven't tested that, but I think what will happen is that
you'll see FINs which are not MD5 signed after a reset (there is no
crash because zero MD5 state is ignored) There might be other similar
problems with congestion avoidance state and the FIN packet.
Overall it also seems inefficient to destroy twice.
The only thing in tcp_*_destroy sock that I think really needs to be
done is clearing the timers, but tcp_done does this already too.
So this patch changes tcp_done to not call inet_csk_destroy_sock()
and leave the destruction to the later final release or close.
The only drawback is that the buffers could be freed a bit later
for the RST case (e.g. when there is a reference to user space
it will wait for the user close), but that doesn't seem like a big
issue.
I made this a RFC for now because it needs some more review.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 6596b4f..f7cae15 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3171,8 +3171,6 @@ void tcp_done(struct sock *sk)
if (!sock_flag(sk, SOCK_DEAD))
sk->sk_state_change(sk);
- else
- inet_csk_destroy_sock(sk);
}
EXPORT_SYMBOL_GPL(tcp_done);
next reply other threads:[~2010-08-06 11:05 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-06 11:05 Andi Kleen [this message]
2010-08-09 21:30 ` [RFC] [PATCH] Don't destroy TCP sockets twice Herbert Xu
2010-08-10 8:30 ` Andi Kleen
2010-08-10 10:24 ` Herbert Xu
2010-08-10 10:32 ` Andi Kleen
2010-08-10 10:39 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100806110511.GA16448@basil.fritz.box \
--to=andi@firstfloor.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).