[Patch net] tcp: reset sk_rx_dst in tcp_disconnect()

[Patch net] tcp: reset sk_rx_dst in tcp_disconnect()

[Cong Wang]

We have to reset the sk->sk_rx_dst when we disconnect a TCP
connection, because otherwise when we re-connect it this
dst reference is simply overridden in tcp_finish_connect().

This fixes a dst leak which leads to a loopback dev refcnt
leak. It is a long-standing bug, Kevin reported a very similar
(if not same) bug before. Thanks to Andrei for providing such
a reliable reproducer which greatly narrows down the problem.

Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
Reported-by: Andrei Vagin <avagin@gmail.com>
Reported-by: Kevin Xu <kaiwen.xu@hulu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 net/ipv4/tcp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b5ea036..40aca78 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2330,6 +2330,8 @@ int tcp_disconnect(struct sock *sk, int flags)
 	tcp_init_send_head(sk);
 	memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
 	__sk_dst_reset(sk);
+	dst_release(sk->sk_rx_dst);
+	sk->sk_rx_dst = NULL;
 	tcp_saved_syn_free(tp);
 
 	/* Clean up fastopen related fields */
-- 
2.5.5

Re: [Patch net] tcp: reset sk_rx_dst in tcp_disconnect()

[David Miller]

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Sat, 24 Jun 2017 23:50:30 -0700

> We have to reset the sk->sk_rx_dst when we disconnect a TCP
> connection, because otherwise when we re-connect it this
> dst reference is simply overridden in tcp_finish_connect().
> 
> This fixes a dst leak which leads to a loopback dev refcnt
> leak. It is a long-standing bug, Kevin reported a very similar
> (if not same) bug before. Thanks to Andrei for providing such
> a reliable reproducer which greatly narrows down the problem.
> 
> Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
> Reported-by: Andrei Vagin <avagin@gmail.com>
> Reported-by: Kevin Xu <kaiwen.xu@hulu.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Applied and queued up for -stable, thanks!

Re: [Patch net] tcp: reset sk_rx_dst in tcp_disconnect()

[Jamie Bainbridge]

On 25 June 2017 at 16:50, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> We have to reset the sk->sk_rx_dst when we disconnect a TCP
> connection, because otherwise when we re-connect it this
> dst reference is simply overridden in tcp_finish_connect().
>
> This fixes a dst leak which leads to a loopback dev refcnt
> leak. It is a long-standing bug, Kevin reported a very similar
> (if not same) bug before. Thanks to Andrei for providing such
> a reliable reproducer which greatly narrows down the problem.
>
> Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
> Reported-by: Andrei Vagin <avagin@gmail.com>
> Reported-by: Kevin Xu <kaiwen.xu@hulu.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Are you able to supply the reproducer for this?

I did search for a previous thread about it but could not find.

Jamie

Re: [Patch net] tcp: reset sk_rx_dst in tcp_disconnect()

[Cong Wang]

On Tue, Jul 4, 2017 at 11:54 PM, Jamie Bainbridge
<jamie.bainbridge@gmail.com> wrote:
> On 25 June 2017 at 16:50, Cong Wang <xiyou.wangcong@gmail.com> wrote:
>> We have to reset the sk->sk_rx_dst when we disconnect a TCP
>> connection, because otherwise when we re-connect it this
>> dst reference is simply overridden in tcp_finish_connect().
>>
>> This fixes a dst leak which leads to a loopback dev refcnt
>> leak. It is a long-standing bug, Kevin reported a very similar
>> (if not same) bug before. Thanks to Andrei for providing such
>> a reliable reproducer which greatly narrows down the problem.
>>
>> Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
>> Reported-by: Andrei Vagin <avagin@gmail.com>
>> Reported-by: Kevin Xu <kaiwen.xu@hulu.com>
>> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
>
> Are you able to supply the reproducer for this?
>
> I did search for a previous thread about it but could not find.

Here it is:
http://marc.info/?l=linux-kernel&m=149825461307610&w=2