From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tuong Lien <tuong.t.lien@dektech.com.au>,
Ying Xue <ying.xue@windriver.com>, Jon Maloy <jmaloy@redhat.com>,
Thang Ngo <thang.h.ngo@dektech.com.au>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net
Subject: [PATCH AUTOSEL 4.19 162/206] tipc: fix memory leak in service subscripting
Date: Thu, 17 Sep 2020 22:07:18 -0400
Message-ID: <20200918020802.2065198-162-sashal@kernel.org>
In-Reply-To: <20200918020802.2065198-1-sashal@kernel.org>
From: Tuong Lien <tuong.t.lien@dektech.com.au>
[ Upstream commit 0771d7df819284d46cf5cfb57698621b503ec17f ]
Upon receipt of a service subscription request from user via a topology
connection, one 'sub' object will be allocated in kernel, so it will be
able to send an event of the service if any to the user correspondingly
then. Also, in case of any failure, the connection will be shut down and
all the pertaining 'sub' objects will be freed.
However, there is a race condition as follows resulting in a memory leak:
     receive-work       connection        send-work
              |                |                |
        sub-1 |<------//-------|                |
        sub-2 |<------//-------|                |
              |                |<---------------| evt for sub-x
        sub-3 |<------//-------|                |
              :                :                :
              :                :                :
              |       /--------|                |
              |       |        * peer closed    |
              |       |        |                |
              |       |        |<-------X-------| evt for sub-y
              |       |        |<===============|
        sub-n |<------/        X shutdown       |
    -> orphan |                                 |
That is, the 'receive-work' may get the last subscription request while
the 'send-work' is shutting down the connection due to peer close.
We had a 'lock' on the connection, so the two actions cannot be carried
out simultaneously. If the last subscription is allocated e.g. 'sub-n',
before the 'send-work' closes the connection, there will be no issue at
all, the 'sub' objects will be freed. In contrast, the last subscription
will become an orphan since the connection was closed, and we released all
references.
This commit fixes the issue by simply adding one test if the connection
remains in 'connected' state right after we obtain the connection lock,
then a subscription object can be created as usual, otherwise we ignore
it.
Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Reported-by: Thang Ngo <thang.h.ngo@dektech.com.au>
Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/topsrv.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index 41f4464ac6cc5..ec9a7137d2677 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -407,7 +407,9 @@ static int tipc_conn_rcv_from_sock(struct tipc_conn *con)
return -EWOULDBLOCK;
if (ret == sizeof(s)) {
read_lock_bh(&sk->sk_callback_lock);
- ret = tipc_conn_rcv_sub(srv, con, &s);
+ /* RACE: the connection can be closed in the meantime */
+ if (likely(connected(con)))
+ ret = tipc_conn_rcv_sub(srv, con, &s);
read_unlock_bh(&sk->sk_callback_lock);
if (!ret)
return 0;
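Review bot: When `connected(con)` is false, `ret` is never reassigned and still holds `sizeof(s)` from the enclosing `if (ret == sizeof(s))` test, so `if (!ret)` is false and control leaves this block with a positive, non-error value. If that fall-through is the intended way to drop the request, say so in the comment; otherwise set `ret` explicitly in an else branch so the caller sees a defined error code rather than a byte count. The new comment would also be more useful if it stated that the state test is only meaningful because it runs under `sk->sk_callback_lock`, since the commit message speaks of a "connection lock" while the hunk takes `read_lock_bh(&sk->sk_callback_lock)`.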
--
2.25.1