[PATCH net 0/2] rds-tcp: sock_graft() leak

[PATCH net 0/2] rds-tcp: sock_graft() leak

[Sowmini Varadhan]

Following up on the discussion at
  https://www.spinics.net/lists/netdev/msg442859.html
- make rds_tcp_accept_one() call sock_create_lite()
- add a WARN_ON() to sock_graft() 

Tested by running an infinite while() loop that does
(module-load; rds-stress; module-unload) and monitors
TCP slabinfo while the test is running.

Sowmini Varadhan (2):
  rds: tcp: use sock_create_lite() to create the accept socket
  net/sock: add WARN_ON(parent->sk) in sock_graft()

 include/net/sock.h   |    1 +
 net/rds/tcp_listen.c |    2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

[PATCH net 1/2] rds: tcp: use sock_create_lite() to create the accept socket

[Sowmini Varadhan]

There are two problems with calling sock_create_kern() from
rds_tcp_accept_one()
1. it sets up a new_sock->sk that is wasteful, because this ->sk
   is going to get replaced by inet_accept() in the subsequent ->accept()
2. The new_sock->sk is a leaked reference in sock_graft() which
   expects to find a null parent->sk

Avoid these problems by calling sock_create_lite().

Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
---
 net/rds/tcp_listen.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c
index c6dc8ca..c061d6e 100644
--- a/net/rds/tcp_listen.c
+++ b/net/rds/tcp_listen.c
@@ -136,7 +136,7 @@ int rds_tcp_accept_one(struct socket *sock)
 	if (!sock) /* module unload or netns delete in progress */
 		return -ENETUNREACH;
 
-	ret = sock_create_kern(sock_net(sock->sk), sock->sk->sk_family,
+	ret = sock_create_lite(sock->sk->sk_family,
 			       sock->sk->sk_type, sock->sk->sk_protocol,
 			       &new_sock);
 	if (ret)
-- 
1.7.1

[PATCH net 2/2] net/sock: add WARN_ON(parent->sk) in sock_graft()

[Sowmini Varadhan]

sock_graft() unilaterally sets up parent->sk based on the
assumption that the existing parent->sk is null. If this
condition is not true, then the existing parent->sk would
be leaked, so add a WARN_ON() to alert callers who may fall
in this category.

Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
---
 include/net/sock.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index 48e4d5c..8c85791 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1697,6 +1697,7 @@ static inline void sock_orphan(struct sock *sk)
 
 static inline void sock_graft(struct sock *sk, struct socket *parent)
 {
+	WARN_ON(parent->sk);
 	write_lock_bh(&sk->sk_callback_lock);
 	sk->sk_wq = parent->wq;
 	parent->sk = sk;
-- 
1.7.1

Re: [PATCH net 1/2] rds: tcp: use sock_create_lite() to create the accept socket

[Santosh Shilimkar]

On 7/6/2017 8:15 AM, Sowmini Varadhan wrote:
> There are two problems with calling sock_create_kern() from
> rds_tcp_accept_one()
> 1. it sets up a new_sock->sk that is wasteful, because this ->sk
>     is going to get replaced by inet_accept() in the subsequent ->accept()
> 2. The new_sock->sk is a leaked reference in sock_graft() which
>     expects to find a null parent->sk
> 
> Avoid these problems by calling sock_create_lite().
> 
> Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
> ---
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>

Re: [PATCH net 0/2] rds-tcp: sock_graft() leak

[David Miller]

From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date: Thu,  6 Jul 2017 08:15:05 -0700

> Following up on the discussion at
>   https://www.spinics.net/lists/netdev/msg442859.html
> - make rds_tcp_accept_one() call sock_create_lite()
> - add a WARN_ON() to sock_graft() 
> 
> Tested by running an infinite while() loop that does
> (module-load; rds-stress; module-unload) and monitors
> TCP slabinfo while the test is running.

This looks great, thanks for following up on this.

Series applied and queued up for -stable.