diff mbox series

mptcp: put subflow sock on connect error

Message ID 20210217154205.7379-1-fw@strlen.de
State Accepted, archived
Commit b2dc043f86c3eff19482580ef7fbeb5b84b15ba4
Delegated to: Matthieu Baerts
Headers show
Series mptcp: put subflow sock on connect error | expand

Commit Message

Florian Westphal Feb. 17, 2021, 3:42 p.m. UTC 
mptcp_add_pending_subflow() performs a sock_hold() on the subflow,
then adds the subflow to the join list.

Without a sock_put the subflow sk won't be freed in case connect() fails.

unreferenced object 0xffff88810c03b100 (size 3000):
[..]
    sk_prot_alloc.isra.0+0x2f/0x110
    sk_alloc+0x5d/0xc20
    inet6_create+0x2b7/0xd30
    __sock_create+0x17f/0x410
    mptcp_subflow_create_socket+0xff/0x9c0
    __mptcp_subflow_connect+0x1da/0xaf0
    mptcp_pm_nl_work+0x6e0/0x1120
    mptcp_worker+0x508/0x9a0

Fixes: 5b950ff4331ddda ("mptcp: link MPC subflow into msk only after accept")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/mptcp/subflow.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Mat Martineau Feb. 18, 2021, 12:17 a.m. UTC | #1 
On Wed, 17 Feb 2021, Florian Westphal wrote:

> mptcp_add_pending_subflow() performs a sock_hold() on the subflow,
> then adds the subflow to the join list.
>
> Without a sock_put the subflow sk won't be freed in case connect() fails.
>
> unreferenced object 0xffff88810c03b100 (size 3000):
> [..]
>    sk_prot_alloc.isra.0+0x2f/0x110
>    sk_alloc+0x5d/0xc20
>    inet6_create+0x2b7/0xd30
>    __sock_create+0x17f/0x410
>    mptcp_subflow_create_socket+0xff/0x9c0
>    __mptcp_subflow_connect+0x1da/0xaf0
>    mptcp_pm_nl_work+0x6e0/0x1120
>    mptcp_worker+0x508/0x9a0
>
> Fixes: 5b950ff4331ddda ("mptcp: link MPC subflow into msk only after accept")
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> net/mptcp/subflow.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
> index 06e233410e0e..e411be079c44 100644
> --- a/net/mptcp/subflow.c
> +++ b/net/mptcp/subflow.c
> @@ -1291,6 +1291,7 @@ int __mptcp_subflow_connect(struct sock *sk, const struct mptcp_addr_info *loc,
> 	spin_lock_bh(&msk->join_list_lock);
> 	list_del(&subflow->node);
> 	spin_unlock_bh(&msk->join_list_lock);
> +	sock_put(mptcp_subflow_tcp_sock(subflow));
>
> failed:
> 	subflow->disposable = 1;
> -- 
> 2.26.2

Thanks for the fix, Florian.

Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>

--
Mat Martineau
Intel
Matthieu Baerts Feb. 22, 2021, 5:15 p.m. UTC | #2 
Hi Florian, Mat,

On 17/02/2021 16:42, Florian Westphal wrote:
> mptcp_add_pending_subflow() performs a sock_hold() on the subflow,
> then adds the subflow to the join list.
> 
> Without a sock_put the subflow sk won't be freed in case connect() fails.

Thank you for the patch and the review!

With a bit of delay, sorry for that, it is now in our tree with Mat's 
RvB tag:

- b2dc043f86c3: mptcp: put subflow sock on connect error
- Results: 253897668c44..356eae3ba43b

Tests + export are in progress!

Cheers,
Matt
diff mbox series

Patch

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 06e233410e0e..e411be079c44 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -1291,6 +1291,7 @@  int __mptcp_subflow_connect(struct sock *sk, const struct mptcp_addr_info *loc,
 	spin_lock_bh(&msk->join_list_lock);
 	list_del(&subflow->node);
 	spin_unlock_bh(&msk->join_list_lock);
+	sock_put(mptcp_subflow_tcp_sock(subflow));
 
 failed:
 	subflow->disposable = 1;