From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tuong Lien, Ying Xue, Jon Maloy, Thang Ngo, "David S. Miller", Sasha Levin, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net
Subject: [PATCH AUTOSEL 5.4 264/330] tipc: fix memory leak in service subscripting
Date: Thu, 17 Sep 2020 22:00:04 -0400
Message-Id: <20200918020110.2063155-264-sashal@kernel.org>
In-Reply-To: <20200918020110.2063155-1-sashal@kernel.org>
References: <20200918020110.2063155-1-sashal@kernel.org>
X-stable: review

From: Tuong Lien

[ Upstream commit 0771d7df819284d46cf5cfb57698621b503ec17f ]

Upon receipt of a service subscription request from user via a topology
connection, one 'sub' object will be allocated in kernel, so it will be
able to send an event of the service if any to the user correspondingly
then. Also, in case of any failure, the connection will be shutdown and
all the pertaining 'sub' objects will be freed.

However, there is a race condition as follows resulting in memory leak:

       receive-work       connection        send-work
              |                |                |
        sub-1 |<------//-------|                |
        sub-2 |<------//-------|                |
              |                |<---------------| evt for sub-x
        sub-3 |<------//-------|                |
              :                :                :
              :                :                :
              |       /--------|                |
              |       |        * peer closed    |
              |       |        |                |
              |       |        |<-------X-------| evt for sub-y
              |       |        |<===============|
        sub-n |<------/        X    shutdown    |
    -> orphan |                                 |

That is, the 'receive-work' may get the last subscription request while
the 'send-work' is shutting down the connection due to peer close.

We had a 'lock' on the connection, so the two actions cannot be carried
out simultaneously. If the last subscription is allocated e.g. 'sub-n',
before the 'send-work' closes the connection, there will be no issue at
all, the 'sub' objects will be freed. In contrast the last subscription
will become orphan since the connection was closed, and we released all
references.

This commit fixes the issue by simply adding one test if the connection
remains in 'connected' state right after we obtain the connection lock,
then a subscription object can be created as usual, otherwise we ignore
it.

Acked-by: Ying Xue
Acked-by: Jon Maloy
Reported-by: Thang Ngo
Signed-off-by: Tuong Lien
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- net/tipc/topsrv.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c index 73dbed0c4b6b8..931c426673c02 100644 --- a/net/tipc/topsrv.c +++ b/net/tipc/topsrv.c 
@@ -400,7 +400,9 @@ static int tipc_conn_rcv_from_sock(struct tipc_conn *con) return -EWOULDBLOCK; if (ret == sizeof(s)) { read_lock_bh(&sk->sk_callback_lock); - ret = tipc_conn_rcv_sub(srv, con, &s); + /* RACE: the connection can be closed in the meantime */ + if (likely(connected(con))) + ret = tipc_conn_rcv_sub(srv, con, &s); read_unlock_bh(&sk->sk_callback_lock); if (!ret) return 0; -- 2.25.1
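
Review bot: in the new 'if (likely(connected(con)))' branch, when the connection is no longer connected the call to tipc_conn_rcv_sub() is skipped and 'ret' keeps the value sizeof(s) left over from the read, so the following 'if (!ret) return 0;' is not taken and that positive byte count is what the code after this block sees. If a late request is meant to be treated as a failure, assign an explicit error to 'ret' in an else branch instead of relying on the leftover value; if falling through is intended, the comment should say so. The comment could also name what the check is serialized against, since the lock visible here is sk->sk_callback_lock while the commit message speaks of the connection lock.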
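
The ordering described in the commit message, as an added userspace model that is not code from the patch or from the kernel. The struct and function names (conn, sub, conn_close, conn_rcv_sub) are hypothetical, and the lock is modelled only by running the two sides one after the other in the losing order, since the lock already rules out true overlap.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* Userspace model of the race; every name here is hypothetical. */
struct sub { struct sub *next; };
struct conn { bool connected; struct sub *subs; };
static int live_subs;                 /* allocated and not yet freed */

/* send-work side: peer closed, free every subscription the conn owns. */
static void conn_close(struct conn *c)
{
    c->connected = false;
    while (c->subs) {
        struct sub *s = c->subs;
        c->subs = s->next;
        free(s);
        live_subs--;
    }
}

/* receive-work side; check_state=false models the code before the fix. */
static int conn_rcv_sub(struct conn *c, bool check_state)
{
    struct sub *s;
    if (check_state && !c->connected)
        return -1;                    /* late request ignored, no allocation */
    s = malloc(sizeof(*s));
    if (!s)
        return -1;
    s->next = c->subs;
    c->subs = s;
    live_subs++;
    return 0;
}

/* Losing order: one request, shutdown, then the late request ("sub-n"). */
static int orphans_after_late_request(bool check_state)
{
    struct conn c = { .connected = true, .subs = NULL };
    live_subs = 0;
    conn_rcv_sub(&c, check_state);
    conn_close(&c);
    conn_rcv_sub(&c, check_state);    /* arrives after shutdown */
    return live_subs;                 /* nothing will ever free these */
}
int main(void)
{
    printf("orphans without check: %d, with check: %d\n",
           orphans_after_late_request(false), orphans_after_late_request(true));
    return 0;
}
```

Without the state check the late request leaves one allocation attached to a connection that has already run its cleanup; with the check nothing is allocated after shutdown.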