Page MenuHomeFreeBSD
Differential D8211

Fix a double-free when an inp transitions to INP_TIMEWAIT state after having been dropped.
ClosedPublic
Actions

Authored by jch on Oct 10 2016, 11:09 AM.
Tags
None
Referenced Files
Unknown Object (File)
Nov 14 2024, 2:31 AM
Unknown Object (File)
Nov 10 2024, 3:09 PM
Unknown Object (File)
Nov 10 2024, 1:16 AM
Unknown Object (File)
Nov 9 2024, 9:54 PM
Unknown Object (File)
Nov 9 2024, 6:55 PM
Unknown Object (File)
Nov 9 2024, 6:38 PM
Unknown Object (File)
Nov 9 2024, 4:36 PM
Unknown Object (File)
Nov 9 2024, 3:01 PM
View All 76 Files
Subscribers
imp

Details

Reviewers
girgen
hiren
gnn
slw_zxy.spb.ru
Group Reviewers
transport
Summary

Fix a double-free when an inp transitions to INP_TIMEWAIT state after having been dropped.

This fixes enforces in_pcbdrop() logic in tcp_input():

"in_pcbdrop() is used by TCP to mark an inpcb as unused and avoid future packet
delivery or event notification when a socket remains open but TCP has closed."

PR: 203175
Reported by: Slawa Olhovchenkov, Palle Girgensohn, Urmas Lett, imp
Tested by: Slawa Olhovchenkov
MFC after: 1 week

Test Plan

Slawa can test this patch in 11, Palle might have time to test it in 10.

Diff Detail

Event Timeline

jch updated this revision to Diff 21227.Oct 10 2016, 11:09 AM
jch retitled this revision from to Fix a double-free when an inp transitions to INP_TIMEWAIT state after having been dropped..
jch updated this object.
jch edited the test plan for this revision. (Show Details)
jch added a reviewer: hiren.
Herald added a reviewer: transport. · View Herald TranscriptOct 10 2016, 11:09 AM
Herald added a subscriber: imp. · View Herald Transcript
jch added reviewers: slw_zxy.spb.ru, girgen.Oct 10 2016, 11:10 AM

Currently only @slw_zxy.spb.ru and @girgen have reproduced this issue thus are able to validate this change, I have not been able to reproduce it but our TCP QA is all good with this change.

slw_zxy.spb.ru edited edge metadata.Oct 10 2016, 11:22 AM

I think imp also have reproduced this issue (https://lists.freebsd.org/pipermail/freebsd-stable/2016-September/085518.html)
Also report Urmas Lett <urmas.lett@eenet.ee> (email to jch)

jch updated this object.Oct 10 2016, 11:36 AM
jch edited edge metadata.
jch updated this revision to Diff 21228.Oct 10 2016, 11:41 AM

Fix a comment typo

Herald edited edge metadata. · View Herald TranscriptOct 10 2016, 11:41 AM
jch added a comment.Oct 10 2016, 11:42 AM
In D8211#170331, @slw_zxy.spb.ru wrote:

I think imp also have reproduced this issue (https://lists.freebsd.org/pipermail/freebsd-stable/2016-September/085518.html)
Also report Urmas Lett <urmas.lett@eenet.ee> (email to jch)

You are right, added imp and Urmas in "Reported by:".

jch mentioned this in D8072: Remove an extraneous call to soisconnected() in syncache_socket(), introduced with r261242..Oct 12 2016, 6:52 AM
jch updated this revision to Diff 21348.Oct 13 2016, 9:21 AM
jch edited edge metadata.

Review from Slawa:

  • log(LOG_ERR) and workaround a difficult to debug case when INVARIANT is not defined
  • Add a tcp_twstart KASSERT
Herald edited edge metadata. · View Herald TranscriptOct 13 2016, 9:21 AM
slw_zxy.spb.ru added a comment.Oct 17 2016, 10:38 AM

I was testing this patch in 3 days.
No TCP related problems.

PS: Just for record: issuse present from 7.0

jch added a comment.Oct 17 2016, 11:03 AM
In D8211#171925, @slw_zxy.spb.ru wrote:

I was testing this patch in 3 days.
No TCP related problems.

Excellent, thanks for your time testing it, I am going to push it in HEAD and MFC it.

jch added a reviewer: gnn.Oct 17 2016, 1:58 PM

Still need someone from -transport to approve this review though. :)

gnn accepted this revision.Oct 17 2016, 2:01 PM
gnn edited edge metadata.
This revision is now accepted and ready to land.Oct 17 2016, 2:01 PM
jch added a comment.Oct 19 2016, 1:17 PM

gnn accepted this revision.

Thanks @gnn! Change pushed to HEAD, will be MFC in stable branches.

jch closed this revision.Oct 25 2016, 12:56 PM
jch added a comment.Oct 25 2016, 12:59 PM

Fixed and MFC'ed with rS307551: Fix a double-free when an inp transitions to INP_TIMEWAIT state.

Revision Contents
Changeset List

PathSize
sys/
netinet/
18 lines
4 lines
23 lines

Diff 21348

View Options

sys/netinet/tcp_input.c

Loading...
View Options

sys/netinet/tcp_timewait.c

Loading...
View Options

sys/netinet/tcp_usrreq.c

Loading...