linux-stable/net/tipc
Tuong Lien 0771d7df81 tipc: fix memory leak in service subscripting
Upon receipt of a service subscription request from user via a topology
connection, one 'sub' object will be allocated in kernel, so it will be
able to send an event of the service if any to the user correspondingly
then. Also, in case of any failure, the connection will be shut down and
all the pertaining 'sub' objects will be freed.

However, there is a race condition as follows resulting in a memory leak:

       receive-work       connection        send-work
              |                |                |
        sub-1 |<------//-------|                |
        sub-2 |<------//-------|                |
              |                |<---------------| evt for sub-x
        sub-3 |<------//-------|                |
              :                :                :
              :                :                :
              |       /--------|                |
              |       |        * peer closed    |
              |       |        |                |
              |       |        |<-------X-------| evt for sub-y
              |       |        |<===============|
        sub-n |<------/        X    shutdown    |
    -> orphan |                                 |

That is, the 'receive-work' may get the last subscription request while
the 'send-work' is shutting down the connection due to peer close.

We had a 'lock' on the connection, so the two actions cannot be carried
out simultaneously. If the last subscription is allocated e.g. 'sub-n',
before the 'send-work' closes the connection, there will be no issue at
all, the 'sub' objects will be freed. In contrast, the last subscription
will become an orphan since the connection was closed, and we released all
references.

This commit fixes the issue by simply adding one test if the connection
remains in 'connected' state right after we obtain the connection lock,
then a subscription object can be created as usual, otherwise we ignore
it.

Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Reported-by: Thang Ngo <thang.h.ngo@dektech.com.au>
Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-05-13 12:33:18 -07:00
addr.c tipc: initialise addr_trail_end when setting node addresses 2019-08-11 21:40:04 -07:00
addr.h
bcast.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-22 15:15:05 -08:00
bcast.h tipc: update replicast capability for broadcast send link 2019-11-22 09:29:50 -08:00
bearer.c tipc: introduce variable window congestion control 2019-12-10 17:31:15 -08:00
bearer.h tipc: introduce variable window congestion control 2019-12-10 17:31:15 -08:00
core.c tipc: fix ordering of tipc module init and exit routine 2019-12-06 12:01:09 -08:00
core.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-11-16 21:51:42 -08:00
crypto.c tipc: Fix potential tipc_aead refcnt leak in tipc_crypto_rcv 2020-04-18 13:17:04 -07:00
crypto.h tipc: introduce TIPC encryption & authentication 2019-11-08 14:01:59 -08:00
diag.c
discover.c tipc: fix use-after-free in tipc_disc_rcv() 2019-12-10 17:45:04 -08:00
discover.h
eth_media.c tipc: introduce variable window congestion control 2019-12-10 17:31:15 -08:00
group.c tipc: clean up skb list lock handling on send path 2019-08-18 14:01:07 -07:00
group.h
ib_media.c tipc: introduce variable window congestion control 2019-12-10 17:31:15 -08:00
Kconfig tipc: introduce TIPC encryption & authentication 2019-11-08 14:01:59 -08:00
link.c tipc: fix incorrect increasing of link window 2020-04-15 16:23:33 -07:00
link.h tipc: introduce variable window congestion control 2019-12-10 17:31:15 -08:00
Makefile tipc: remove meaningless assignment in Makefile 2020-01-08 12:38:54 -08:00
monitor.c tipc: add NULL pointer check to prevent kernel oops 2020-03-15 00:07:00 -07:00
monitor.h tipc: update mon's self addr when node addr generated 2019-11-12 19:45:45 -08:00
msg.c tipc: simplify trivial boolean return 2020-03-15 00:07:00 -07:00
msg.h tipc: Add a missing case of TIPC_DIRECT_MSG type 2020-03-26 11:21:02 -07:00
name_distr.c tipc: improve throughput between nodes in netns 2019-10-29 17:55:38 -07:00
name_distr.h
name_table.c tipc: fix name table rbtree issues 2019-12-10 17:45:04 -08:00
name_table.h tipc: support in-order name publication events 2019-11-22 09:29:50 -08:00
net.c tipc: make legacy address flag readable over netlink 2019-12-20 21:18:42 -08:00
net.h tipc: make legacy address flag readable over netlink 2019-12-20 21:18:42 -08:00
netlink.c tipc: add missing attribute validation for MTU property 2020-03-03 13:28:49 -08:00
netlink.h net: tipc: allocate attrs locally instead of using genl_family_attrbuf in compat_dumpit() 2019-10-06 15:44:47 +02:00
netlink_compat.c tipc: eliminate KMSAN: uninit-value in __tipc_nl_compat_dumpit error 2020-01-06 13:24:31 -08:00
node.c tipc: Fix potential tipc_node refcnt leak in tipc_rcv 2020-04-18 13:24:20 -07:00
node.h tipc: add support for AEAD key setting via netlink 2019-11-08 14:01:59 -08:00
socket.c tipc: fix large latency in smart Nagle streaming 2020-05-13 12:33:18 -07:00
socket.h
subscr.c
subscr.h
sysctl.c tipc: introduce TIPC encryption & authentication 2019-11-08 14:01:59 -08:00
topsrv.c tipc: fix memory leak in service subscripting 2020-05-13 12:33:18 -07:00
topsrv.h
trace.c
trace.h
udp_media.c tipc: introduce variable window congestion control 2019-12-10 17:31:15 -08:00
udp_media.h