leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

vhost/vsock: fix reset orphans race with close timeout

Browse Source 
If a local process has closed a connected socket and hasn't received a
RST packet yet, then the socket remains in the table until a timeout
expires.

When a vhost_vsock instance is released with the timeout still pending,
the socket is never freed because vhost_vsock has already set the
SOCK_DONE flag.

Check if the close timer is pending and let it close the socket.  This
prevents the race which can leak sockets.

Reported-by: Maximilian Riemensberger <riemensberger@cadami.net>
Cc: Graham Whaley <graham.whaley@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
This commit is contained in:
Stefan Hajnoczi 2018-12-06 19:14:34 +00:00 committed by Michael S. Tsirkin
parent 2595646791
commit c38f57da42
1 changed files with 15 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
drivers/vhost/vsock.c
View File

@ -563,13 +563,21 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
* executing. * executing.
*/ */
if (!vhost_vsock_get(vsk->remote_addr.svm_cid)) { /* If the peer is still valid, no need to reset connection */
sock_set_flag(sk, SOCK_DONE); if (vhost_vsock_get(vsk->remote_addr.svm_cid))
vsk->peer_shutdown = SHUTDOWN_MASK; return;
sk->sk_state = SS_UNCONNECTED;
sk->sk_err = ECONNRESET; /* If the close timeout is pending, let it expire. This avoids races
sk->sk_error_report(sk); * with the timeout callback.
} */
if (vsk->close_work_scheduled)
return;
sock_set_flag(sk, SOCK_DONE);
vsk->peer_shutdown = SHUTDOWN_MASK;
sk->sk_state = SS_UNCONNECTED;
sk->sk_err = ECONNRESET;
sk->sk_error_report(sk);
} }
static int vhost_vsock_dev_release(struct inode *inode, struct file *file) static int vhost_vsock_dev_release(struct inode *inode, struct file *file)