Re: [PATCH net,v2] tcp: fix forever orphan socket caused by tcp_abort

[Xueming Feng]

On Mon, Aug 14, 2024 at 7:34 AM Lorenzo Colitti <lorenzo@xxxxxxxxxx> wrote:
> On Mon, Aug 12, 2024 at 7:53 PM Xueming Feng <kuro@xxxxxxxx> wrote:
> > The -ENOENT code comes from the associate patch Lorenzo made for
> > iproute2-ss; link attached below.
> 
> ENOENT does seem reasonable. It's the same thing that would happen if
> userspace passed in a nonexistent cookie (we have a test for that).

In the latest TCP RFC 9293, section 3.10.5 on the ABORT CALL, it mentions
that an "error: connection does not exist" to be returned for a CLOSED 
STATE. I noticed this while verifying whether a reset in the FIN-WAIT 
STATE is legal, which it is.

> I'd guess this could happen if userspace was trying to destroy a
> socket but it lost the race against the process owning a socket
> closing it?

Yes, that’s exactly the scenario I'm addressing. I tested this locally
by calling tcp_diag twice with the same socket pointer.

> 
> >        bh_unlock_sock(sk);
> >        local_bh_enable();
> > -       tcp_write_queue_purge(sk);
> 
> Is this not necessary in any other cases? What if there is
> retransmitted data, shouldn't that be cleared?

The tcp_write_queue_purge() function is indeed invoked within 
tcp_done_with_error(). In this patch, the tcp_done_with_error is elevated
to the same logical level where tcp_write_queue_purge would typically be 
called. The difference is that the purge happens just before tcp_done.
So the queue should still be cleared in other scenarios as well.