Re: [PATCH net,v2] tcp: fix forever orphan socket caused by tcp_abort

From: Xueming Feng
Date: Wed Aug 14 2024 - 04:46:43 EST


On Mon, Aug 14, 2024 at 7:34 AM Lorenzo Colitti <lorenzo@xxxxxxxxxx> wrote:
> On Mon, Aug 12, 2024 at 7:53 PM Xueming Feng <kuro@xxxxxxxx> wrote:
> > The -ENOENT code comes from the associated patch Lorenzo made for
> > iproute2-ss; link attached below.
>
> ENOENT does seem reasonable. It's the same thing that would happen if
> userspace passed in a nonexistent cookie (we have a test for that).

In the latest TCP RFC 9293, section 3.10.5 on the ABORT CALL, it mentions
that an "error: connection does not exist" is to be returned for the CLOSED
STATE. I noticed this while verifying whether a reset in the FIN-WAIT
STATE is legal, which it is.

> I'd guess this could happen if userspace was trying to destroy a
> socket but it lost the race against the process owning a socket
> closing it?

Yes, that’s exactly the scenario I'm addressing. I tested this locally
by calling tcp_diag twice with the same socket pointer.

>
> > bh_unlock_sock(sk);
> > local_bh_enable();
> > - tcp_write_queue_purge(sk);
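Review bot: dropping `- tcp_write_queue_purge(sk);` after `local_bh_enable();` is only safe if every path that previously reached this line now goes through tcp_done_with_error(), which the reply says performs the purge itself; otherwise queued or retransmitted data would be left behind on the orphaned socket. A short comment at the call site noting that the purge now happens inside tcp_done_with_error() would make that dependency visible to the next reader of this function.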
>
> Is this not necessary in any other cases? What if there is
> retransmitted data, shouldn't that be cleared?

The tcp_write_queue_purge() function is indeed invoked within
tcp_done_with_error(). In this patch, the tcp_done_with_error() call is elevated
to the same logical level where tcp_write_queue_purge() would typically be
called. The difference is that the purge happens just before tcp_done().
So the queue should still be cleared in the other scenarios as well.