| From foo@baz Thu Apr 10 22:03:04 PDT 2014 |
| From: Ying Xue <ying.xue@windriver.com> |
| Date: Thu, 6 Mar 2014 14:40:17 +0100 |
| Subject: tipc: fix connection refcount leak |
| |
| From: Ying Xue <ying.xue@windriver.com> |
| |
| [ Upstream commit 4652edb70e8a7eebbe47fa931940f65522c36e8f ] |
| |
| When tipc_conn_sendmsg() calls tipc_conn_lookup() to query a |
| connection instance, its reference count value is increased if |
| it's found. But subsequently if it's found that the connection is |
| closed, the work of sending message is not queued into its server |
| send workqueue, and the connection reference count is not decreased. |
| This will cause a reference count leak. To reproduce this problem, |
| an application would need to open and close topology server |
| connections with high intensity. |
| |
| We fix this by immediately decrementing the connection reference |
| count if a send fails due to the connection being closed. |
| |
| Signed-off-by: Ying Xue <ying.xue@windriver.com> |
| Acked-by: Erik Hugne <erik.hugne@ericsson.com> |
| Reviewed-by: Jon Maloy <jon.maloy@ericsson.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/tipc/server.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/net/tipc/server.c |
| +++ b/net/tipc/server.c |
| @@ -427,10 +427,12 @@ int tipc_conn_sendmsg(struct tipc_server |
| list_add_tail(&e->list, &con->outqueue); |
| spin_unlock_bh(&con->outqueue_lock); |
| |
| - if (test_bit(CF_CONNECTED, &con->flags)) |
| + if (test_bit(CF_CONNECTED, &con->flags)) { |
| if (!queue_work(s->send_wq, &con->swork)) |
| conn_put(con); |
| - |
| + } else { |
| + conn_put(con); |
| + } |
| return 0; |
| } |
| |
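Review bot: In the new else branch, the entry has already been added to con->outqueue by list_add_tail() before CF_CONNECTED is tested, and the function still falls through to return 0. The caller is told the send succeeded although no work was queued for it. Consider testing CF_CONNECTED before the entry is queued and returning an error to the caller. Otherwise, the commit message should say where entries left on the outqueue of a closed connection are freed once the last reference is dropped, since that is not visible in this hunk. As a smaller style point, the two conn_put(con) calls could be folded into one condition, for example "if (!test_bit(CF_CONNECTED, &con->flags) || !queue_work(s->send_wq, &con->swork)) conn_put(con);". That keeps the reference drop in one place and removes the nested if.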