Bug 216680 - suspicious sock leak
Status: NEW
Alias: None
Product: Networking
Classification: Unclassified
Component: IPV4
Hardware: All Linux
Importance: P1 normal
Assignee: Stephen Hemminger
Reported: 2022-11-11 13:59 UTC by bianmingkun
Modified: 2022-11-11 13:59 UTC
Kernel Version: 4.18.0
Regression: No

Description bianmingkun 2022-11-11 13:59:04 UTC
1. On an HTTP server, I insert a node into an eBPF map (BPF_MAP_TYPE_LRU_HASH) with BPF_MAP_UPDATE_ELEM when receiving an "HTTP GET" packet.
   eBPF map:
   key: cookie (from SO_COOKIE)
   value: saddr sport daddr dport

2. I delete the corresponding eBPF map node via "kprobe __sk_free" in eBPF.

3. I send a heavy load of "HTTP GET" requests to the HTTP server for a while, then stop sending and close the HTTP server. After waiting a long time, we cannot see any TCP info with "netstat -anp", and then the error occurs:

   We can see some nodes that were not deleted in the output of "bpftool map dump id **". It looks like a "sock leak", but the sockstat inuse count does not increase quickly.

4. I did some more experiments with eBPF kprobes. I found that a sock* does not go through __sk_free, but the same sock* is reused by another TCP connection (most frequently "127.0.0.1") after a while.
   What I wonder is why a new TCP connection can reuse an old sock when the old sock has not gone through __sk_free.
