net: tcp: Fix TCP connection ref counting

rlubos · fabiobaltieri · commit 79461a378c83 · 2023-01-26T12:34:04.000Z
The net_context/TCP connection context ref counting needed to be fixed,
to avoid situation where TCP connection context could be released
before net_context is released.

Generally, this commit modifies the ref counting of the above as
follows:
* net_context is referenced both by the application and TCP stack, when
  created.
* TCP context is referenced by the application when created. The TCP
  stack adds ref to the TCP context only after connection has been
  established.
* TCP stack needs to call the final upper layer callback when connection
  is closed, but before the TCP context is released (i. e. to give upper
  layer chance to dereference the context on its side). For this,
  tcp_conn_close() was introduced which is called from within TCP stack
  instead of directly dereferencing the TCP context.
* TCP stack dereferences the net_context only after the TCP context has
  been released (i. e. upper layer has dereferenced TCP context on it's
  side and connection has been tear down, if established).

Signed-off-by: Robert Lubos &lt;robert.lubos@nordicsemi.no&gt;
diff --git a/subsys/net/ip/net_context.c b/subsys/net/ip/net_context.c
@@ -359,8 +359,6 @@ int net_context_unref(struct net_context *context)
 
 	k_mutex_lock(&context->lock, K_FOREVER);
 
-	net_tcp_unref(context);
-
 	if (context->conn_handler) {
 		if (IS_ENABLED(CONFIG_NET_TCP) || IS_ENABLED(CONFIG_NET_UDP) ||
 		    IS_ENABLED(CONFIG_NET_SOCKETS_CAN) ||
diff --git a/subsys/net/ip/tcp.c b/subsys/net/ip/tcp.c
@@ -393,23 +393,13 @@ static void tcp_send_queue_flush(struct tcp *conn)
 	}
 }
 
-#if CONFIG_NET_TCP_LOG_LEVEL >= LOG_LEVEL_DBG
-#define tcp_conn_unref(conn, status)				\
-	tcp_conn_unref_debug(conn, status, __func__, __LINE__)
 
-static int tcp_conn_unref_debug(struct tcp *conn, int status,
-				const char *caller, int line)
-#else
-static int tcp_conn_unref(struct tcp *conn, int status)
-#endif
+static int tcp_conn_unref(struct tcp *conn)
 {
 	int ref_count = atomic_get(&conn->ref_count);
 	struct net_pkt *pkt;
 
-#if CONFIG_NET_TCP_LOG_LEVEL >= LOG_LEVEL_DBG
-	NET_DBG("conn: %p, ref_count=%d (%s():%d)", conn, ref_count,
-		caller, line);
-#endif
+	NET_DBG("conn: %p, ref_count=%d", conn, ref_count);
 
 #if !defined(CONFIG_NET_TEST_PROTOCOL)
 	if (conn->in_connect) {
@@ -444,11 +434,6 @@ static int tcp_conn_unref(struct tcp *conn, int status)
 		conn->context->conn_handler = NULL;
 	}
 
-	if (conn->context->recv_cb) {
-		conn->context->recv_cb(conn->context, NULL, NULL, NULL,
-				       status, conn->recv_user_data);
-	}
-
 	conn->context->tcp = NULL;
 
 	net_context_unref(conn->context);
@@ -485,12 +470,34 @@ int net_tcp_unref(struct net_context *context)
 	NET_DBG("context: %p, conn: %p", context, context->tcp);
 
 	if (context->tcp) {
-		ref_count = tcp_conn_unref(context->tcp, 0);
+		ref_count = tcp_conn_unref(context->tcp);
 	}
 
 	return ref_count;
 }
 
+#if CONFIG_NET_TCP_LOG_LEVEL >= LOG_LEVEL_DBG
+#define tcp_conn_close(conn, status)				\
+	tcp_conn_close_debug(conn, status, __func__, __LINE__)
+
+static int tcp_conn_close_debug(struct tcp *conn, int status,
+				const char *caller, int line)
+#else
+static int tcp_conn_close(struct tcp *conn, int status)
+#endif
+{
+#if CONFIG_NET_TCP_LOG_LEVEL >= LOG_LEVEL_DBG
+	NET_DBG("conn: %p closed by TCP stack (%s():%d)", conn, caller, line);
+#endif
+
+	if (conn->context->recv_cb) {
+		conn->context->recv_cb(conn->context, NULL, NULL, NULL,
+				       status, conn->recv_user_data);
+	}
+
+	return tcp_conn_unref(conn);
+}
+
 static bool tcp_send_process_no_lock(struct tcp *conn)
 {
 	bool unref = false;
@@ -569,7 +576,7 @@ static void tcp_send_process(struct k_work *work)
 	k_mutex_unlock(&conn->lock);
 
 	if (unref) {
-		tcp_conn_unref(conn, -ETIMEDOUT);
+		tcp_conn_close(conn, -ETIMEDOUT);
 	}
 }
 
@@ -1074,7 +1081,7 @@ static int tcp_out_ext(struct tcp *conn, uint8_t flags, struct net_pkt *data,
 		k_work_schedule_for_queue(&tcp_work_q,
 					  &conn->send_timer, K_NO_WAIT);
 	} else if (tcp_send_process_no_lock(conn)) {
-		tcp_conn_unref(conn, -ETIMEDOUT);
+		tcp_conn_close(conn, -ETIMEDOUT);
 	}
 out:
 	return ret;
@@ -1334,7 +1341,7 @@ static void tcp_resend_data(struct k_work *work)
 	k_mutex_unlock(&conn->lock);
 
 	if (conn_unref) {
-		tcp_conn_unref(conn, -ETIMEDOUT);
+		tcp_conn_close(conn, -ETIMEDOUT);
 	}
 }
 
@@ -1345,16 +1352,15 @@ static void tcp_timewait_timeout(struct k_work *work)
 
 	NET_DBG("conn: %p %s", conn, tcp_conn_state(conn, NULL));
 
-	/* Extra unref from net_tcp_put() */
-	net_context_unref(conn->context);
+	(void)tcp_conn_close(conn, -ETIMEDOUT);
 }
 
 static void tcp_establish_timeout(struct tcp *conn)
 {
 	NET_DBG("Did not receive %s in %dms", "ACK", ACK_TIMEOUT_MS);
 	NET_DBG("conn: %p %s", conn, tcp_conn_state(conn, NULL));
 
-	(void)tcp_conn_unref(conn, -ETIMEDOUT);
+	(void)tcp_conn_close(conn, -ETIMEDOUT);
 }
 
 static void tcp_fin_timeout(struct k_work *work)
@@ -1370,8 +1376,7 @@ static void tcp_fin_timeout(struct k_work *work)
 	NET_DBG("Did not receive %s in %dms", "FIN", tcp_fin_timeout_ms);
 	NET_DBG("conn: %p %s", conn, tcp_conn_state(conn, NULL));
 
-	/* Extra unref from net_tcp_put() */
-	net_context_unref(conn->context);
+	(void)tcp_conn_close(conn, -ETIMEDOUT);
 }
 
 static void tcp_send_zwp(struct k_work *work)
@@ -1731,13 +1736,13 @@ static struct tcp *tcp_conn_new(struct net_pkt *pkt)
 	net_context_set_family(conn->context, net_pkt_family(pkt));
 
 	if (tcp_endpoint_set(&conn->dst, pkt, TCP_EP_SRC) < 0) {
-		net_context_unref(context);
+		net_context_put(context);
 		conn = NULL;
 		goto err;
 	}
 
 	if (tcp_endpoint_set(&conn->src, pkt, TCP_EP_DST) < 0) {
-		net_context_unref(context);
+		net_context_put(context);
 		conn = NULL;
 		goto err;
 	}
@@ -1772,7 +1777,7 @@ static struct tcp *tcp_conn_new(struct net_pkt *pkt)
 	ret = net_context_bind(context, &local_addr, sizeof(local_addr));
 	if (ret < 0) {
 		NET_DBG("Cannot bind accepted context, connection reset");
-		net_context_unref(context);
+		net_context_put(context);
 		conn = NULL;
 		goto err;
 	}
@@ -1796,7 +1801,7 @@ static struct tcp *tcp_conn_new(struct net_pkt *pkt)
 				&context->conn_handler);
 	if (ret < 0) {
 		NET_ERR("net_conn_register(): %d", ret);
-		net_context_unref(context);
+		net_context_put(context);
 		conn = NULL;
 		goto err;
 	}
@@ -2188,6 +2193,7 @@ static enum net_verdict tcp_in(struct tcp *conn, struct net_pkt *pkt)
 			k_work_cancel_delayable(&conn->establish_timer);
 			tcp_send_timer_cancel(conn);
 			next = TCP_ESTABLISHED;
+			tcp_conn_ref(conn);
 			net_context_set_state(conn->context,
 					      NET_CONTEXT_CONNECTED);
 
@@ -2228,6 +2234,7 @@ static enum net_verdict tcp_in(struct tcp *conn, struct net_pkt *pkt)
 			}
 
 			next = TCP_ESTABLISHED;
+			tcp_conn_ref(conn);
 			net_context_set_state(conn->context,
 					      NET_CONTEXT_CONNECTED);
 			tcp_out(conn, ACK);
@@ -2518,7 +2525,7 @@ static enum net_verdict tcp_in(struct tcp *conn, struct net_pkt *pkt)
 	 * to a deadlock.
 	 */
 	if (do_close) {
-		tcp_conn_unref(conn, close_status);
+		tcp_conn_close(conn, close_status);
 	}
 
 	return verdict;
@@ -2569,16 +2576,11 @@ int net_tcp_put(struct net_context *context)
 
 			conn_state(conn, TCP_FIN_WAIT_1);
 		}
-
-		/* Make sure we do not delete the connection yet until we have
-		 * sent the final ACK.
-		 */
-		net_context_ref(context);
 	}
 
 	k_mutex_unlock(&conn->lock);
 
-	net_context_unref(context);
+	net_tcp_unref(context);
 
 	return 0;
 }
@@ -2677,7 +2679,7 @@ int net_tcp_queue_data(struct net_context *context, struct net_pkt *pkt)
 
 	ret = tcp_send_queued_data(conn);
 	if (ret < 0 && ret != -ENOBUFS) {
-		tcp_conn_unref(conn, ret);
+		tcp_conn_close(conn, ret);
 		goto out;
 	}
 
@@ -2861,7 +2863,7 @@ int net_tcp_connect(struct net_context *context,
 		if (k_sem_take(&conn->connect_sem, timeout) != 0 &&
 		    conn->state != TCP_ESTABLISHED) {
 			conn->in_connect = false;
-			tcp_conn_unref(conn, -ETIMEDOUT);
+			tcp_conn_close(conn, -ETIMEDOUT);
 			ret = -ETIMEDOUT;
 			goto out;
 		}
@@ -3169,7 +3171,7 @@ enum net_verdict tp_input(struct net_conn *net_conn,
 
 				conn = (void *)sys_slist_peek_head(&tcp_conns);
 				context = conn->context;
-				while (tcp_conn_unref(conn, 0))
+				while (tcp_conn_close(conn, 0))
 					;
 				tcp_free(context);
 			}
