inet: fix possible panic in reqsk_queue_unlink()

[ 3897.923145] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080 [ 3897.931025] IP: [<ffffffffa9f27686>] reqsk_timer_handler+0x1a6/0x243 There is a race when reqsk_timer_handler() and tcp_check_req() call inet_csk_reqsk_queue_unlink() on the same req at the same time. Before commit fa76ce7328b2 ("inet: get rid of central tcp/dccp listener timer"), listener spinlock was held and race could not happen. To solve this bug, we change reqsk_queue_unlink() to not assume req must be found, and we return a status, to conditionally release a refcount on the request sock. This also means tcp_check_req() in non fastopen case might or not consume req refcount, so tcp_v6_hnd_req() & tcp_v4_hnd_req() have to properly handle this. (Same remark for dccp_check_req() and its callers) inet_csk_reqsk_queue_drop() is now too big to be inlined, as it is called 4 times in tcp and 3 times in dccp. Fixes: fa76ce7328b2 ("inet: get rid of central tcp/dccp listener timer") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Dumazet <edumazet@google.com> 2015-04-23 21:03:44 -0400
committer: David S. Miller <davem@davemloft.net> 2015-04-24 11:39:15 -0400
commit: b357a364c57c940ddb932224542494363df37378 (patch)
tree: 84657c956c5c64a2ae058b8285271f778b1aea67 /include/net/request_sock.h
parent: 1d8dc3d3c8f1d8ee1da9d54c5d7c8694419ade42 (diff)
1 files changed, 0 insertions, 18 deletions
diff --git a/include/net/request_sock.h b/include/net/request_sock.h
index fe41f3ceb008..9f4265ce8892 100644
--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -212,24 +212,6 @@ static inline int reqsk_queue_empty(struct request_sock_queue *queue)
        return queue->rskq_accept_head == NULL;
 }
-static inline void reqsk_queue_unlink(struct request_sock_queue *queue,
-                                      struct request_sock *req)
-{
-        struct listen_sock *lopt = queue->listen_opt;
-        struct request_sock **prev;
-        spin_lock(&queue->syn_wait_lock);
-        prev = &lopt->syn_table[req->rsk_hash];
-        while (*prev != req)
-                prev = &(*prev)->dl_next;
-        *prev = req->dl_next;
-        spin_unlock(&queue->syn_wait_lock);
-        if (del_timer(&req->rsk_timer))
-                reqsk_put(req);
-}
 static inline void reqsk_queue_add(struct request_sock_queue *queue,
                                   struct request_sock *req,
                                   struct sock *parent,
author	Eric Dumazet <edumazet@google.com>	2015-04-23 21:03:44 -0400
committer	David S. Miller <davem@davemloft.net>	2015-04-24 11:39:15 -0400
commit	b357a364c57c940ddb932224542494363df37378 (patch)
tree	84657c956c5c64a2ae058b8285271f778b1aea67 /include/net/request_sock.h
parent	1d8dc3d3c8f1d8ee1da9d54c5d7c8694419ade42 (diff)

diff --git a/include/net/request_sock.h b/include/net/request_sock.h index fe41f3ceb008..9f4265ce8892 100644 --- a/include/net/request_sock.h +++ b/include/net/request_sock.h
@@ -212,24 +212,6 @@ static inline int reqsk_queue_empty(struct request_sock_queue *queue)
212	return queue->rskq_accept_head == NULL;	212	return queue->rskq_accept_head == NULL;
213	}	213	}
214		214
215	static inline void reqsk_queue_unlink(struct request_sock_queue *queue,
216	struct request_sock *req)
217	{
218	struct listen_sock *lopt = queue->listen_opt;
219	struct request_sock **prev;
220
221	spin_lock(&queue->syn_wait_lock);
222
223	prev = &lopt->syn_table[req->rsk_hash];
224	while (*prev != req)
225	prev = &(*prev)->dl_next;
226	*prev = req->dl_next;
227
228	spin_unlock(&queue->syn_wait_lock);
229	if (del_timer(&req->rsk_timer))
230	reqsk_put(req);
231	}
232
233	static inline void reqsk_queue_add(struct request_sock_queue *queue,	215	static inline void reqsk_queue_add(struct request_sock_queue *queue,
234	struct request_sock *req,	216	struct request_sock *req,
235	struct sock *parent,	217	struct sock *parent,