tcp: fix a possible lockdep splat in tcp_done()

syzbot found that if __inet_inherit_port() returns an error,
we call tcp_done() after inet_csk_prepare_forced_close(),
meaning the socket lock is no longer held.

We might fix this in a different way in net-next, but
for 5.4 it seems safer to relax the lockdep check.

Fixes: d983ea6f16b8 ("tcp: add rcu protection around tp->fastopen_rsk")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 6 insertions, 2 deletions

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b2ac4f074e2d..42187a3b82f4 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3842,8 +3842,12 @@ void tcp_done(struct sock *sk)
 {
         struct request_sock *req;
 
-        req = rcu_dereference_protected(tcp_sk(sk)->fastopen_rsk,
-                                        lockdep_sock_is_held(sk));
+        /* We might be called with a new socket, after
+         * inet_csk_prepare_forced_close() has been called
+         * so we can not use lockdep_sock_is_held(sk)
+         */
+        req = rcu_dereference_protected(tcp_sk(sk)->fastopen_rsk, 1);
+
         if (sk->sk_state == TCP_SYN_SENT || sk->sk_state == TCP_SYN_RECV)
                 TCP_INC_STATS(sock_net(sk), TCP_MIB_ATTEMPTFAILS);