tcp: Fix race in tcp_poll

If a RST comes in immediately after checking sk->sk_err, tcp_poll will
return POLLIN but not POLLOUT.  Fix this by checking sk->sk_err at the end
of tcp_poll.  Additionally, ensure the correct order of operations on SMP
machines with memory barriers.

Signed-off-by: Tom Marshall <tdm.code@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 7 insertions, 2 deletions

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 3fb1428e526e..95d75d443927 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -386,8 +386,6 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
          */
 
         mask = 0;
-        if (sk->sk_err)
-                mask = POLLERR;
 
         /*
          * POLLHUP is certainly not done right. But poll() doesn't
@@ -457,6 +455,11 @@ unsigned int tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
                 if (tp->urg_data & TCP_URG_VALID)
                         mask |= POLLPRI;
         }
+        /* This barrier is coupled with smp_wmb() in tcp_reset() */
+        smp_rmb();
+        if (sk->sk_err)
+                mask |= POLLERR;
+
         return mask;
 }
 EXPORT_SYMBOL(tcp_poll);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index e663b78a2ef6..149e79ac2891 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4048,6 +4048,8 @@ static void tcp_reset(struct sock *sk)
         default:
                 sk->sk_err = ECONNRESET;
         }
+        /* This barrier is coupled with smp_rmb() in tcp_poll() */
+        smp_wmb();
 
         if (!sock_flag(sk, SOCK_DEAD))
                 sk->sk_error_report(sk);