diff options
| author | Eric Dumazet <eric.dumazet@gmail.com> | 2009-12-03 22:47:42 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-12-08 23:17:51 -0500 |
| commit | 3cdaedae635b17ce23c738ce7d364b442310cdec (patch) | |
| tree | af07cdf6c31cca8d1a094bd104efa65e1e95e270 /net/ipv4/inet_hashtables.c | |
| parent | 9327f7053e3993c125944fdb137a0618319ef2a0 (diff) | |
tcp: Fix a connect() race with timewait sockets
When we find a timewait connection in __inet_hash_connect() and reuse
it for a new connection request, we have a race window, releasing bind
list lock and reacquiring it in __inet_twsk_kill() to remove timewait
socket from list.
Another thread might find the timewait socket we already chose, leading to
list corruption and crashes.
Fix is to remove timewait socket from bind list before releasing the bind lock.
Note: This problem happens if sysctl_tcp_tw_reuse is set.
Reported-by: kapil dakhane <kdakhane@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/inet_hashtables.c')
| -rw-r--r-- | net/ipv4/inet_hashtables.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index c4201b7ece38..2b79377b468d 100644 --- a/net/ipv4/inet_hashtables.c +++ b/net/ipv4/inet_hashtables.c | |||
| @@ -502,6 +502,8 @@ ok: | |||
| 502 | inet_sk(sk)->inet_sport = htons(port); | 502 | inet_sk(sk)->inet_sport = htons(port); |
| 503 | twrefcnt += hash(sk, tw); | 503 | twrefcnt += hash(sk, tw); |
| 504 | } | 504 | } |
| 505 | if (tw) | ||
| 506 | twrefcnt += inet_twsk_bind_unhash(tw, hinfo); | ||
| 505 | spin_unlock(&head->lock); | 507 | spin_unlock(&head->lock); |
| 506 | 508 | ||
| 507 | if (tw) { | 509 | if (tw) { |