Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenis Kirjanov <dkirjanov@suse.com>2019-03-21 11:55:36 +0100
committerDenis Kirjanov <dkirjanov@suse.com>2019-03-21 11:55:36 +0100
commit4e8b58b7c56da1c4c6441a858e78efd7ee4a6e1b (patch)
treef5b441d40a332a0e2679865c233921f9d7b4d894
parentfb85ef51edefb8ac1c4de6a8dc72a5a91e8d5252 (diff)
tcp: handle inet_csk_reqsk_queue_add() failures (git-fixes).
-rw-r--r--patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch63
-rw-r--r--series.conf1
2 files changed, 64 insertions, 0 deletions
diff --git a/patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch b/patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch
new file mode 100644
index 0000000000..38aeab73a5
--- /dev/null
+++ b/patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch
@@ -0,0 +1,63 @@
+From: Guillaume Nault <gnault@redhat.com>
+Subject: tcp: handle inet_csk_reqsk_queue_add() failures
+Patch-mainline: v5.1-rc1
+Git-commit: 9d3e1368bb45893a75a5dfb7cd21fdebfa6b47af
+References: git-fixes
+
+Commit 7716682cc58e ("tcp/dccp: fix another race at listener
+dismantle") let inet_csk_reqsk_queue_add() fail, and adjusted
+{tcp,dccp}_check_req() accordingly. However, TFO and syncookies
+weren't modified, thus leaking allocated resources on error.
+
+Contrary to tcp_check_req(), in both syncookies and TFO cases,
+we need to drop the request socket. Also, since the child socket is
+created with inet_csk_clone_lock(), we have to unlock it and drop an
+extra reference (->sk_refcount is initially set to 2 and
+inet_csk_reqsk_queue_add() drops only one ref).
+
+For TFO, we also need to revert the work done by tcp_try_fastopen()
+(with reqsk_fastopen_remove()).
+
+Fixes: 7716682cc58e ("tcp/dccp: fix another race at listener dismantle")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/syncookies.c | 7 ++++++-
+ net/ipv4/tcp_input.c | 8 +++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -216,7 +216,12 @@ struct sock *tcp_get_cookie_sock(struct
+ atomic_set(&req->rsk_refcnt, 1);
+ tcp_sk(child)->tsoffset = tsoff;
+ sock_rps_save_rxhash(child, skb);
+- inet_csk_reqsk_queue_add(sk, req, child);
++ if (!inet_csk_reqsk_queue_add(sk, req, child)) {
++ bh_unlock_sock(child);
++ sock_put(child);
++ child = NULL;
++ reqsk_put(req);
++ }
+ } else {
+ reqsk_free(req);
+ }
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -6373,7 +6373,13 @@ int tcp_conn_request(struct request_sock
+ af_ops->send_synack(fastopen_sk, dst, &fl, req,
+ &foc, TCP_SYNACK_FASTOPEN);
+ /* Add the child socket directly into the accept queue */
+- inet_csk_reqsk_queue_add(sk, req, fastopen_sk);
++ if (!inet_csk_reqsk_queue_add(sk, req, fastopen_sk)) {
++ reqsk_fastopen_remove(fastopen_sk, req, false);
++ bh_unlock_sock(fastopen_sk);
++ sock_put(fastopen_sk);
++ reqsk_put(req);
++ goto drop;
++ }
+ sk->sk_data_ready(sk);
+ bh_unlock_sock(fastopen_sk);
+ sock_put(fastopen_sk);
diff --git a/series.conf b/series.conf
index b7877479e2..39f4e7cf2f 100644
--- a/series.conf
+++ b/series.conf
@@ -20895,6 +20895,7 @@
patches.fixes/tipc-fix-RDM-DGRAM-connect-regression.patch
patches.drivers/enic-fix-build-warning-without-CONFIG_CPUMASK_OFFSTA.patch
patches.fixes/0001-vxlan-Fix-GRO-cells-race-condition-between-receive-a.patch
+ patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch
patches.fixes/bpf-fix-replace_map_fd_with_map_ptr-s-ldimm64-second.patch
patches.fixes/0001-vxlan-test-dev-flags-IFF_UP-before-calling-gro_cells.patch
patches.drivers/input-raspberrypi-ts-select-config_input_polldev.patch