Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 805c4bc0 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

tcp: fix req->saved_syn race 



For the reasons explained in commit ce105008 ("tcp/dccp: fix
ireq->pktopts race"), we need to make sure we do not access
req->saved_syn unless we own the request sock.

This fixes races for listeners using TCP_SAVE_SYN option.

Fixes: e994b2f0 ("tcp: do not lock listener to process SYN packets")
Fixes: 079096f1 ("tcp/dccp: install syn_recv requests into ehash table")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Reported-by: default avatarYing Cai <ycai@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 428ad1bc

include/linux/tcp.h

+7 −0
Original line number Diff line number Diff line
@@ -397,6 +397,13 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog) 
	queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn);

}



static inline void tcp_move_syn(struct tcp_sock *tp,

				struct request_sock *req)

{

	tp->saved_syn = req->saved_syn;

	req->saved_syn = NULL;

}



static inline void tcp_saved_syn_free(struct tcp_sock *tp)

{

	kfree(tp->saved_syn);

net/ipv4/tcp_ipv4.c

+2 −0
Original line number Diff line number Diff line
@@ -1326,6 +1326,8 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb, 
	if (__inet_inherit_port(sk, newsk) < 0)

		goto put_and_exit;

	*own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));

	if (*own_req)

		tcp_move_syn(newtp, req_unhash);



	return newsk;

net/ipv4/tcp_minisocks.c

+0 −3
Original line number Diff line number Diff line
@@ -551,9 +551,6 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, 
		newtp->rack.mstamp.v64 = 0;

		newtp->rack.advanced = 0;



		newtp->saved_syn = req->saved_syn;

		req->saved_syn = NULL;



		TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_PASSIVEOPENS);

	}

	return newsk;

net/ipv6/tcp_ipv6.c

+12 −8
Original line number Diff line number Diff line
@@ -1140,8 +1140,11 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * 
		goto out;

	}

	*own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));

	if (*own_req) {

		tcp_move_syn(newtp, req_unhash);



		/* Clone pktoptions received with SYN, if we own the req */

	if (*own_req && ireq->pktopts) {

		if (ireq->pktopts) {

			newnp->pktoptions = skb_clone(ireq->pktopts,

						      sk_gfp_atomic(sk, GFP_ATOMIC));

			consume_skb(ireq->pktopts);
@@ -1149,6 +1152,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * 
			if (newnp->pktoptions)

				skb_set_owner_r(newnp->pktoptions, newsk);

		}

	}



	return newsk;