linux/net/dccp
Eric Dumazet 7716682cc5 tcp/dccp: fix another race at listener dismantle
Ilya reported following lockdep splat:

kernel: =========================
kernel: [ BUG: held lock freed! ]
kernel: 4.5.0-rc1-ceph-00026-g5e0a311 #1 Not tainted
kernel: -------------------------
kernel: swapper/5/0 is freeing memory
ffff880035c9d200-ffff880035c9dbff, with a lock still held there!
kernel: (&(&queue->rskq_lock)->rlock){+.-...}, at:
[<ffffffff816f6a88>] inet_csk_reqsk_queue_add+0x28/0xa0
kernel: 4 locks held by swapper/5/0:
kernel: #0:  (rcu_read_lock){......}, at: [<ffffffff8169ef6b>]
netif_receive_skb_internal+0x4b/0x1f0
kernel: #1:  (rcu_read_lock){......}, at: [<ffffffff816e977f>]
ip_local_deliver_finish+0x3f/0x380
kernel: #2:  (slock-AF_INET){+.-...}, at: [<ffffffff81685ffb>]
sk_clone_lock+0x19b/0x440
kernel: #3:  (&(&queue->rskq_lock)->rlock){+.-...}, at:
[<ffffffff816f6a88>] inet_csk_reqsk_queue_add+0x28/0xa0

To properly fix this issue, inet_csk_reqsk_queue_add() needs
to return to its callers if the child as been queued
into accept queue.

We also need to make sure listener is still there before
calling sk->sk_data_ready(), by holding a reference on it,
since the reference carried by the child can disappear as
soon as the child is put on accept queue.

Reported-by: Ilya Dryomov <idryomov@gmail.com>
Fixes: ebb516af60 ("tcp/dccp: fix race at listener dismantle phase")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-02-18 11:35:51 -05:00
..
ccids dccp: re-enable debug macro 2014-02-16 23:45:00 -05:00
ackvec.c dccp: drop null test before destroy functions 2015-09-15 16:49:43 -07:00
ackvec.h net: dccp: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
ccid.c dccp: drop null test before destroy functions 2015-09-15 16:49:43 -07:00
ccid.h net: dccp: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
dccp.h tcp/dccp: fix hashdance race for passive sessions 2015-10-23 05:42:21 -07:00
diag.c sock_diag: specify info_size per inet protocol 2015-06-15 19:49:22 -07:00
feat.c dccp: kerneldoc warning fixes 2014-11-18 15:26:31 -05:00
feat.h net: dccp: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
input.c dccp: spelling s/reseting/resetting 2014-11-18 15:26:32 -05:00
ipv4.c tcp/dccp: fix another race at listener dismantle 2016-02-18 11:35:51 -05:00
ipv6.c tcp/dccp: fix another race at listener dismantle 2016-02-18 11:35:51 -05:00
ipv6.h inet: includes a sock_common in request_sock 2013-10-10 00:08:07 -04:00
Kconfig net/dccp: remove depends on CONFIG_EXPERIMENTAL 2013-01-11 11:39:34 -08:00
Makefile dccp: Policy-based packet dequeueing infrastructure 2010-12-07 13:47:12 +01:00
minisocks.c tcp/dccp: fix hashdance race for passive sessions 2015-10-23 05:42:21 -07:00
options.c dccp: remove obsolete code 2014-01-04 20:18:49 -05:00
output.c net: Generalise wq_has_sleeper helper 2015-11-30 14:47:33 -05:00
probe.c Use 64-bit timekeeping 2015-11-01 17:01:16 -05:00
proto.c net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA 2015-12-01 15:45:05 -05:00
qpolicy.c dccp qpolicy: Parameter checking of cmsg qpolicy parameters 2010-12-07 13:47:12 +01:00
sysctl.c dccp: make the request_retries minimum is 1 2014-05-14 15:34:16 -04:00
timer.c inet: get rid of central tcp/dccp listener timer 2015-03-20 12:40:25 -04:00