tcp: fix req->saved_syn race

edumazet · davem330 · commit 805c4bc05705 · 2015-11-05T14:36:09.000-05:00
For the reasons explained in commit ce10500 ("tcp/dccp: fix ireq->pktopts race"), we need to make sure we do not access req->saved_syn unless we own the request sock. This fixes races for listeners using TCP_SAVE_SYN option. Fixes: e994b2f ("tcp: do not lock listener to process SYN packets") Fixes: 079096f ("tcp/dccp: install syn_recv requests into ehash table") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Ying Cai <ycai@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/include/linux/tcp.h b/include/linux/tcp.h
@@ -397,6 +397,13 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog)
 	queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn);
 }
 
+static inline void tcp_move_syn(struct tcp_sock *tp,
+				struct request_sock *req)
+{
+	tp->saved_syn = req->saved_syn;
+	req->saved_syn = NULL;
+}
+
 static inline void tcp_saved_syn_free(struct tcp_sock *tp)
 {
 	kfree(tp->saved_syn);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
@@ -1326,6 +1326,8 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
 	if (__inet_inherit_port(sk, newsk) < 0)
 		goto put_and_exit;
 	*own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));
+	if (*own_req)
+		tcp_move_syn(newtp, req_unhash);
 
 	return newsk;
 
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
@@ -551,9 +551,6 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
 		newtp->rack.mstamp.v64 = 0;
 		newtp->rack.advanced = 0;
 
-		newtp->saved_syn = req->saved_syn;
-		req->saved_syn = NULL;
-
 		TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_PASSIVEOPENS);
 	}
 	return newsk;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
@@ -1140,14 +1140,18 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
 		goto out;
 	}
 	*own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));
-	/* Clone pktoptions received with SYN, if we own the req */
-	if (*own_req && ireq->pktopts) {
-		newnp->pktoptions = skb_clone(ireq->pktopts,
-					      sk_gfp_atomic(sk, GFP_ATOMIC));
-		consume_skb(ireq->pktopts);
-		ireq->pktopts = NULL;
-		if (newnp->pktoptions)
-			skb_set_owner_r(newnp->pktoptions, newsk);
+	if (*own_req) {
+		tcp_move_syn(newtp, req_unhash);
+
+		/* Clone pktoptions received with SYN, if we own the req */
+		if (ireq->pktopts) {
+			newnp->pktoptions = skb_clone(ireq->pktopts,
+						      sk_gfp_atomic(sk, GFP_ATOMIC));
+			consume_skb(ireq->pktopts);
+			ireq->pktopts = NULL;
+			if (newnp->pktoptions)
+				skb_set_owner_r(newnp->pktoptions, newsk);
+		}
 	}
 
 	return newsk;

Original file line number	Diff line number	Diff line change
`@@ -397,6 +397,13 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog)`
`397`	`397`	`queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn);`
`398`	`398`	`}`
`399`	`399`
	`400`	`+static inline void tcp_move_syn(struct tcp_sock *tp,`
	`401`	`+ struct request_sock *req)`
	`402`	`+{`
	`403`	`+ tp->saved_syn = req->saved_syn;`
	`404`	`+ req->saved_syn = NULL;`
	`405`	`+}`
	`406`	`+`
`400`	`407`	`static inline void tcp_saved_syn_free(struct tcp_sock *tp)`
`401`	`408`	`{`
`402`	`409`	`kfree(tp->saved_syn);`
Original file line number	Diff line number	Diff line change
`@@ -551,9 +551,6 @@ struct sock tcp_create_openreq_child(const struct sock sk,`
`551`	`551`	`newtp->rack.mstamp.v64 = 0;`
`552`	`552`	`newtp->rack.advanced = 0;`
`553`	`553`
`554`		`- newtp->saved_syn = req->saved_syn;`
`555`		`- req->saved_syn = NULL;`
`556`		`-`
`557`	`554`	`TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_PASSIVEOPENS);`
`558`	`555`	`}`
`559`	`556`	`return newsk;`