summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2019-10-14 06:47:57 -0700
committerDavid S. Miller <davem@davemloft.net>2019-10-15 20:13:33 -0700
commitcab209e571a9375f7dc6db69a6c40d2d98e57e3b (patch)
tree0a02520a515cd2b22e5fe2e0f2b178b28cb8e31f /net
parentc9b96eb6da2a4eadf1d82d27e503ce0cd2ca43fd (diff)
downloadlinux-cab209e571a9375f7dc6db69a6c40d2d98e57e3b.tar.gz
linux-cab209e571a9375f7dc6db69a6c40d2d98e57e3b.tar.bz2
linux-cab209e571a9375f7dc6db69a6c40d2d98e57e3b.zip
tcp: fix a possible lockdep splat in tcp_done()
syzbot found that if __inet_inherit_port() returns an error, we call tcp_done() after inet_csk_prepare_forced_close(), meaning the socket lock is no longer held. We might fix this in a different way in net-next, but for 5.4 it seems safer to relax the lockdep check. Fixes: d983ea6f16b8 ("tcp: add rcu protection around tp->fastopen_rsk") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/tcp.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b2ac4f074e2d..42187a3b82f4 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3842,8 +3842,12 @@ void tcp_done(struct sock *sk)
{
struct request_sock *req;
- req = rcu_dereference_protected(tcp_sk(sk)->fastopen_rsk,
- lockdep_sock_is_held(sk));
+ /* We might be called with a new socket, after
+ * inet_csk_prepare_forced_close() has been called
+ * so we can not use lockdep_sock_is_held(sk)
+ */
+ req = rcu_dereference_protected(tcp_sk(sk)->fastopen_rsk, 1);
+
if (sk->sk_state == TCP_SYN_SENT || sk->sk_state == TCP_SYN_RECV)
TCP_INC_STATS(sock_net(sk), TCP_MIB_ATTEMPTFAILS);