• Eric Dumazet's avatar
    tcp/dccp: fix another race at listener dismantle · a88b9534
    Eric Dumazet authored
    BugLink: http://bugs.launchpad.net/bugs/1553179
    
    [ Upstream commit 7716682c ]
    
    Ilya reported following lockdep splat:
    
    kernel: =========================
    kernel: [ BUG: held lock freed! ]
    kernel: 4.5.0-rc1-ceph-00026-g5e0a311 #1 Not tainted
    kernel: -------------------------
    kernel: swapper/5/0 is freeing memory
    ffff880035c9d200-ffff880035c9dbff, with a lock still held there!
    kernel: (&(&queue->rskq_lock)->rlock){+.-...}, at:
    [<ffffffff816f6a88>] inet_csk_reqsk_queue_add+0x28/0xa0
    kernel: 4 locks held by swapper/5/0:
    kernel: #0:  (rcu_read_lock){......}, at: [<ffffffff8169ef6b>]
    netif_receive_skb_internal+0x4b/0x1f0
    kernel: #1:  (rcu_read_lock){......}, at: [<ffffffff816e977f>]
    ip_local_deliver_finish+0x3f/0x380
    kernel: #2:  (slock-AF_INET){+.-...}, at: [<ffffffff81685ffb>]
    sk_clone_lock+0x19b/0x440
    kernel: #3:  (&(&queue->rskq_lock)->rlock){+.-...}, at:
    [<ffffffff816f6a88>] inet_csk_reqsk_queue_add+0x28/0xa0
    
    To properly fix this issue, inet_csk_reqsk_queue_add() needs
    to return to its callers if the child as been queued
    into accept queue.
    
    We also need to make sure listener is still there before
    calling sk->sk_data_ready(), by holding a reference on it,
    since the reference carried by the child can disappear as
    soon as the child is put on accept queue.
    Reported-by: default avatarIlya Dryomov <idryomov@gmail.com>
    Fixes: ebb516af ("tcp/dccp: fix race at listener dismantle phase")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarTim Gardner <tim.gardner@canonical.com>
    a88b9534
inet_connection_sock.h 10.4 KB