From patchwork Wed Oct 14 12:58:38 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Dumazet X-Patchwork-Id: 530165 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 579F2140187 for ; Wed, 14 Oct 2015 23:59:02 +1100 (AEDT) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b=Sx+A+nnn; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753571AbbJNM65 (ORCPT ); Wed, 14 Oct 2015 08:58:57 -0400 Received: from mail-pa0-f42.google.com ([209.85.220.42]:33541 "EHLO mail-pa0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753562AbbJNM6k (ORCPT ); Wed, 14 Oct 2015 08:58:40 -0400 Received: by pabrc13 with SMTP id rc13so54185834pab.0 for ; Wed, 14 Oct 2015 05:58:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:subject:from:to:cc:date:content-type:mime-version :content-transfer-encoding; bh=+FOVicMmyWHm/HHhKt1qtr/gL0A5dNI8WbMPelX77/Q=; b=Sx+A+nnnm/x/f2XZyC2kgsuoqKgfsAsVTphvWya9LHcL/rAgq95Pj3R8smE6pRveZn tO9SI4ja2dZsJl2+y/CTN8tGVYNTNvjr+rFh404ULvpNczZKllr7GAukxvWR/uMwtewS JPiANmvPIzhjuRtVBx6g0wK6qB4s6hM4FJ0IGJrINd2SJi181n1Y/7MDOS6hW9SCqvjn J/3KNMlzlGVGfOqT1d7LSFncwSxRex7wgIV1RZr7M/ss/XybpxCgGdSPSSSkqjbPn4oF TW58so4egpfNKzRYWyTR4+EKhHgMgyAy5g0YKTPgKCj0jAErAUL4WaJv8pPXLUEy2tCY Ja2g== X-Received: by 10.68.232.162 with SMTP id tp2mr3681045pbc.162.1444827519745; Wed, 14 Oct 2015 05:58:39 -0700 (PDT) Received: from [172.29.167.40] ([172.29.167.40]) by smtp.gmail.com with ESMTPSA id qn5sm9694074pac.41.2015.10.14.05.58.38 (version=TLSv1.2 cipher=AES128-GCM-SHA256 bits=128/128); Wed, 14 Oct 2015 05:58:38 -0700 (PDT) Message-ID: <1444827518.4166.27.camel@edumazet-glaptop2.roam.corp.google.com> Subject: [PATCH net-next] tcp/dccp: fix potential NULL deref in __inet_inherit_port() From: Eric Dumazet To: David Miller Cc: netdev Date: Wed, 14 Oct 2015 05:58:38 -0700 X-Mailer: Evolution 3.10.4-0ubuntu2 Mime-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Eric Dumazet As we no longer hold listener lock in fast path, it is possible that a child is created right after listener freed its bound port, if a close() is done while incoming packets are processed. __inet_inherit_port() must detect this and return an error, so that caller can free the child earlier. Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets") Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table") Signed-off-by: Eric Dumazet --- net/ipv4/inet_hashtables.c | 4 ++++ 1 file changed, 4 insertions(+) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index 08643a3616af..958728a22001 100644 --- a/net/ipv4/inet_hashtables.c +++ b/net/ipv4/inet_hashtables.c @@ -137,6 +137,10 @@ int __inet_inherit_port(const struct sock *sk, struct sock *child) spin_lock(&head->lock); tb = inet_csk(sk)->icsk_bind_hash; + if (unlikely(!tb)) { + spin_unlock(&head->lock); + return -ENOENT; + } if (tb->port != port) { /* NOTE: using tproxy and redirecting skbs to a proxy * on a different listener port breaks the assumption