diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2009-12-04 03:47:42 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-12-08 20:17:51 -0800 |
commit | 3cdaedae635b17ce23c738ce7d364b442310cdec (patch) | |
tree | af07cdf6c31cca8d1a094bd104efa65e1e95e270 /include/net | |
parent | 9327f7053e3993c125944fdb137a0618319ef2a0 (diff) | |
download | kernel_samsung_crespo-3cdaedae635b17ce23c738ce7d364b442310cdec.zip kernel_samsung_crespo-3cdaedae635b17ce23c738ce7d364b442310cdec.tar.gz kernel_samsung_crespo-3cdaedae635b17ce23c738ce7d364b442310cdec.tar.bz2 |
tcp: Fix a connect() race with timewait sockets
When we find a timewait connection in __inet_hash_connect() and reuse
it for a new connection request, we have a race window, releasing bind
list lock and reacquiring it in __inet_twsk_kill() to remove timewait
socket from list.
Another thread might find the timewait socket we already chose, leading to
list corruption and crashes.
Fix is to remove timewait socket from bind list before releasing the bind lock.
Note: This problem happens if sysctl_tcp_tw_reuse is set.
Reported-by: kapil dakhane <kdakhane@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/inet_timewait_sock.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h index b801ade..79f67ea 100644 --- a/include/net/inet_timewait_sock.h +++ b/include/net/inet_timewait_sock.h @@ -201,6 +201,9 @@ extern void inet_twsk_put(struct inet_timewait_sock *tw); extern int inet_twsk_unhash(struct inet_timewait_sock *tw); +extern int inet_twsk_bind_unhash(struct inet_timewait_sock *tw, + struct inet_hashinfo *hashinfo); + extern struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, const int state); |