tcp: Fix a connect() race with timewait sockets
authorEric Dumazet <eric.dumazet@gmail.com>
Fri, 4 Dec 2009 03:47:42 +0000 (03:47 +0000)
committerDavid S. Miller <davem@davemloft.net>
Wed, 9 Dec 2009 04:17:51 +0000 (20:17 -0800)
commit3cdaedae635b17ce23c738ce7d364b442310cdec
treeaf07cdf6c31cca8d1a094bd104efa65e1e95e270
parent9327f7053e3993c125944fdb137a0618319ef2a0
tcp: Fix a connect() race with timewait sockets

When we find a timewait connection in __inet_hash_connect() and reuse
it for a new connection request, we have a race window, releasing bind
list lock and reacquiring it in __inet_twsk_kill() to remove timewait
socket from list.

Another thread might find the timewait socket we already chose, leading to
list corruption and crashes.

Fix is to remove timewait socket from bind list before releasing the bind lock.

Note: This problem happens if sysctl_tcp_tw_reuse is set.

Reported-by: kapil dakhane <kdakhane@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/inet_timewait_sock.h
net/ipv4/inet_hashtables.c
net/ipv4/inet_timewait_sock.c