Message-ID: <1363455885.29475.68.camel@edumazet-glaptop>
Date:	Sat, 16 Mar 2013 10:44:45 -0700
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	dormando <dormando@...ia.net>
Cc:	Cong Wang <xiyou.wangcong@...il.com>, linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org
Subject: Re: BUG: IPv4: Attempt to release TCP socket in state 1

On Sat, 2013-03-16 at 10:36 -0700, Eric Dumazet wrote:
> On Fri, 2013-03-15 at 00:19 +0100, Eric Dumazet wrote:
> 
> > Thanks that's really useful, we might miss to increment socket refcount
> > in a timer setup.
> > 
> 
> Hmm, please add following debugging patch as well
> 
> diff --git a/include/net/sock.h b/include/net/sock.h
> index 14f6e9d..fe7c8a6 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -530,7 +530,9 @@ static inline void sock_hold(struct sock *sk)
>   */
>  static inline void __sock_put(struct sock *sk)
>  {
> -	atomic_dec(&sk->sk_refcnt);
> +	int newref = atomic_dec_return(&sk->sk_refcnt);
> +
> +	BUG_ON(newref <= 0);
>  }
>  
>  static inline bool sk_del_node_init(struct sock *sk)
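Review bot: BUG_ON(newref <= 0) in __sock_put() halts the machine from an inline helper in a widely included header; if the goal is only to identify the offending caller, WARN_ON_ONCE(newref <= 0) would still print the stack of the bad put while leaving the host up, so it is worth saying why a hard stop is wanted. atomic_dec_return() is a value-returning, fully ordered operation where atomic_dec() was not, so this belongs in a debug build only. The comment that closes just above the function should also state the rule being enforced: __sock_put() must never be the put that drops the count to zero.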
> diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
> index 786d97a..a445e15 100644
> --- a/net/ipv4/inet_connection_sock.c
> +++ b/net/ipv4/inet_connection_sock.c
> @@ -739,7 +739,7 @@ void inet_csk_prepare_forced_close(struct sock *sk)
>  {
>  	/* sk_clone_lock locked the socket and set refcnt to 2 */
>  	bh_unlock_sock(sk);
> -	sock_put(sk);
> +	__sock_put(sk);
>  
>  	/* The below has to be done to allow calling inet_csk_destroy_sock */
>  	sock_set_flag(sk, SOCK_DEAD);
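Review bot: switching sock_put(sk) to __sock_put(sk) in inet_csk_prepare_forced_close() turns the "sk_clone_lock locked the socket and set refcnt to 2" comment into a hard precondition, and it is only safe together with the sock.h hunk. With the BUG_ON in place a caller arriving with a single reference now stops the kernel instead of freeing the socket; without it, __sock_put() would take the count to zero and never free. Please extend the comment to say that the caller still holds the second reference at this point and releases it later.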
> @@ -835,13 +835,13 @@ void inet_csk_listen_stop(struct sock *sk)
>  			 * tcp_v4_destroy_sock().
>  			 */
>  			tcp_sk(child)->fastopen_rsk = NULL;
> -			sock_put(sk);
> +			__sock_put(sk);
>  		}
>  		inet_csk_destroy_sock(child);
>  
>  		bh_unlock_sock(child);
>  		local_bh_enable();
> -		sock_put(child);
> +		__sock_put(child);
>  
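Review bot: the final replacement, sock_put(child) to __sock_put(child) after inet_csk_destroy_sock(child) and bh_unlock_sock(child), looks wrong for this position. If this put is the one that releases the last reference on child, __sock_put() will trip the BUG_ON(newref <= 0) added in sock.h on every listener shutdown and the child will never be freed. Keep sock_put(child) here; the earlier __sock_put(sk) in the fastopen branch is a different case, since it drops a reference on the listener that the caller of inet_csk_listen_stop() still holds.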

Please don't include the last line: this should stay as

 sock_put(child);


