inet: reqsk_alloc() needs to take care of dead listeners
authorEric Dumazet <edumazet@google.com>
Fri, 1 Apr 2016 15:52:16 +0000 (08:52 -0700)
committerDavid S. Miller <davem@davemloft.net>
Tue, 5 Apr 2016 02:11:19 +0000 (22:11 -0400)
We'll soon no longer take a refcount on listeners,
so reqsk_alloc() cannot assume that a listener's refcount is
non-zero. We need to use atomic_inc_not_zero().

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/request_sock.h

index f49759decb287c99fcad4795a89143b476ce2cf5..6ebe13eb1c4cbcd84c4b3345b051b3320d7591e6 100644 (file)
@@ -85,24 +85,23 @@ reqsk_alloc(const struct request_sock_ops *ops, struct sock *sk_listener,
        struct request_sock *req;
 
        req = kmem_cache_alloc(ops->slab, GFP_ATOMIC | __GFP_NOWARN);
-
-       if (req) {
-               req->rsk_ops = ops;
-               if (attach_listener) {
-                       sock_hold(sk_listener);
-                       req->rsk_listener = sk_listener;
-               } else {
-                       req->rsk_listener = NULL;
+       if (!req)
+               return NULL;
+       req->rsk_listener = NULL;
+       if (attach_listener) {
+               if (unlikely(!atomic_inc_not_zero(&sk_listener->sk_refcnt))) {
+                       kmem_cache_free(ops->slab, req);
+                       return NULL;
                }
-               req_to_sk(req)->sk_prot = sk_listener->sk_prot;
-               sk_node_init(&req_to_sk(req)->sk_node);
-               sk_tx_queue_clear(req_to_sk(req));
-               req->saved_syn = NULL;
-               /* Following is temporary. It is coupled with debugging
-                * helpers in reqsk_put() & reqsk_free()
-                */
-               atomic_set(&req->rsk_refcnt, 0);
+               req->rsk_listener = sk_listener;
        }
+       req->rsk_ops = ops;
+       req_to_sk(req)->sk_prot = sk_listener->sk_prot;
+       sk_node_init(&req_to_sk(req)->sk_node);
+       sk_tx_queue_clear(req_to_sk(req));
+       req->saved_syn = NULL;
+       atomic_set(&req->rsk_refcnt, 0);
+
        return req;
 }
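Review bot: The new `atomic_inc_not_zero()` failure path inside the `attach_listener` branch makes `reqsk_alloc()` return NULL for two different reasons, a failed slab allocation and a listener whose `sk_refcnt` has already dropped to zero, and nothing in the new code documents that. A comment above the check would make the intent clear, for example `/* sk_listener may already be dead (refcnt 0): never resurrect it, drop the request instead */`, since a plain increment at that point would presumably reintroduce a use-after-free window once callers stop pinning the listener. The commit also removes the comment that explained `atomic_set(&req->rsk_refcnt, 0)` while keeping the call. If the coupling with `reqsk_put()` and `reqsk_free()` still holds, a one-line note saying why the count starts at zero should stay. The function's opening lines are outside the hunk, so its parameter contract could not be checked here.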