From: Fan Du Date: Mon, 23 Mar 2015 22:00:41 +0000 (-0700) Subject: inet: fix double request socket freeing X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=c69736696cf3742b37d850289dc0d7ead177bb14;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git inet: fix double request socket freeing Eric Hugne reported following error : I'm hitting this warning on latest net-next when i try to SSH into a machine with eth0 added to a bridge (but i think the problem is older than that) Steps to reproduce: node2 ~ # brctl addif br0 eth0 [ 223.758785] device eth0 entered promiscuous mode node2 ~ # ip link set br0 up [ 244.503614] br0: port 1(eth0) entered forwarding state [ 244.505108] br0: port 1(eth0) entered forwarding state node2 ~ # [ 251.160159] ------------[ cut here ]------------ [ 251.160831] WARNING: CPU: 0 PID: 3 at include/net/request_sock.h:102 tcp_v4_err+0x6b1/0x720() [ 251.162077] Modules linked in: [ 251.162496] CPU: 0 PID: 3 Comm: ksoftirqd/0 Not tainted 4.0.0-rc3+ #18 [ 251.163334] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 251.164078] ffffffff81a8365c ffff880038a6ba18 ffffffff8162ace4 0000000000009898 [ 251.165084] 0000000000000000 ffff880038a6ba58 ffffffff8104da85 ffff88003fa437c0 [ 251.166195] ffff88003fa437c0 ffff88003fa74e00 ffff88003fa43bb8 ffff88003fad99a0 [ 251.167203] Call Trace: [ 251.167533] [] dump_stack+0x45/0x57 [ 251.168206] [] warn_slowpath_common+0x85/0xc0 [ 251.169239] [] warn_slowpath_null+0x15/0x20 [ 251.170271] [] tcp_v4_err+0x6b1/0x720 [ 251.171408] [] ? _raw_read_lock_irq+0x3/0x10 [ 251.172589] [] ? inet_del_offload+0x40/0x40 [ 251.173366] [] icmp_socket_deliver+0x65/0xb0 [ 251.174134] [] icmp_unreach+0xc2/0x280 [ 251.174820] [] icmp_rcv+0x2bd/0x3a0 [ 251.175473] [] ip_local_deliver_finish+0x82/0x1e0 [ 251.176282] [] ip_local_deliver+0x88/0x90 [ 251.177004] [] ip_rcv_finish+0xf0/0x310 [ 251.177693] [] ip_rcv+0x2dc/0x390 [ 251.178336] [] __netif_receive_skb_core+0x713/0xa20 [ 251.179170] [] __netif_receive_skb+0x1a/0x80 [ 251.179922] [] process_backlog+0x94/0x120 [ 251.180639] [] net_rx_action+0x1e2/0x310 [ 251.181356] [] __do_softirq+0xa7/0x290 [ 251.182046] [] run_ksoftirqd+0x19/0x30 [ 251.182726] [] smpboot_thread_fn+0x153/0x1d0 [ 251.183485] [] ? SyS_setgroups+0x130/0x130 [ 251.184228] [] kthread+0xee/0x110 [ 251.184871] [] ? kthread_create_on_node+0x1b0/0x1b0 [ 251.185690] [] ret_from_fork+0x58/0x90 [ 251.186385] [] ? kthread_create_on_node+0x1b0/0x1b0 [ 251.187216] ---[ end trace c947fc7b24e42ea1 ]--- [ 259.542268] br0: port 1(eth0) entered forwarding state Remove the double calls to reqsk_put() [edumazet] : I got confused because reqsk_timer_handler() _has_ to call reqsk_put(req) after calling inet_csk_reqsk_queue_drop(), as the timer handler holds a reference on req. Signed-off-by: Fan Du Signed-off-by: Eric Dumazet Reported-by: Erik Hugne Fixes: fa76ce7328b2 ("inet: get rid of central tcp/dccp listener timer") Signed-off-by: David S. Miller --- diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index 6310b8b19598..2b4f21d34df6 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c @@ -208,6 +208,7 @@ void dccp_req_err(struct sock *sk, u64 seq) if (!between48(seq, dccp_rsk(req)->dreq_iss, dccp_rsk(req)->dreq_gss)) { NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS); + reqsk_put(req); } else { /* * Still in RESPOND, just remove it silently. @@ -217,7 +218,6 @@ void dccp_req_err(struct sock *sk, u64 seq) */ inet_csk_reqsk_queue_drop(req->rsk_listener, req); } - reqsk_put(req); } EXPORT_SYMBOL(dccp_req_err); diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index a57615062b66..4e90217003e8 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -324,6 +324,7 @@ void tcp_req_err(struct sock *sk, u32 seq) if (seq != tcp_rsk(req)->snt_isn) { NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS); + reqsk_put(req); } else { /* * Still in SYN_RECV, just remove it silently. @@ -331,10 +332,9 @@ void tcp_req_err(struct sock *sk, u32 seq) * created socket, and POSIX does not want network * errors returned from accept(). */ - inet_csk_reqsk_queue_drop(req->rsk_listener, req); NET_INC_STATS_BH(net, LINUX_MIB_LISTENDROPS); + inet_csk_reqsk_queue_drop(req->rsk_listener, req); } - reqsk_put(req); } EXPORT_SYMBOL(tcp_req_err);