From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Guillaume Nault, Eric Dumazet, "David S. Miller"
Subject: [PATCH 4.14 16/34] tcp: handle inet_csk_reqsk_queue_add() failures
Date: Mon, 18 Mar 2019 10:25:40 +0100
Message-Id: <20190318084146.917722087@linuxfoundation.org>
In-Reply-To: <20190318084144.657740413@linuxfoundation.org>
References: <20190318084144.657740413@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault

[ Upstream commit 9d3e1368bb45893a75a5dfb7cd21fdebfa6b47af ]

Commit 7716682cc58e ("tcp/dccp: fix another race at listener dismantle") let inet_csk_reqsk_queue_add() fail, and adjusted {tcp,dccp}_check_req() accordingly. However, TFO and syncookies weren't modified, thus leaking allocated resources on error.

Contrary to tcp_check_req(), in both syncookies and TFO cases, we need to drop the request socket. Also, since the child socket is created with inet_csk_clone_lock(), we have to unlock it and drop an extra reference (->sk_refcount is initially set to 2 and inet_csk_reqsk_queue_add() drops only one ref).

For TFO, we also need to revert the work done by tcp_try_fastopen() (with reqsk_fastopen_remove()).

Fixes: 7716682cc58e ("tcp/dccp: fix another race at listener dismantle")
Signed-off-by: Guillaume Nault
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv4/syncookies.c | 7 ++++++-
 net/ipv4/tcp_input.c | 8 +++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

--- a/net/ipv4/syncookies.c +++ b/net/ipv4/syncookies.c 
@@ -216,7 +216,12 @@ struct sock *tcp_get_cookie_sock(struct refcount_set(&req->rsk_refcnt, 1); tcp_sk(child)->tsoffset = tsoff; sock_rps_save_rxhash(child, skb); - inet_csk_reqsk_queue_add(sk, req, child); + if (!inet_csk_reqsk_queue_add(sk, req, child)) { + bh_unlock_sock(child); + sock_put(child); + child = NULL; + reqsk_put(req); + } } else { reqsk_free(req); } --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6406,7 +6406,13 @@ int tcp_conn_request(struct request_sock af_ops->send_synack(fastopen_sk, dst, &fl, req, &foc, TCP_SYNACK_FASTOPEN); /* Add the child socket directly into the accept queue */ - inet_csk_reqsk_queue_add(sk, req, fastopen_sk); + if (!inet_csk_reqsk_queue_add(sk, req, fastopen_sk)) { + reqsk_fastopen_remove(fastopen_sk, req, false); + bh_unlock_sock(fastopen_sk); + sock_put(fastopen_sk); + reqsk_put(req); + goto drop; + } sk->sk_data_ready(sk); bh_unlock_sock(fastopen_sk); sock_put(fastopen_sk);
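
Review bot: In the net/ipv4/syncookies.c hunk (tcp_get_cookie_sock), the new failure branch carries no comment explaining its reference accounting, and a reader cannot tell from the code alone why `sock_put(child)` is needed on top of what inet_csk_reqsk_queue_add() already drops, or why this branch uses `reqsk_put(req)` while the neighbouring `else` branch uses `reqsk_free(req)`. The commit message has the reasoning (->sk_refcount starts at 2 after inet_csk_clone_lock(), and `refcount_set(&req->rsk_refcnt, 1)` sits just above), so a two-line comment in the branch stating that would keep the next change from unbalancing it. The branch also sets `child = NULL`; the return statement is outside the visible context, so it is worth confirming that every caller of tcp_get_cookie_sock() handles a NULL result on this path.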
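
Review bot: In the net/ipv4/tcp_input.c hunk (tcp_conn_request), the failure check comes after `af_ops->send_synack(fastopen_sk, dst, &fl, req, &foc, TCP_SYNACK_FASTOPEN)`, so by the time inet_csk_reqsk_queue_add() can fail the SYN-ACK has already been handed to the send path and the child is then torn down; a comment saying that this is expected and how the peer's subsequent segments are handled would help. Two smaller points in the same branch: `reqsk_fastopen_remove(fastopen_sk, req, false)` passes a bare boolean whose meaning is not evident at the call site, and the `drop` label is outside the visible context, so please confirm that it does not release `req` a second time after the `reqsk_put(req)` here. The `bh_unlock_sock(fastopen_sk); sock_put(fastopen_sk);` pair now appears on both the failure and success paths, which is fine but worth noting in the comment so the two stay in step.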