diff mbox series

[stable,5.4,2/2] Revert "tcp: Clean up kernel listener's reqsk in inet_twsk_purge()"

Message ID 20240506031750.3169282-3-shaozhengchao@huawei.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series Revert the patchset for fix CVE-2024-26865 | expand

Checks

Context Check Description
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

shaozhengchao May 6, 2024, 3:17 a.m. UTC 
This reverts commit 53fab9cec2cda43d7161257dad5b546ea4be0018.

There's no "pernet" variable in the struct hashinfo. The "pernet" variable
is introduced from v6.1-rc1. Revert this patch.

Fixes:
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
---
 net/ipv4/inet_timewait_sock.c | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

Comments

shaozhengchao May 6, 2024, 4:21 a.m. UTC | #1 
The patchset's format is incorrect, please drop it.

On 2024/5/6 11:17, Zhengchao Shao wrote:
> This reverts commit 53fab9cec2cda43d7161257dad5b546ea4be0018.
> 
> There's no "pernet" variable in the struct hashinfo. The "pernet" variable
> is introduced from v6.1-rc1. Revert this patch.
> 
> Fixes:
> Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
> ---
>   net/ipv4/inet_timewait_sock.c | 15 +--------------
>   1 file changed, 1 insertion(+), 14 deletions(-)
> 
> diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
> index 04726bbd72dc..c411c87ae865 100644
> --- a/net/ipv4/inet_timewait_sock.c
> +++ b/net/ipv4/inet_timewait_sock.c
> @@ -268,21 +268,8 @@ void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family)
>   		rcu_read_lock();
>   restart:
>   		sk_nulls_for_each_rcu(sk, node, &head->chain) {
> -			if (sk->sk_state != TCP_TIME_WAIT) {
> -				/* A kernel listener socket might not hold refcnt for net,
> -				 * so reqsk_timer_handler() could be fired after net is
> -				 * freed.  Userspace listener and reqsk never exist here.
> -				 */
> -				if (unlikely(sk->sk_state == TCP_NEW_SYN_RECV &&
> -					     hashinfo->pernet)) {
> -					struct request_sock *req = inet_reqsk(sk);
> -
> -					inet_csk_reqsk_queue_drop_and_put(req->rsk_listener, req);
> -				}
> -
> +			if (sk->sk_state != TCP_TIME_WAIT)
>   				continue;
> -			}
> -
>   			tw = inet_twsk(sk);
>   			if ((tw->tw_family != family) ||
>   				refcount_read(&twsk_net(tw)->count))
diff mbox series

Patch

diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index 04726bbd72dc..c411c87ae865 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -268,21 +268,8 @@  void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family)
 		rcu_read_lock();
 restart:
 		sk_nulls_for_each_rcu(sk, node, &head->chain) {
-			if (sk->sk_state != TCP_TIME_WAIT) {
-				/* A kernel listener socket might not hold refcnt for net,
-				 * so reqsk_timer_handler() could be fired after net is
-				 * freed.  Userspace listener and reqsk never exist here.
-				 */
-				if (unlikely(sk->sk_state == TCP_NEW_SYN_RECV &&
-					     hashinfo->pernet)) {
-					struct request_sock *req = inet_reqsk(sk);
-
-					inet_csk_reqsk_queue_drop_and_put(req->rsk_listener, req);
-				}
-
+			if (sk->sk_state != TCP_TIME_WAIT)
 				continue;
-			}
-
 			tw = inet_twsk(sk);
 			if ((tw->tw_family != family) ||
 				refcount_read(&twsk_net(tw)->count))