diff mbox series

[v2,net,5/5] tcp: Add assertion for reqsk->rsk_listener->sk_net_refcnt.

Message ID 20240227011041.97375-6-kuniyu@amazon.com (mailing list archive)
State Superseded
Headers show
Series tcp/rds: Fix use-after-free around kernel TCP reqsk. | expand

Commit Message

Kuniyuki Iwashima Feb. 27, 2024, 1:10 a.m. UTC 
syzbot demonstrated that a reqsk timer could be fired after netns
dismantle if the timer was kicked by kernel TCP listener.

Regardless of the owner of the socket, TCP listener always has to
hold netns refcount.

Let's make sure that new user will not create kernel TCP listener
without holding netns refcount.

Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 net/ipv4/tcp_input.c | 2 ++
 1 file changed, 2 insertions(+)
diff mbox series

Patch

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index df7b13f0e5e0..341dd5bb3fd1 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6972,6 +6972,8 @@  struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
 	if (req) {
 		struct inet_request_sock *ireq = inet_rsk(req);
 
+		DEBUG_NET_WARN_ON_ONCE(!sk_listener->sk_net_refcnt);
+
 		ireq->ireq_opt = NULL;
 #if IS_ENABLED(CONFIG_IPV6)
 		ireq->pktopts = NULL;