syzbot demonstrated that a reqsk timer could be fired after netns
dismantle if the timer was kicked by kernel TCP listener.
Regardless of the owner of the socket, TCP listener always has to
hold netns refcount.
Let's make sure that new user will not create kernel TCP listener
without holding netns refcount.
Suggested-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
---
net/ipv4/tcp_input.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index df7b13f0e5e0..341dd5bb3fd1 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6972,6 +6972,8 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
if (req) {
struct inet_request_sock *ireq = inet_rsk(req);
+ DEBUG_NET_WARN_ON_ONCE(!sk_listener->sk_net_refcnt);
+
ireq->ireq_opt = NULL;
#if IS_ENABLED(CONFIG_IPV6)
ireq->pktopts = NULL;
--
2.30.2
