Eric Dumazet wrote:
> [PATCH] tcp: Fix a connect() race with timewait sockets
>
> When we find a timewait connection in __inet_hash_connect() and reuse
> it for a new connection request, we have a race window, releasing bind
> list lock and reacquiring it in __inet_twsk_kill() to remove timewait
> socket from list.
>
> Another thread might find the timewait socket we already chose, leading to
> list corruption and crashes.
>
> Fix is to remove timewait socket from bind list before releasing the lock.

I cooked two patches on top of net-next-2.6 to solve the two last race problems I am aware of.

Kapil, if you want to test them, make sure you take the last net-next-2.6 snapshot.

First patch changes __inet_hash_nolisten() and __inet6_hash() to get a timewait parameter to be able to unhash it from ehash at the same time the new socket is inserted into ehash.

Second patch is a respin of the first patch I sent: it makes sure __inet_hash_connect() cannot give the same timewait socket to different threads.

Thanks!

Reported-by: kapil dakhane <kdakhane@xxxxxxxxx>
Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
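The race described in the message above, as an added user-space model that is not part of the patch or of the kernel sources: one locked list of reusable entries, looked up either with removal deferred until after the lock is dropped or with removal done before unlocking. The names `struct tw`, `struct bucket`, `tw_lookup` and `same_entry_given_twice`, and the port numbers, are constructed for illustration.

```c
#include <pthread.h>
#include <stdio.h>

/* Constructed model, not kernel code: a bind-bucket list of reusable
 * "timewait" entries guarded by one lock. */
struct tw { int port; struct tw *next; };
struct bucket { pthread_mutex_t lock; struct tw *head; };

/* Find an entry for port. With unlink_now set, the entry is removed from
 * the list before the lock is released; otherwise removal is left to a
 * later step that has to reacquire the lock. */
static struct tw *tw_lookup(struct bucket *b, int port, int unlink_now)
{
    struct tw *found = NULL;

    pthread_mutex_lock(&b->lock);
    for (struct tw **pp = &b->head; *pp; pp = &(*pp)->next) {
        if ((*pp)->port == port) {
            found = *pp;
            if (unlink_now)
                *pp = found->next;  /* claimed: later lookups cannot see it */
            break;
        }
    }
    pthread_mutex_unlock(&b->lock);
    return found;
}

/* Replays the problematic interleaving deterministically: the first caller
 * looks up and drops the lock, and the second caller looks up before any
 * deferred removal has run. Returns 1 if both callers were handed the same
 * entry, which is the precondition for removing it from the list twice. */
int same_entry_given_twice(int unlink_now)
{
    struct tw e2 = { 40001, NULL }, e1 = { 40000, &e2 };
    struct bucket b = { PTHREAD_MUTEX_INITIALIZER, &e1 };

    struct tw *first = tw_lookup(&b, 40000, unlink_now);
    struct tw *second = tw_lookup(&b, 40000, unlink_now);
    return first != NULL && first == second;
}

int main(void)
{
    printf("deferred unlink: %d, unlink under lock: %d\n",
           same_entry_given_twice(0), same_entry_given_twice(1));
    return 0;
}
```
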