From mboxrd@z Thu Jan 1 00:00:00 1970 From: Lorenzo Colitti Subject: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort Date: Sat, 7 Jul 2018 16:31:40 +0900 Message-ID: <20180707073140.202004-1-lorenzo@google.com> Cc: astrachan@google.com, subashab@codeaurora.org, eric.dumazet@gmail.com, davem@davemloft.net, Lorenzo Colitti , David Ahern To: netdev@vger.kernel.org Return-path: Received: from mail-pl0-f66.google.com ([209.85.160.66]:45321 "EHLO mail-pl0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751887AbeGGHbt (ORCPT ); Sat, 7 Jul 2018 03:31:49 -0400 Received: by mail-pl0-f66.google.com with SMTP id bi1-v6so3834158plb.12 for ; Sat, 07 Jul 2018 00:31:49 -0700 (PDT) Sender: netdev-owner@vger.kernel.org List-ID: When tcp_diag_destroy closes a TCP_NEW_SYN_RECV socket, it first frees it by calling inet_csk_reqsk_queue_drop_and_put in tcp_abort, and then frees it again by calling sock_gen_put. Since tcp_abort only has one caller, and all the other codepaths in tcp_abort don't free the socket, just remove the free in that function. Cc: David Ahern Tested: passes Android sock_diag_test.py, which exercises this codepath Fixes: d7226c7a4dd1 ("net: diag: Fix refcnt leak in error path destroying socket") Signed-off-by: Lorenzo Colitti --- net/ipv4/tcp.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index e7b53d2a97..c959bb6ea4 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3720,8 +3720,7 @@ int tcp_abort(struct sock *sk, int err) struct request_sock *req = inet_reqsk(sk); local_bh_disable(); - inet_csk_reqsk_queue_drop_and_put(req->rsk_listener, - req); + inet_csk_reqsk_queue_drop(req->rsk_listener, req); local_bh_enable(); return 0; } -- 2.18.0.203.gfac676dfb9-goog
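Review bot: the reference-ownership rule this fix depends on is not documented at the changed call in the request-socket branch of tcp_abort. With inet_csk_reqsk_queue_drop(req->rsk_listener, req); the function no longer releases the request socket's reference and relies on its caller to do so, which per the commit message is the sock_gen_put in tcp_diag_destroy. A short comment above that call, stating that the caller holds the reference and must drop it, would keep a later second caller from leaking the request socket and keep anyone from restoring the _and_put variant and with it the double free. The justification given (a single caller, and no other path in tcp_abort freeing the socket) cannot be confirmed from this hunk alone, so it is worth checking against the function's other return paths before merging.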