commit 1616b38f201945f5fc88aa09b525e3625777aa7c
author Tom Herbert <tom@herbertland.com> Tue Aug 23 11:55:31 2016 -0700
committer David S. Miller <davem@davemloft.net> Tue Aug 23 16:23:12 2016 -0700
tree 0d5f890a7b0d21fa7c4d7580a70e0bfcae2c0738
parent cff6a334e63420e95ec40dc7fcdc0b8258615760

kcm: Fix locking issue

Lock the lower socket in kcm_unattach. Release during call to strp_done
since that function cancels the RX timers and work queue with sync.

Also added some status information in psock reporting.

Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/kcm/kcmsock.c

diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index eedbe40..eb731ca 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -1477,12 +1477,13 @@
 	return err;
 }
 
-/* Lower socket lock held */
 static void kcm_unattach(struct kcm_psock *psock)
 {
 	struct sock *csk = psock->sk;
 	struct kcm_mux *mux = psock->mux;
 
+	lock_sock(csk);
+
 	/* Stop getting callbacks from TCP socket. After this there should
 	 * be no way to reserve a kcm for this psock.
 	 */
@@ -1514,7 +1515,10 @@
 
 	write_unlock_bh(&csk->sk_callback_lock);
 
+	/* Call strp_done without sock lock */
+	release_sock(csk);
 	strp_done(&psock->strp);
+	lock_sock(csk);
 
 	bpf_prog_put(psock->bpf_prog);
 
@@ -1564,6 +1568,8 @@
 		fput(csk->sk_socket->file);
 		kmem_cache_free(kcm_psockp, psock);
 	}
+
+	release_sock(csk);
 }
 
 static int kcm_unattach_ioctl(struct socket *sock, struct kcm_unattach *info)
@@ -1749,11 +1755,8 @@
 	/* Release psocks */
 	list_for_each_entry_safe(psock, tmp_psock,
 				 &mux->psocks, psock_list) {
-		if (!WARN_ON(psock->unattaching)) {
-			lock_sock(psock->strp.sk);
+		if (!WARN_ON(psock->unattaching))
 			kcm_unattach(psock);
-			release_sock(psock->strp.sk);
-		}
 	}
 
 	if (WARN_ON(mux->psocks_cnt))