udp: fix race between close() and udp_abort()

[ Upstream commit a8b897c7bc ] Kaustubh reported and diagnosed a panic in udp_lib_lookup(). The root cause is udp_abort() racing with close(). Both racing functions acquire the socket lock, but udp{v6}_destroy_sock() release it before performing destructive actions. We can't easily extend the socket lock scope to avoid the race, instead use the SOCK_DEAD flag to prevent udp_abort from doing any action when the critical race happens. Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org> Fixes: 5d77dca828 ("net: diag: support SOCK_DESTROY for UDP sockets") Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
2026-06-06 13:37:36 +02:00 · 2021-06-09 11:49:01 +02:00 · 2021-06-09 11:49:01 +02:00 · 8729ec8a22
commit 8729ec8a22
parent 7dd7b1e4d9
2 changed files with 13 additions and 0 deletions
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@ -2569,6 +2569,9 @@ void udp_destroy_sock(struct sock *sk)
 {
 	struct udp_sock *up = udp_sk(sk);
 	bool slow = lock_sock_fast(sk);
 	/* protects from races with udp_abort() */
 	sock_set_flag(sk, SOCK_DEAD);
 	udp_flush_pending_frames(sk);
 	unlock_sock_fast(sk, slow);
 	if (static_branch_unlikely(&udp_encap_needed_key)) {
@ -2819,10 +2822,17 @@ int udp_abort(struct sock *sk, int err)
 {
 	lock_sock(sk);
 	/* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing
 	 * with close()
 	 */
 	if (sock_flag(sk, SOCK_DEAD))
 		goto out;
 	sk->sk_err = err;
 	sk->sk_error_report(sk);
 	__udp_disconnect(sk, 0);
 out:
 	release_sock(sk);
 	return 0;
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@ -1596,6 +1596,9 @@ void udpv6_destroy_sock(struct sock *sk)
 {
 	struct udp_sock *up = udp_sk(sk);
 	lock_sock(sk);
 	/* protects from races with udp_abort() */
 	sock_set_flag(sk, SOCK_DEAD);
 	udp_v6_flush_pending_frames(sk);
 	release_sock(sk);