[Devel] [PATCH rh7] net: Use {get, put}_net() in inet_twsk_{alloc, free}()

[Kirill Tkhai]

hold_net() doesn't increment net refcounter if NETNS_REFCNT_DEBUG
is not defined. In this case inet_twdr_do_twkill_work() may happen
after network is destoyed and lead to memory corruption like this
happened in https://jira.sw.ru/browse/PSBM-33755.

The patch replaces {hold,release}_net with {get,put}_net, which
makes refcounters be incremented always.

Such object changes, which extends its lifetime, should be checked
for safety of refcouter waiters, who wait for 0 refcounter. I mean
the sequence of net device shutdown for example, see
netdev_wait_allrefs() for details.

Luckily, we don't have the same issues with struct net, because nobody
waits for it.

PCS6 also needs the same patch.

Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
---
 net/ipv4/inet_timewait_sock.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index e2bda07..526e3b5 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -103,7 +103,7 @@ void inet_twsk_free(struct inet_timewait_sock *tw)
 #ifdef CONFIG_BEANCOUNTERS
 	put_beancounter(tw->tw_ub);
 #endif
-	release_net(twsk_net(tw));
+	put_net(twsk_net(tw));
 	kmem_cache_free(tw->tw_prot->twsk_prot->twsk_slab, tw);
 	module_put(owner);
 }
@@ -202,7 +202,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, const int stat
 		tw->tw_ipv6only	    = 0;
 		tw->tw_transparent  = inet->transparent;
 		tw->tw_prot	    = sk->sk_prot_creator;
-		twsk_net_set(tw, hold_net(sock_net(sk)));
+		twsk_net_set(tw, get_net(sock_net(sk)));
 		/*
 		 * Because we use RCU lookups, we should not set tw_refcnt
 		 * to a non null value before everything is setup for this