tcp: fix races in tcp_abort()

tcp_abort() has the same issue than the one fixed in the prior patch
in tcp_write_err().

In order to get consistent results from tcp_poll(), we must call
sk_error_report() after tcp_done().

We can use tcp_done_with_error() to centralize this logic.

Fixes: c1e64e298b8c ("net: diag: Support destroying TCP sockets.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Link: https://lore.kernel.org/r/20240528125253.1966136-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 2a8f8d8..5fa68e7 100644 (file)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4576,14 +4576,10 @@ int tcp_abort(struct sock *sk, int err)
        bh_lock_sock(sk);
 
        if (!sock_flag(sk, SOCK_DEAD)) {
-               WRITE_ONCE(sk->sk_err, err);
-               /* This barrier is coupled with smp_rmb() in tcp_poll() */
-               smp_wmb();
-               sk_error_report(sk);
                if (tcp_need_reset(sk->sk_state))
                        tcp_send_active_reset(sk, GFP_ATOMIC,
                                              SK_RST_REASON_NOT_SPECIFIED);
-               tcp_done(sk);
+               tcp_done_with_error(sk, err);
        }
 
        bh_unlock_sock(sk);