Unverified Commit 063e0f47 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!8716 CVE-2024-35910 

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/3DHBXSY4G7PSYWGUXNCGH5H2VMQHP32V/ 
CVE-2024-35910

Eric Dumazet (1):
  tcp: properly terminate timers for kernel sockets

Geliang Tang (1):
  mptcp: add sk_stop_timer_sync helper


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9QG5Z 
 
Link:https://gitee.com/openeuler/kernel/pulls/8716

 

Reviewed-by: default avatarLiu YongQiang <liuyongqiang13@huawei.com>
Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
parents 5f7c9fb3 6803d084

include/net/inet_connection_sock.h

+1 −0
Original line number Diff line number Diff line
@@ -177,6 +177,7 @@ void inet_csk_init_xmit_timers(struct sock *sk, 
			       void (*delack_handler)(struct timer_list *),

			       void (*keepalive_handler)(struct timer_list *));

void inet_csk_clear_xmit_timers(struct sock *sk);

void inet_csk_clear_xmit_timers_sync(struct sock *sk);



static inline void inet_csk_schedule_ack(struct sock *sk)

{

include/net/sock.h

+9 −0
Original line number Diff line number Diff line
@@ -1631,6 +1631,13 @@ static inline void sock_owned_by_me(const struct sock *sk) 
#endif

}



static inline void sock_not_owned_by_me(const struct sock *sk)

{

#ifdef CONFIG_LOCKDEP

	WARN_ON_ONCE(lockdep_sock_is_held(sk) && debug_locks);

#endif

}



static inline bool sock_owned_by_user(const struct sock *sk)

{

	sock_owned_by_me(sk);
@@ -2241,6 +2248,8 @@ void sk_reset_timer(struct sock *sk, struct timer_list *timer, 


void sk_stop_timer(struct sock *sk, struct timer_list *timer);



void sk_stop_timer_sync(struct sock *sk, struct timer_list *timer);



int __sk_queue_drop_skb(struct sock *sk, struct sk_buff_head *sk_queue,

			struct sk_buff *skb, unsigned int flags,

			void (*destructor)(struct sock *sk,

net/core/sock.c

+7 −0
Original line number Diff line number Diff line
@@ -2826,6 +2826,13 @@ void sk_stop_timer(struct sock *sk, struct timer_list* timer) 
}

EXPORT_SYMBOL(sk_stop_timer);



void sk_stop_timer_sync(struct sock *sk, struct timer_list *timer)

{

	if (del_timer_sync(timer))

		__sock_put(sk);

}

EXPORT_SYMBOL(sk_stop_timer_sync);



void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid)

{

	sk_init_common(sk);

net/ipv4/inet_connection_sock.c

+14 −0
Original line number Diff line number Diff line
@@ -568,6 +568,20 @@ void inet_csk_clear_xmit_timers(struct sock *sk) 
}

EXPORT_SYMBOL(inet_csk_clear_xmit_timers);



void inet_csk_clear_xmit_timers_sync(struct sock *sk)

{

	struct inet_connection_sock *icsk = inet_csk(sk);



	/* ongoing timer handlers need to acquire socket lock. */

	sock_not_owned_by_me(sk);



	icsk->icsk_pending = icsk->icsk_ack.pending = 0;



	sk_stop_timer_sync(sk, &icsk->icsk_retransmit_timer);

	sk_stop_timer_sync(sk, &icsk->icsk_delack_timer);

	sk_stop_timer_sync(sk, &sk->sk_timer);

}



void inet_csk_delete_keepalive_timer(struct sock *sk)

{

	sk_stop_timer(sk, &sk->sk_timer);

net/ipv4/tcp.c

+2 −0
Original line number Diff line number Diff line
@@ -2521,6 +2521,8 @@ void tcp_close(struct sock *sk, long timeout) 
	lock_sock(sk);

	__tcp_close(sk, timeout);

	release_sock(sk);

	if (!sk->sk_net_refcnt)

		inet_csk_clear_xmit_timers_sync(sk);

	sock_put(sk);

}

EXPORT_SYMBOL(tcp_close);