Commit 59a4ff7c authored by Jason Xing's avatar Jason Xing Committed by Zhao Wenhui
Browse files

netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser 

stable inclusion
from stable-v5.10.213
commit d1261bde59a3a087ab0c81181821e194278d9264
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q91I
CVE: CVE-2024-27428

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d1261bde59a3a087ab0c81181821e194278d9264



--------------------------------

[ Upstream commit 119cae5ea3f9e35cdada8e572cc067f072fa825a ]

We need to protect the reader reading the sysctl value because the
value can be changed concurrently.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarJason Xing <kernelxing@tencent.com>
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZhao Wenhui <zhaowenhui8@huawei.com>
parent db8faa59

net/netrom/nr_dev.c

+1 −1
Original line number Diff line number Diff line
@@ -81,7 +81,7 @@ static int nr_header(struct sk_buff *skb, struct net_device *dev, 
	buff[6] |= AX25_SSSID_SPARE;

	buff    += AX25_ADDR_LEN;



	*buff++ = sysctl_netrom_network_ttl_initialiser;

	*buff++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);



	*buff++ = NR_PROTO_IP;

	*buff++ = NR_PROTO_IP;

net/netrom/nr_out.c

+1 −1
Original line number Diff line number Diff line
@@ -204,7 +204,7 @@ void nr_transmit_buffer(struct sock *sk, struct sk_buff *skb) 
	dptr[6] |= AX25_SSSID_SPARE;

	dptr += AX25_ADDR_LEN;



	*dptr++ = sysctl_netrom_network_ttl_initialiser;

	*dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);



	if (!nr_route_frame(skb, NULL)) {

		kfree_skb(skb);

net/netrom/nr_subr.c

+3 −2
Original line number Diff line number Diff line
@@ -182,7 +182,8 @@ void nr_write_internal(struct sock *sk, int frametype) 
		*dptr++ = nr->my_id;

		*dptr++ = frametype;

		*dptr++ = nr->window;

		if (nr->bpqext) *dptr++ = sysctl_netrom_network_ttl_initialiser;

		if (nr->bpqext)

			*dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);

		break;



	case NR_DISCREQ:
@@ -236,7 +237,7 @@ void __nr_transmit_reply(struct sk_buff *skb, int mine, unsigned char cmdflags) 
	dptr[6] |= AX25_SSSID_SPARE;

	dptr += AX25_ADDR_LEN;



	*dptr++ = sysctl_netrom_network_ttl_initialiser;

	*dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);



	if (mine) {

		*dptr++ = 0;