Commit 8eac3e06 authored by Eric Dumazet's avatar Eric Dumazet Committed by Liu Jian
Browse files

net: annotate data-races around sk->sk_dst_pending_confirm 

stable inclusion
from stable-v5.10.202
commit 22fa35ded3ec67add6db4abeeadf0b8d800816d9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA436B
CVE: CVE-2024-36971

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=22fa35ded3ec67add6db4abeeadf0b8d800816d9



--------------------------------

[ Upstream commit eb44ad4e635132754bfbcb18103f1dcb7058aedd ]

This field can be read or written without socket lock being held.

Add annotations to avoid load-store tearing.

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>
parent 9901ab29

include/net/sock.h

+3 −3
Original line number Diff line number Diff line
@@ -2025,7 +2025,7 @@ static inline void __dst_negative_advice(struct sock *sk) 
		if (ndst != dst) {

			rcu_assign_pointer(sk->sk_dst_cache, ndst);

			sk_tx_queue_clear(sk);

			sk->sk_dst_pending_confirm = 0;

			WRITE_ONCE(sk->sk_dst_pending_confirm, 0);

		}

	}

}
@@ -2042,7 +2042,7 @@ __sk_dst_set(struct sock *sk, struct dst_entry *dst) 
	struct dst_entry *old_dst;



	sk_tx_queue_clear(sk);

	sk->sk_dst_pending_confirm = 0;

	WRITE_ONCE(sk->sk_dst_pending_confirm, 0);

	old_dst = rcu_dereference_protected(sk->sk_dst_cache,

					    lockdep_sock_is_held(sk));

	rcu_assign_pointer(sk->sk_dst_cache, dst);
@@ -2055,7 +2055,7 @@ sk_dst_set(struct sock *sk, struct dst_entry *dst) 
	struct dst_entry *old_dst;



	sk_tx_queue_clear(sk);

	sk->sk_dst_pending_confirm = 0;

	WRITE_ONCE(sk->sk_dst_pending_confirm, 0);

	old_dst = xchg((__force struct dst_entry **)&sk->sk_dst_cache, dst);

	dst_release(old_dst);

}

net/core/sock.c

+1 −1
Original line number Diff line number Diff line
@@ -532,7 +532,7 @@ struct dst_entry *__sk_dst_check(struct sock *sk, u32 cookie) 


	if (dst && dst->obsolete && dst->ops->check(dst, cookie) == NULL) {

		sk_tx_queue_clear(sk);

		sk->sk_dst_pending_confirm = 0;

		WRITE_ONCE(sk->sk_dst_pending_confirm, 0);

		RCU_INIT_POINTER(sk->sk_dst_cache, NULL);

		dst_release(dst);

		return NULL;

net/ipv4/tcp_output.c

+1 −1
Original line number Diff line number Diff line
@@ -1373,7 +1373,7 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, 
	skb_set_hash_from_sk(skb, sk);

	refcount_add(skb->truesize, &sk->sk_wmem_alloc);



	skb_set_dst_pending_confirm(skb, sk->sk_dst_pending_confirm);

	skb_set_dst_pending_confirm(skb, READ_ONCE(sk->sk_dst_pending_confirm));



	/* Build TCP header and checksum it. */

	th = (struct tcphdr *)skb->data;