Unverified Commit 953610e6 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!11638 Fix CVE-2024-44991 

Merge Pull Request from: @ci-robot 
 
PR sync from: Wang Liang <wangliang74@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/DFHIYETHQ4GVFS666X27CC2TQCX5YBGM/ 
Eric Dumazet (3):
  tcp/dccp: bypass empty buckets in inet_twsk_purge()
  tcp/dccp: do not care about families in inet_twsk_purge()
  tcp: do not export tcp_twsk_purge()

Florian Westphal (1):
  tcp: prevent concurrent execution of tcp_sk_exit_batch


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IAOXZW 
 
Link:https://gitee.com/openeuler/kernel/pulls/11638

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents 70522ace 8bc2fa04

include/net/inet_timewait_sock.h

+1 −1
Original line number Diff line number Diff line
@@ -114,7 +114,7 @@ static inline void inet_twsk_reschedule(struct inet_timewait_sock *tw, int timeo 


void inet_twsk_deschedule_put(struct inet_timewait_sock *tw);



void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family);

void inet_twsk_purge(struct inet_hashinfo *hashinfo);



static inline

struct net *twsk_net(const struct inet_timewait_sock *twsk)

include/net/tcp.h

+1 −1
Original line number Diff line number Diff line
@@ -349,7 +349,7 @@ void tcp_rcv_established(struct sock *sk, struct sk_buff *skb); 
void tcp_rcv_space_adjust(struct sock *sk);

int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp);

void tcp_twsk_destructor(struct sock *sk);

void tcp_twsk_purge(struct list_head *net_exit_list, int family);

void tcp_twsk_purge(struct list_head *net_exit_list);

ssize_t tcp_splice_read(struct socket *sk, loff_t *ppos,

			struct pipe_inode_info *pipe, size_t len,

			unsigned int flags);

net/dccp/ipv4.c

+1 −1
Original line number Diff line number Diff line
@@ -1042,7 +1042,7 @@ static void __net_exit dccp_v4_exit_net(struct net *net) 


static void __net_exit dccp_v4_exit_batch(struct list_head *net_exit_list)

{

	inet_twsk_purge(&dccp_hashinfo, AF_INET);

	inet_twsk_purge(&dccp_hashinfo);

}



static struct pernet_operations dccp_v4_ops = {

net/dccp/ipv6.c

+0 −6
Original line number Diff line number Diff line
@@ -1122,15 +1122,9 @@ static void __net_exit dccp_v6_exit_net(struct net *net) 
	inet_ctl_sock_destroy(pn->v6_ctl_sk);

}



static void __net_exit dccp_v6_exit_batch(struct list_head *net_exit_list)

{

	inet_twsk_purge(&dccp_hashinfo, AF_INET6);

}



static struct pernet_operations dccp_v6_ops = {

	.init   = dccp_v6_init_net,

	.exit   = dccp_v6_exit_net,

	.exit_batch = dccp_v6_exit_batch,

	.id	= &dccp_v6_pernet_id,

	.size   = sizeof(struct dccp_v6_pernet),

};

net/ipv4/inet_timewait_sock.c

+9 −7
Original line number Diff line number Diff line
@@ -279,14 +279,18 @@ void __inet_twsk_schedule(struct inet_timewait_sock *tw, int timeo, bool rearm) 
EXPORT_SYMBOL_GPL(__inet_twsk_schedule);



/* Remove all non full sockets (TIME_WAIT and NEW_SYN_RECV) for dead netns */

void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family)

void inet_twsk_purge(struct inet_hashinfo *hashinfo)

{

	struct inet_ehash_bucket *head = &hashinfo->ehash[0];

	unsigned int ehash_mask = hashinfo->ehash_mask;

	struct hlist_nulls_node *node;

	unsigned int slot;

	struct sock *sk;



	for (slot = 0; slot <= hashinfo->ehash_mask; slot++) {

		struct inet_ehash_bucket *head = &hashinfo->ehash[slot];

	for (slot = 0; slot <= ehash_mask; slot++, head++) {

		if (hlist_nulls_empty(&head->chain))

			continue;



restart_rcu:

		cond_resched();

		rcu_read_lock();
@@ -298,15 +302,13 @@ void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family) 
					     TCPF_NEW_SYN_RECV))

				continue;



			if (sk->sk_family != family ||

			    refcount_read(&sock_net(sk)->ns.count))

			if (refcount_read(&sock_net(sk)->ns.count))

				continue;



			if (unlikely(!refcount_inc_not_zero(&sk->sk_refcnt)))

				continue;



			if (unlikely(sk->sk_family != family ||

				     refcount_read(&sock_net(sk)->ns.count))) {

			if (refcount_read(&sock_net(sk)->ns.count)) {

				sock_gen_put(sk);

				goto restart;

			}