Commit 995f9b67 authored by Eric Dumazet's avatar Eric Dumazet Committed by Yongqiang Liu
Browse files

net: annotate data-races around sk->sk_dst_pending_confirm 

stable inclusion
from stable-v4.19.300
commit ac41b10e834f5f7479f91220668e90c505808d1c
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8UH13


CVE: NA

--------------------------------

[ Upstream commit eb44ad4e635132754bfbcb18103f1dcb7058aedd ]

This field can be read or written without socket lock being held.

Add annotations to avoid load-store tearing.

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarYongqiang Liu <liuyongqiang13@huawei.com>
parent c2ff4dad

include/net/sock.h

+3 −3
Original line number Original line Diff line number Diff line
@@ -1965,7 +1965,7 @@ static inline void dst_negative_advice(struct sock *sk) 
		if (ndst != dst) {

		if (ndst != dst) {

			rcu_assign_pointer(sk->sk_dst_cache, ndst);

			rcu_assign_pointer(sk->sk_dst_cache, ndst);

			sk_tx_queue_clear(sk);

			sk_tx_queue_clear(sk);

			sk->sk_dst_pending_confirm = 0;

			WRITE_ONCE(sk->sk_dst_pending_confirm, 0);

		}

		}

	}

	}

}

}
@@ -1976,7 +1976,7 @@ __sk_dst_set(struct sock *sk, struct dst_entry *dst) 
	struct dst_entry *old_dst;

	struct dst_entry *old_dst;





	sk_tx_queue_clear(sk);

	sk_tx_queue_clear(sk);

	sk->sk_dst_pending_confirm = 0;

	WRITE_ONCE(sk->sk_dst_pending_confirm, 0);

	old_dst = rcu_dereference_protected(sk->sk_dst_cache,

	old_dst = rcu_dereference_protected(sk->sk_dst_cache,

					    lockdep_sock_is_held(sk));

					    lockdep_sock_is_held(sk));

	rcu_assign_pointer(sk->sk_dst_cache, dst);

	rcu_assign_pointer(sk->sk_dst_cache, dst);
@@ -1989,7 +1989,7 @@ sk_dst_set(struct sock *sk, struct dst_entry *dst) 
	struct dst_entry *old_dst;

	struct dst_entry *old_dst;





	sk_tx_queue_clear(sk);

	sk_tx_queue_clear(sk);

	sk->sk_dst_pending_confirm = 0;

	WRITE_ONCE(sk->sk_dst_pending_confirm, 0);

	old_dst = xchg((__force struct dst_entry **)&sk->sk_dst_cache, dst);

	old_dst = xchg((__force struct dst_entry **)&sk->sk_dst_cache, dst);

	dst_release(old_dst);

	dst_release(old_dst);

}

}

net/core/sock.c

+1 −1
Original line number Original line Diff line number Diff line
@@ -496,7 +496,7 @@ struct dst_entry *__sk_dst_check(struct sock *sk, u32 cookie) 




	if (dst && dst->obsolete && dst->ops->check(dst, cookie) == NULL) {

	if (dst && dst->obsolete && dst->ops->check(dst, cookie) == NULL) {

		sk_tx_queue_clear(sk);

		sk_tx_queue_clear(sk);

		sk->sk_dst_pending_confirm = 0;

		WRITE_ONCE(sk->sk_dst_pending_confirm, 0);

		RCU_INIT_POINTER(sk->sk_dst_cache, NULL);

		RCU_INIT_POINTER(sk->sk_dst_cache, NULL);

		dst_release(dst);

		dst_release(dst);

		return NULL;

		return NULL;

net/ipv4/tcp_output.c

+1 −1
Original line number Original line Diff line number Diff line
@@ -1143,7 +1143,7 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, 
	skb_set_hash_from_sk(skb, sk);

	skb_set_hash_from_sk(skb, sk);

	refcount_add(skb->truesize, &sk->sk_wmem_alloc);

	refcount_add(skb->truesize, &sk->sk_wmem_alloc);





	skb_set_dst_pending_confirm(skb, sk->sk_dst_pending_confirm);

	skb_set_dst_pending_confirm(skb, READ_ONCE(sk->sk_dst_pending_confirm));





	/* Build TCP header and checksum it. */

	/* Build TCP header and checksum it. */

	th = (struct tcphdr *)skb->data;

	th = (struct tcphdr *)skb->data;