Commit acd99e6a authored by Jason Xing's avatar Jason Xing Committed by Zhao Wenhui
Browse files

netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser 

stable inclusion
from stable-v4.19.310
commit acc653e8a3aaab1b7103f98645f2cce7be89e3d3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q91I
CVE: CVE-2024-27428

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=acc653e8a3aaab1b7103f98645f2cce7be89e3d3



--------------------------------

[ Upstream commit 119cae5ea3f9e35cdada8e572cc067f072fa825a ]

We need to protect the reader reading the sysctl value because the
value can be changed concurrently.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarJason Xing <kernelxing@tencent.com>
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZhao Wenhui <zhaowenhui8@huawei.com>
parent 80ab23a8

net/netrom/nr_dev.c

+1 −1
Original line number Diff line number Diff line
@@ -84,7 +84,7 @@ static int nr_header(struct sk_buff *skb, struct net_device *dev, 
	buff[6] |= AX25_SSSID_SPARE;

	buff    += AX25_ADDR_LEN;



	*buff++ = sysctl_netrom_network_ttl_initialiser;

	*buff++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);



	*buff++ = NR_PROTO_IP;

	*buff++ = NR_PROTO_IP;

net/netrom/nr_out.c

+1 −1
Original line number Diff line number Diff line
@@ -207,7 +207,7 @@ void nr_transmit_buffer(struct sock *sk, struct sk_buff *skb) 
	dptr[6] |= AX25_SSSID_SPARE;

	dptr += AX25_ADDR_LEN;



	*dptr++ = sysctl_netrom_network_ttl_initialiser;

	*dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);



	if (!nr_route_frame(skb, NULL)) {

		kfree_skb(skb);

net/netrom/nr_subr.c

+3 −2
Original line number Diff line number Diff line
@@ -184,7 +184,8 @@ void nr_write_internal(struct sock *sk, int frametype) 
		*dptr++ = nr->my_id;

		*dptr++ = frametype;

		*dptr++ = nr->window;

		if (nr->bpqext) *dptr++ = sysctl_netrom_network_ttl_initialiser;

		if (nr->bpqext)

			*dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);

		break;



	case NR_DISCREQ:
@@ -238,7 +239,7 @@ void __nr_transmit_reply(struct sk_buff *skb, int mine, unsigned char cmdflags) 
	dptr[6] |= AX25_SSSID_SPARE;

	dptr += AX25_ADDR_LEN;



	*dptr++ = sysctl_netrom_network_ttl_initialiser;

	*dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser);



	if (mine) {

		*dptr++ = 0;