Commit e8b13ebd authored Jun 07, 2024 by Geliang Tang

inet: lock the socket in ip_sock_set_tos()

mainline inclusion
from mainline-v6.7-rc1
commit 878d951c6712b655c38e78ac1ee63c35cd913b22
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9VYQ9
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=878d951c6712b655c38e78ac1ee63c35cd913b22



--------------------------------

Christoph Paasch reported a panic in TCP stack [1]

Indeed, we should not call sk_dst_reset() without holding
the socket lock, as __sk_dst_get() callers do not all rely
on bare RCU.

[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 12bad6067 P4D 12bad6067 PUD 12bad5067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 2750 Comm: syz-executor.5 Not tainted 6.6.0-rc4-g7a5720a344e7 #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:tcp_get_metrics+0x118/0x8f0 net/ipv4/tcp_metrics.c:321
Code: c7 44 24 70 02 00 8b 03 89 44 24 48 c7 44 24 4c 00 00 00 00 66 c7 44 24 58 02 00 66 ba 02 00 b1 01 89 4c 24 04 4c 89 7c 24 10 <49> 8b 0f 48 8b 89 50 05 00 00 48 89 4c 24 30 33 81 00 02 00 00 69
RSP: 0018:ffffc90000af79b8 EFLAGS: 00010293
RAX: 000000000100007f RBX: ffff88812ae8f500 RCX: ffff88812b5f8f01
RDX: 0000000000000002 RSI: ffffffff8300f080 RDI: 0000000000000002
RBP: 0000000000000002 R08: 0000000000000003 R09: ffffffff8205eca0
R10: 0000000000000002 R11: ffff88812b5f8f00 R12: ffff88812a9e0580
R13: 0000000000000000 R14: ffff88812ae8fbd2 R15: 0000000000000000
FS: 00007f70a006b640(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000012bad7003 CR4: 0000000000170ee0
Call Trace:
<TASK>
tcp_fastopen_cache_get+0x32/0x140 net/ipv4/tcp_metrics.c:567
tcp_fastopen_cookie_check+0x28/0x180 net/ipv4/tcp_fastopen.c:419
tcp_connect+0x9c8/0x12a0 net/ipv4/tcp_output.c:3839
tcp_v4_connect+0x645/0x6e0 net/ipv4/tcp_ipv4.c:323
__inet_stream_connect+0x120/0x590 net/ipv4/af_inet.c:676
tcp_sendmsg_fastopen+0x2d6/0x3a0 net/ipv4/tcp.c:1021
tcp_sendmsg_locked+0x1957/0x1b00 net/ipv4/tcp.c:1073
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1336
__sock_sendmsg+0x83/0xd0 net/socket.c:730
__sys_sendto+0x20a/0x2a0 net/socket.c:2194
__do_sys_sendto net/socket.c:2206 [inline]

Fixes: e08d0b3d1723 ("inet: implement lockless IP_TOS")
Reported-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20231018090014.345158-1-edumazet@google.com


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>

parent f5518257

include/net/ip.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -258,7 +258,7 @@ static inline u8 ip_sendmsg_scope(const struct inet_sock *inet,

		static inline __u8 get_rttos(struct ipcm_cookie* ipc, struct inet_sock *inet)
		{
		return (ipc->tos != -1) ? RT_TOS(ipc->tos) : RT_TOS(inet->tos);
		return (ipc->tos != -1) ? RT_TOS(ipc->tos) : RT_TOS(READ_ONCE(inet->tos));
		}

		/* datagram.c */

include/net/route.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -37,7 +37,7 @@

		#define RTO_ONLINK 0x01

		#define RT_CONN_FLAGS(sk) (RT_TOS(inet_sk(sk)->tos) \| sock_flag(sk, SOCK_LOCALROUTE))
		#define RT_CONN_FLAGS(sk) (RT_TOS(READ_ONCE(inet_sk(sk)->tos)) \| sock_flag(sk, SOCK_LOCALROUTE))
		#define RT_CONN_FLAGS_TOS(sk,tos) (RT_TOS(tos) \| sock_flag(sk, SOCK_LOCALROUTE))

		static inline __u8 ip_sock_rt_scope(const struct sock *sk)
		@@ -50,7 +50,7 @@ static inline __u8 ip_sock_rt_scope(const struct sock *sk)

		static inline __u8 ip_sock_rt_tos(const struct sock *sk)
		{
		return RT_TOS(inet_sk(sk)->tos);
		return RT_TOS(READ_ONCE(inet_sk(sk)->tos));
		}

		struct ip_tunnel_info;

net/dccp/ipv4.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -511,7 +511,7 @@ static int dccp_v4_send_response(const struct sock sk, struct request_sock req
		err = ip_build_and_send_pkt(skb, sk, ireq->ir_loc_addr,
		ireq->ir_rmt_addr,
		rcu_dereference(ireq->ireq_opt),
		inet_sk(sk)->tos);
		READ_ONCE(inet_sk(sk)->tos));
		rcu_read_unlock();
		err = net_xmit_eval(err);
		}

net/ipv4/inet_diag.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -134,7 +134,7 @@ int inet_diag_msg_attrs_fill(struct sock sk, struct sk_buff skb,
		* hence this needs to be included regardless of socket family.
		*/
		if (ext & (1 << (INET_DIAG_TOS - 1)))
		if (nla_put_u8(skb, INET_DIAG_TOS, inet->tos) < 0)
		if (nla_put_u8(skb, INET_DIAG_TOS, READ_ONCE(inet->tos)) < 0)
		goto errout;

		#if IS_ENABLED(CONFIG_IPV6)

net/ipv4/ip_output.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -546,7 +546,7 @@ EXPORT_SYMBOL(__ip_queue_xmit);

		int ip_queue_xmit(struct sock sk, struct sk_buff skb, struct flowi *fl)
		{
		return __ip_queue_xmit(sk, skb, fl, inet_sk(sk)->tos);
		return __ip_queue_xmit(sk, skb, fl, READ_ONCE(inet_sk(sk)->tos));
		}
		EXPORT_SYMBOL(ip_queue_xmit);

		@@ -1440,7 +1440,7 @@ struct sk_buff __ip_make_skb(struct sock sk,
		iph = ip_hdr(skb);
		iph->version = 4;
		iph->ihl = 5;
		iph->tos = (cork->tos != -1) ? cork->tos : inet->tos;
		iph->tos = (cork->tos != -1) ? cork->tos : READ_ONCE(inet->tos);
		iph->frag_off = df;
		iph->ttl = ttl;
		iph->protocol = sk->sk_protocol;