tcp: add rcu protection around tp->fastopen_rsk

Both tcp_v4_err() and tcp_v6_err() do the following operations while they do not own the socket lock : fastopen = tp->fastopen_rsk; snd_una = fastopen ? tcp_rsk(fastopen)->snt_isn : tp->snd_una; The problem is that without appropriate barrier, the compiler might reload tp->fastopen_rsk and trigger a NULL deref. request sockets are protected by RCU, we can simply add the missing annotations and barriers to solve the issue. Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Dumazet <edumazet@google.com> 2019-10-10 23:17:38 -0400
committer: David S. Miller <davem@davemloft.net> 2019-10-13 13:13:08 -0400
commit: d983ea6f16b835dcde2ee9a58a1e764ce68bfccc (patch)
tree: 2bc283f36a6769e0247c49420f0c2149f147f08c /include/linux/tcp.h
parent: 8caf8a91f34d55e8e3b1355ee8d658cb472146e2 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/include/linux/tcp.h b/include/linux/tcp.h
index 99617e528ea2..668e25a76d69 100644
--- a/include/linux/tcp.h
+++ b/include/linux/tcp.h
@@ -393,7 +393,7 @@ struct tcp_sock {
        /* fastopen_rsk points to request_sock that resulted in this big
         * socket. Used to retransmit SYNACKs etc.
         */
-        struct request_sock *fastopen_rsk;
+        struct request_sock __rcu *fastopen_rsk;
        u32     *saved_syn;
 };
@@ -447,8 +447,8 @@ static inline struct tcp_timewait_sock *tcp_twsk(const struct sock *sk)
 static inline bool tcp_passive_fastopen(const struct sock *sk)
 {
-        return (sk->sk_state == TCP_SYN_RECV &&
+        return sk->sk_state == TCP_SYN_RECV &&
-                tcp_sk(sk)->fastopen_rsk != NULL);
+               rcu_access_pointer(tcp_sk(sk)->fastopen_rsk) != NULL;
 }
 static inline void fastopen_queue_tune(struct sock *sk, int backlog)
author	Eric Dumazet <edumazet@google.com>	2019-10-10 23:17:38 -0400
committer	David S. Miller <davem@davemloft.net>	2019-10-13 13:13:08 -0400
commit	d983ea6f16b835dcde2ee9a58a1e764ce68bfccc (patch)
tree	2bc283f36a6769e0247c49420f0c2149f147f08c /include/linux/tcp.h
parent	8caf8a91f34d55e8e3b1355ee8d658cb472146e2 (diff)

diff --git a/include/linux/tcp.h b/include/linux/tcp.h index 99617e528ea2..668e25a76d69 100644 --- a/include/linux/tcp.h +++ b/include/linux/tcp.h
@@ -393,7 +393,7 @@ struct tcp_sock {
393	/* fastopen_rsk points to request_sock that resulted in this big	393	/* fastopen_rsk points to request_sock that resulted in this big
394	* socket. Used to retransmit SYNACKs etc.	394	* socket. Used to retransmit SYNACKs etc.
395	*/	395	*/
396	struct request_sock *fastopen_rsk;	396	struct request_sock __rcu *fastopen_rsk;
397	u32 *saved_syn;	397	u32 *saved_syn;
398	};	398	};
399		399
@@ -447,8 +447,8 @@ static inline struct tcp_timewait_sock tcp_twsk(const struct sock sk)
447		447
448	static inline bool tcp_passive_fastopen(const struct sock *sk)	448	static inline bool tcp_passive_fastopen(const struct sock *sk)
449	{	449	{
450	return (sk->sk_state == TCP_SYN_RECV &&	450	return sk->sk_state == TCP_SYN_RECV &&
451	tcp_sk(sk)->fastopen_rsk != NULL);	451	rcu_access_pointer(tcp_sk(sk)->fastopen_rsk) != NULL;
452	}	452	}
453		453
454	static inline void fastopen_queue_tune(struct sock *sk, int backlog)	454	static inline void fastopen_queue_tune(struct sock *sk, int backlog)