diff options
| author | Eric Dumazet <edumazet@google.com> | 2019-10-10 23:17:38 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-10-13 13:13:08 -0400 |
| commit | d983ea6f16b835dcde2ee9a58a1e764ce68bfccc (patch) | |
| tree | 2bc283f36a6769e0247c49420f0c2149f147f08c /net/ipv4/tcp.c | |
| parent | 8caf8a91f34d55e8e3b1355ee8d658cb472146e2 (diff) | |
tcp: add rcu protection around tp->fastopen_rsk
Both tcp_v4_err() and tcp_v6_err() do the following operations
while they do not own the socket lock :
fastopen = tp->fastopen_rsk;
snd_una = fastopen ? tcp_rsk(fastopen)->snt_isn : tp->snd_una;
The problem is that without appropriate barrier, the compiler
might reload tp->fastopen_rsk and trigger a NULL deref.
request sockets are protected by RCU, we can simply add
the missing annotations and barriers to solve the issue.
Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/tcp.c')
| -rw-r--r-- | net/ipv4/tcp.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 8781a92ea4b6..c59d0bd29c5c 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c | |||
| @@ -543,7 +543,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait) | |||
| 543 | 543 | ||
| 544 | /* Connected or passive Fast Open socket? */ | 544 | /* Connected or passive Fast Open socket? */ |
| 545 | if (state != TCP_SYN_SENT && | 545 | if (state != TCP_SYN_SENT && |
| 546 | (state != TCP_SYN_RECV || tp->fastopen_rsk)) { | 546 | (state != TCP_SYN_RECV || rcu_access_pointer(tp->fastopen_rsk))) { |
| 547 | int target = sock_rcvlowat(sk, 0, INT_MAX); | 547 | int target = sock_rcvlowat(sk, 0, INT_MAX); |
| 548 | 548 | ||
| 549 | if (tp->urg_seq == tp->copied_seq && | 549 | if (tp->urg_seq == tp->copied_seq && |
| @@ -2487,7 +2487,10 @@ adjudge_to_death: | |||
| 2487 | } | 2487 | } |
| 2488 | 2488 | ||
| 2489 | if (sk->sk_state == TCP_CLOSE) { | 2489 | if (sk->sk_state == TCP_CLOSE) { |
| 2490 | struct request_sock *req = tcp_sk(sk)->fastopen_rsk; | 2490 | struct request_sock *req; |
| 2491 | |||
| 2492 | req = rcu_dereference_protected(tcp_sk(sk)->fastopen_rsk, | ||
| 2493 | lockdep_sock_is_held(sk)); | ||
| 2491 | /* We could get here with a non-NULL req if the socket is | 2494 | /* We could get here with a non-NULL req if the socket is |
| 2492 | * aborted (e.g., closed with unread data) before 3WHS | 2495 | * aborted (e.g., closed with unread data) before 3WHS |
| 2493 | * finishes. | 2496 | * finishes. |
| @@ -3831,8 +3834,10 @@ EXPORT_SYMBOL(tcp_md5_hash_key); | |||
| 3831 | 3834 | ||
| 3832 | void tcp_done(struct sock *sk) | 3835 | void tcp_done(struct sock *sk) |
| 3833 | { | 3836 | { |
| 3834 | struct request_sock *req = tcp_sk(sk)->fastopen_rsk; | 3837 | struct request_sock *req; |
| 3835 | 3838 | ||
| 3839 | req = rcu_dereference_protected(tcp_sk(sk)->fastopen_rsk, | ||
| 3840 | lockdep_sock_is_held(sk)); | ||
| 3836 | if (sk->sk_state == TCP_SYN_SENT || sk->sk_state == TCP_SYN_RECV) | 3841 | if (sk->sk_state == TCP_SYN_SENT || sk->sk_state == TCP_SYN_RECV) |
| 3837 | TCP_INC_STATS(sock_net(sk), TCP_MIB_ATTEMPTFAILS); | 3842 | TCP_INC_STATS(sock_net(sk), TCP_MIB_ATTEMPTFAILS); |
| 3838 | 3843 | ||