tcp: add rcu protection around tp->fastopen_rsk

Both tcp_v4_err() and tcp_v6_err() do the following operations while they do not own the socket lock : fastopen = tp->fastopen_rsk; snd_una = fastopen ? tcp_rsk(fastopen)->snt_isn : tp->snd_una; The problem is that without appropriate barrier, the compiler might reload tp->fastopen_rsk and trigger a NULL deref. request sockets are protected by RCU, we can simply add the missing annotations and barriers to solve the issue. Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Dumazet <edumazet@google.com> 2019-10-10 23:17:38 -0400
committer: David S. Miller <davem@davemloft.net> 2019-10-13 13:13:08 -0400
commit: d983ea6f16b835dcde2ee9a58a1e764ce68bfccc (patch)
tree: 2bc283f36a6769e0247c49420f0c2149f147f08c /net/ipv4/tcp_ipv4.c
parent: 8caf8a91f34d55e8e3b1355ee8d658cb472146e2 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 492bf6a6b023..ffa366099eb2 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -478,7 +478,7 @@ int tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
        icsk = inet_csk(sk);
        tp = tcp_sk(sk);
        /* XXX (TFO) - tp->snd_una should be ISN (tcp_create_openreq_child() */
-        fastopen = tp->fastopen_rsk;
+        fastopen = rcu_dereference(tp->fastopen_rsk);
        snd_una = fastopen ? tcp_rsk(fastopen)->snt_isn : tp->snd_una;
        if (sk->sk_state != TCP_LISTEN &&
            !between(seq, snd_una, tp->snd_nxt)) {
@@ -2121,7 +2121,7 @@ void tcp_v4_destroy_sock(struct sock *sk)
        if (inet_csk(sk)->icsk_bind_hash)
                inet_put_port(sk);
-        BUG_ON(tp->fastopen_rsk);
+        BUG_ON(rcu_access_pointer(tp->fastopen_rsk));
        /* If socket is aborted during connect operation */
        tcp_free_fastopen_req(tp);
author	Eric Dumazet <edumazet@google.com>	2019-10-10 23:17:38 -0400
committer	David S. Miller <davem@davemloft.net>	2019-10-13 13:13:08 -0400
commit	d983ea6f16b835dcde2ee9a58a1e764ce68bfccc (patch)
tree	2bc283f36a6769e0247c49420f0c2149f147f08c /net/ipv4/tcp_ipv4.c
parent	8caf8a91f34d55e8e3b1355ee8d658cb472146e2 (diff)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 492bf6a6b023..ffa366099eb2 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c
@@ -478,7 +478,7 @@ int tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
478	icsk = inet_csk(sk);	478	icsk = inet_csk(sk);
479	tp = tcp_sk(sk);	479	tp = tcp_sk(sk);
480	/* XXX (TFO) - tp->snd_una should be ISN (tcp_create_openreq_child() */	480	/* XXX (TFO) - tp->snd_una should be ISN (tcp_create_openreq_child() */
481	fastopen = tp->fastopen_rsk;	481	fastopen = rcu_dereference(tp->fastopen_rsk);
482	snd_una = fastopen ? tcp_rsk(fastopen)->snt_isn : tp->snd_una;	482	snd_una = fastopen ? tcp_rsk(fastopen)->snt_isn : tp->snd_una;
483	if (sk->sk_state != TCP_LISTEN &&	483	if (sk->sk_state != TCP_LISTEN &&
484	!between(seq, snd_una, tp->snd_nxt)) {	484	!between(seq, snd_una, tp->snd_nxt)) {
@@ -2121,7 +2121,7 @@ void tcp_v4_destroy_sock(struct sock *sk)
2121	if (inet_csk(sk)->icsk_bind_hash)	2121	if (inet_csk(sk)->icsk_bind_hash)
2122	inet_put_port(sk);	2122	inet_put_port(sk);
2123		2123
2124	BUG_ON(tp->fastopen_rsk);	2124	BUG_ON(rcu_access_pointer(tp->fastopen_rsk));
2125		2125
2126	/* If socket is aborted during connect operation */	2126	/* If socket is aborted during connect operation */
2127	tcp_free_fastopen_req(tp);	2127	tcp_free_fastopen_req(tp);