diff options
| author | Eric Dumazet <edumazet@google.com> | 2015-04-16 21:10:35 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-04-17 13:28:31 -0400 |
| commit | 521f1cf1dbb9d5ad858dca5dc75d1b45f64b6589 (patch) | |
| tree | 2c6276958f5d7348616d887f4a64f5b78ec6b9ef /net | |
| parent | fad9dfefea6405039491e7e4fc21fb6e59e7d26c (diff) | |
inet_diag: fix access to tcp cc information
Two different problems are fixed here :
1) inet_sk_diag_fill() might be called without socket lock held.
icsk->icsk_ca_ops can change under us and module be unloaded.
-> Access to freed memory.
Fix this using rcu_read_lock() to prevent module unload.
2) Some TCP Congestion Control modules provide information
but again this is not safe against icsk->icsk_ca_ops
change and nla_put() errors were ignored. Some sockets
could not get the additional info if skb was almost full.
Fix this by returning a status from get_info() handlers and
using rcu protection as well.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/inet_diag.c | 28 | ||||
| -rw-r--r-- | net/ipv4/tcp_dctcp.c | 5 | ||||
| -rw-r--r-- | net/ipv4/tcp_illinois.c | 6 | ||||
| -rw-r--r-- | net/ipv4/tcp_vegas.c | 5 | ||||
| -rw-r--r-- | net/ipv4/tcp_vegas.h | 2 | ||||
| -rw-r--r-- | net/ipv4/tcp_westwood.c | 6 |
6 files changed, 35 insertions, 17 deletions
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c index 70e8b3c308ec..bb77ebdae3b3 100644 --- a/net/ipv4/inet_diag.c +++ b/net/ipv4/inet_diag.c | |||
| @@ -111,6 +111,7 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, | |||
| 111 | const struct nlmsghdr *unlh) | 111 | const struct nlmsghdr *unlh) |
| 112 | { | 112 | { |
| 113 | const struct inet_sock *inet = inet_sk(sk); | 113 | const struct inet_sock *inet = inet_sk(sk); |
| 114 | const struct tcp_congestion_ops *ca_ops; | ||
| 114 | const struct inet_diag_handler *handler; | 115 | const struct inet_diag_handler *handler; |
| 115 | int ext = req->idiag_ext; | 116 | int ext = req->idiag_ext; |
| 116 | struct inet_diag_msg *r; | 117 | struct inet_diag_msg *r; |
| @@ -208,16 +209,31 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, | |||
| 208 | info = nla_data(attr); | 209 | info = nla_data(attr); |
| 209 | } | 210 | } |
| 210 | 211 | ||
| 211 | if ((ext & (1 << (INET_DIAG_CONG - 1))) && icsk->icsk_ca_ops) | 212 | if (ext & (1 << (INET_DIAG_CONG - 1))) { |
| 212 | if (nla_put_string(skb, INET_DIAG_CONG, | 213 | int err = 0; |
| 213 | icsk->icsk_ca_ops->name) < 0) | 214 | |
| 215 | rcu_read_lock(); | ||
| 216 | ca_ops = READ_ONCE(icsk->icsk_ca_ops); | ||
| 217 | if (ca_ops) | ||
| 218 | err = nla_put_string(skb, INET_DIAG_CONG, ca_ops->name); | ||
| 219 | rcu_read_unlock(); | ||
| 220 | if (err < 0) | ||
| 214 | goto errout; | 221 | goto errout; |
| 222 | } | ||
| 215 | 223 | ||
| 216 | handler->idiag_get_info(sk, r, info); | 224 | handler->idiag_get_info(sk, r, info); |
| 217 | 225 | ||
| 218 | if (sk->sk_state < TCP_TIME_WAIT && | 226 | if (sk->sk_state < TCP_TIME_WAIT) { |
| 219 | icsk->icsk_ca_ops && icsk->icsk_ca_ops->get_info) | 227 | int err = 0; |
| 220 | icsk->icsk_ca_ops->get_info(sk, ext, skb); | 228 | |
| 229 | rcu_read_lock(); | ||
| 230 | ca_ops = READ_ONCE(icsk->icsk_ca_ops); | ||
| 231 | if (ca_ops && ca_ops->get_info) | ||
| 232 | err = ca_ops->get_info(sk, ext, skb); | ||
| 233 | rcu_read_unlock(); | ||
| 234 | if (err < 0) | ||
| 235 | goto errout; | ||
| 236 | } | ||
| 221 | 237 | ||
| 222 | out: | 238 | out: |
| 223 | nlmsg_end(skb, nlh); | 239 | nlmsg_end(skb, nlh); |
diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c index b504371af742..4376016f7fa5 100644 --- a/net/ipv4/tcp_dctcp.c +++ b/net/ipv4/tcp_dctcp.c | |||
| @@ -277,7 +277,7 @@ static void dctcp_cwnd_event(struct sock *sk, enum tcp_ca_event ev) | |||
| 277 | } | 277 | } |
| 278 | } | 278 | } |
| 279 | 279 | ||
| 280 | static void dctcp_get_info(struct sock *sk, u32 ext, struct sk_buff *skb) | 280 | static int dctcp_get_info(struct sock *sk, u32 ext, struct sk_buff *skb) |
| 281 | { | 281 | { |
| 282 | const struct dctcp *ca = inet_csk_ca(sk); | 282 | const struct dctcp *ca = inet_csk_ca(sk); |
| 283 | 283 | ||
| @@ -297,8 +297,9 @@ static void dctcp_get_info(struct sock *sk, u32 ext, struct sk_buff *skb) | |||
| 297 | info.dctcp_ab_tot = ca->acked_bytes_total; | 297 | info.dctcp_ab_tot = ca->acked_bytes_total; |
| 298 | } | 298 | } |
| 299 | 299 | ||
| 300 | nla_put(skb, INET_DIAG_DCTCPINFO, sizeof(info), &info); | 300 | return nla_put(skb, INET_DIAG_DCTCPINFO, sizeof(info), &info); |
| 301 | } | 301 | } |
| 302 | return 0; | ||
| 302 | } | 303 | } |
| 303 | 304 | ||
| 304 | static struct tcp_congestion_ops dctcp __read_mostly = { | 305 | static struct tcp_congestion_ops dctcp __read_mostly = { |
diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c index 1d5a30a90adf..67476f085e48 100644 --- a/net/ipv4/tcp_illinois.c +++ b/net/ipv4/tcp_illinois.c | |||
| @@ -300,8 +300,7 @@ static u32 tcp_illinois_ssthresh(struct sock *sk) | |||
| 300 | } | 300 | } |
| 301 | 301 | ||
| 302 | /* Extract info for Tcp socket info provided via netlink. */ | 302 | /* Extract info for Tcp socket info provided via netlink. */ |
| 303 | static void tcp_illinois_info(struct sock *sk, u32 ext, | 303 | static int tcp_illinois_info(struct sock *sk, u32 ext, struct sk_buff *skb) |
| 304 | struct sk_buff *skb) | ||
| 305 | { | 304 | { |
| 306 | const struct illinois *ca = inet_csk_ca(sk); | 305 | const struct illinois *ca = inet_csk_ca(sk); |
| 307 | 306 | ||
| @@ -318,8 +317,9 @@ static void tcp_illinois_info(struct sock *sk, u32 ext, | |||
| 318 | do_div(t, info.tcpv_rttcnt); | 317 | do_div(t, info.tcpv_rttcnt); |
| 319 | info.tcpv_rtt = t; | 318 | info.tcpv_rtt = t; |
| 320 | } | 319 | } |
| 321 | nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); | 320 | return nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); |
| 322 | } | 321 | } |
| 322 | return 0; | ||
| 323 | } | 323 | } |
| 324 | 324 | ||
| 325 | static struct tcp_congestion_ops tcp_illinois __read_mostly = { | 325 | static struct tcp_congestion_ops tcp_illinois __read_mostly = { |
diff --git a/net/ipv4/tcp_vegas.c b/net/ipv4/tcp_vegas.c index a6afde666ab1..c71a1b8f7bde 100644 --- a/net/ipv4/tcp_vegas.c +++ b/net/ipv4/tcp_vegas.c | |||
| @@ -286,7 +286,7 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked) | |||
| 286 | } | 286 | } |
| 287 | 287 | ||
| 288 | /* Extract info for Tcp socket info provided via netlink. */ | 288 | /* Extract info for Tcp socket info provided via netlink. */ |
| 289 | void tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb) | 289 | int tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb) |
| 290 | { | 290 | { |
| 291 | const struct vegas *ca = inet_csk_ca(sk); | 291 | const struct vegas *ca = inet_csk_ca(sk); |
| 292 | if (ext & (1 << (INET_DIAG_VEGASINFO - 1))) { | 292 | if (ext & (1 << (INET_DIAG_VEGASINFO - 1))) { |
| @@ -297,8 +297,9 @@ void tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb) | |||
| 297 | .tcpv_minrtt = ca->minRTT, | 297 | .tcpv_minrtt = ca->minRTT, |
| 298 | }; | 298 | }; |
| 299 | 299 | ||
| 300 | nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); | 300 | return nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); |
| 301 | } | 301 | } |
| 302 | return 0; | ||
| 302 | } | 303 | } |
| 303 | EXPORT_SYMBOL_GPL(tcp_vegas_get_info); | 304 | EXPORT_SYMBOL_GPL(tcp_vegas_get_info); |
| 304 | 305 | ||
diff --git a/net/ipv4/tcp_vegas.h b/net/ipv4/tcp_vegas.h index 0531b99d8637..e8a6b33cc61d 100644 --- a/net/ipv4/tcp_vegas.h +++ b/net/ipv4/tcp_vegas.h | |||
| @@ -19,6 +19,6 @@ void tcp_vegas_init(struct sock *sk); | |||
| 19 | void tcp_vegas_state(struct sock *sk, u8 ca_state); | 19 | void tcp_vegas_state(struct sock *sk, u8 ca_state); |
| 20 | void tcp_vegas_pkts_acked(struct sock *sk, u32 cnt, s32 rtt_us); | 20 | void tcp_vegas_pkts_acked(struct sock *sk, u32 cnt, s32 rtt_us); |
| 21 | void tcp_vegas_cwnd_event(struct sock *sk, enum tcp_ca_event event); | 21 | void tcp_vegas_cwnd_event(struct sock *sk, enum tcp_ca_event event); |
| 22 | void tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb); | 22 | int tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb); |
| 23 | 23 | ||
| 24 | #endif /* __TCP_VEGAS_H */ | 24 | #endif /* __TCP_VEGAS_H */ |
diff --git a/net/ipv4/tcp_westwood.c b/net/ipv4/tcp_westwood.c index bb63fba47d47..b3c57cceb990 100644 --- a/net/ipv4/tcp_westwood.c +++ b/net/ipv4/tcp_westwood.c | |||
| @@ -256,8 +256,7 @@ static void tcp_westwood_event(struct sock *sk, enum tcp_ca_event event) | |||
| 256 | } | 256 | } |
| 257 | 257 | ||
| 258 | /* Extract info for Tcp socket info provided via netlink. */ | 258 | /* Extract info for Tcp socket info provided via netlink. */ |
| 259 | static void tcp_westwood_info(struct sock *sk, u32 ext, | 259 | static int tcp_westwood_info(struct sock *sk, u32 ext, struct sk_buff *skb) |
| 260 | struct sk_buff *skb) | ||
| 261 | { | 260 | { |
| 262 | const struct westwood *ca = inet_csk_ca(sk); | 261 | const struct westwood *ca = inet_csk_ca(sk); |
| 263 | 262 | ||
| @@ -268,8 +267,9 @@ static void tcp_westwood_info(struct sock *sk, u32 ext, | |||
| 268 | .tcpv_minrtt = jiffies_to_usecs(ca->rtt_min), | 267 | .tcpv_minrtt = jiffies_to_usecs(ca->rtt_min), |
| 269 | }; | 268 | }; |
| 270 | 269 | ||
| 271 | nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); | 270 | return nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); |
| 272 | } | 271 | } |
| 272 | return 0; | ||
| 273 | } | 273 | } |
| 274 | 274 | ||
| 275 | static struct tcp_congestion_ops tcp_westwood __read_mostly = { | 275 | static struct tcp_congestion_ops tcp_westwood __read_mostly = { |