From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:36382 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753808AbbIZSmh (ORCPT ); Sat, 26 Sep 2015 14:42:37 -0400
Subject: Patch "udp: fix dst races with multicast early demux" has been added to the 4.1-stable tree
To: edumazet@google.com, Gregory.Hoggarth@alliedtelesis.co.nz, agartrell@fb.com, davem@davemloft.net, gregkh@linuxfoundation.org, mkubecek@suse.cz
Cc: ,
From:
Date: Sat, 26 Sep 2015 11:42:36 -0700
Message-ID: <14432929561720@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

This is a note to let you know that I've just added the patch titled

    udp: fix dst races with multicast early demux

to the 4.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    udp-fix-dst-races-with-multicast-early-demux.patch
and it can be found in the queue-4.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.

>>From foo@baz Sat Sep 26 11:13:07 PDT 2015
From: Eric Dumazet
Date: Sat, 1 Aug 2015 12:14:33 +0200
Subject: udp: fix dst races with multicast early demux
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Eric Dumazet

[ Upstream commit 10e2eb878f3ca07ac2f05fa5ca5e6c4c9174a27a ]

Multicast dst are not cached. They carry DST_NOCACHE.

As mentioned in commit f8864972126899 ("ipv4: fix dst race in
sk_dst_get()"), these dst need special care before caching them
into a socket.

Caching them is allowed only if their refcnt was not 0, ie we
must use atomic_inc_not_zero()

Also, we must use READ_ONCE() to fetch sk->sk_rx_dst, as mentioned
in commit d0c294c53a771 ("tcp: prevent fetching dst twice in early demux
code")

Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux")
Tested-by: Gregory Hoggarth
Signed-off-by: Eric Dumazet
Reported-by: Gregory Hoggarth
Reported-by: Alex Gartrell
Cc: Michal Kubeček
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
--- net/ipv4/udp.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c 
@@ -1995,12 +1995,19 @@ void udp_v4_early_demux(struct sk_buff * skb->sk = sk; skb->destructor = sock_efree; - dst = sk->sk_rx_dst; + dst = READ_ONCE(sk->sk_rx_dst); if (dst) dst = dst_check(dst, 0); - if (dst) - skb_dst_set_noref(skb, dst); + if (dst) { + /* DST_NOCACHE can not be used without taking a reference */ + if (dst->flags & DST_NOCACHE) { + if (likely(atomic_inc_not_zero(&dst->__refcnt))) + skb_dst_set(skb, dst); + } else { + skb_dst_set_noref(skb, dst); + } + } } int udp_rcv(struct sk_buff *skb) Patches currently in stable-queue which might be from edumazet@google.com are queue-4.1/udp-fix-dst-races-with-multicast-early-demux.patch queue-4.1/fq_codel-fix-a-use-after-free.patch queue-4.1/inet-fix-possible-request-socket-leak.patch queue-4.1/ipv6-lock-socket-in-ip6_datagram_connect.patch queue-4.1/net-fix-skb-csum-races-when-peeking.patch queue-4.1/inet-fix-races-with-reqsk-timers.patch queue-4.1/net-graceful-exit-from-netif_alloc_netdev_queues.patch queue-4.1/bridge-fix-potential-crash-in-__netdev_pick_tx.patch queue-4.1/inet-frags-fix-defragmented-packet-s-ip-header-for-af_packet.patch
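
Review bot: in the DST_NOCACHE branch of udp_v4_early_demux(), a failed atomic_inc_not_zero() leaves the skb with no dst at all, and nothing in the code says that this is the intended outcome. The new comment only covers why a reference is needed; please extend it to state that on failure the skb is deliberately left without a dst so that the packet is handled as if early demux had found no cached route. Related point on the same branch: sk->sk_rx_dst is not touched here, so when the refcount has already reached 0 the socket keeps pointing at that entry and each later packet repeats the failed increment until something else replaces the cached dst. It would help to say in the comment (or the changelog) which path is expected to replace it. Finally, dst_check(dst, 0) in the unchanged context still runs on the pointer before any reference is taken, so a short note on what keeps dst valid across that call would make the locking assumptions reviewable from this function alone.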