From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Michal Kubecek <mkubecek@suse.cz>,
	Eric Dumazet <edumazet@google.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.14 01/42] tcp: prevent fetching dst twice in early demux code
Date: Sun, 26 Apr 2015 16:01:20 +0200
Message-ID: <20150426134248.217042797@linuxfoundation.org>
In-Reply-To: <20150426134248.160161895@linuxfoundation.org>

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Kubeček <mkubecek@suse.cz>

[ Upstream commit d0c294c53a771ae7e84506dfbd8c18c30f078735 ]

On s390x, gcc 4.8 compiles this part of tcp_v6_early_demux()

        struct dst_entry *dst = sk->sk_rx_dst;

        if (dst)
                dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie);

to code reading sk->sk_rx_dst twice, once for the test and once for
the argument of ip6_dst_check() (dst_check() is inline). This allows
ip6_dst_check() to be called with null first argument, causing a crash.

Protect sk->sk_rx_dst access by ACCESS_ONCE() both in IPv4 and IPv6
TCP early demux code.

Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
Fixes: c7109986db3c ("ipv6: Early TCP socket demux")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_ipv4.c |    2 +-
 net/ipv6/tcp_ipv6.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1875,7 +1875,7 @@ void tcp_v4_early_demux(struct sk_buff *
 		skb->sk = sk;
 		skb->destructor = sock_edemux;
 		if (sk->sk_state != TCP_TIME_WAIT) {
-			struct dst_entry *dst = sk->sk_rx_dst;
+			struct dst_entry *dst = ACCESS_ONCE(sk->sk_rx_dst);
 
 			if (dst)
 				dst = dst_check(dst, 0);
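Review bot: the ACCESS_ONCE() on the reader side is the right minimal fix, but the commit message only shows the IPv6 reproduction; the description should state explicitly that tcp_v4_early_demux() carries the identical pattern (a plain load of sk->sk_rx_dst feeding the inline dst_check()), so a backporter knows this hunk is the same fix rather than an unrelated change. It is also worth saying that the writer which sets sk->sk_rx_dst to NULL is untouched here: ACCESS_ONCE() only guarantees a single load of the field, it does not order this read against that store.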
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1633,7 +1633,7 @@ static void tcp_v6_early_demux(struct sk
 		skb->sk = sk;
 		skb->destructor = sock_edemux;
 		if (sk->sk_state != TCP_TIME_WAIT) {
-			struct dst_entry *dst = sk->sk_rx_dst;
+			struct dst_entry *dst = ACCESS_ONCE(sk->sk_rx_dst);
 
 			if (dst)
 				dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie);
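Review bot: `dst` is now a single snapshot, but the cookie argument `inet6_sk(sk)->rx_dst_cookie` is still a separate load, so a concurrent update can pair the snapshotted dst with a newer cookie (or the other way round). The description should confirm that such a mismatched pair is only ever treated as a stale route by dst_check() and never as a valid one, and a one-line comment above the ACCESS_ONCE() saying the two loads are intentionally unordered would save the next reader from re-deriving that.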


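As an added illustration (not part of the patch or of the kernel's own code), this C model spells out the double load of sk->sk_rx_dst that the commit message describes and lets a hypothetical writer clear the field in the window between the test and the use; the struct layouts, the dst_check() stand-in and racing_writer() are assumptions, while ACCESS_ONCE() is the 3.14-era kernel definition with __typeof__ in place of typeof.

```c
#include <stddef.h>
/* ACCESS_ONCE() as the 3.14-era kernel spells it: one volatile load. */
#define ACCESS_ONCE(x) (*(volatile __typeof__(x) *)&(x))

struct dst_entry { unsigned int cookie; };
struct sock { struct dst_entry *sk_rx_dst; unsigned int rx_dst_cookie; };

/* Hypothetical stand-in for a concurrent writer that clears sk->sk_rx_dst
 * in the window between the NULL test and the use of the pointer. */
static void racing_writer(struct sock *sk) { sk->sk_rx_dst = NULL; }

/* Stand-in for the inline dst_check() -> ip6_dst_check(): NULL is the crash
 * the commit describes; returns -1 instead of faulting, 1 if the cookie
 * matches, 0 if the cached route is stale. */
static int dst_check(struct dst_entry *dst, unsigned int cookie)
{
	if (dst == NULL)
		return -1;
	return dst->cookie == cookie ? 1 : 0;
}

/* What gcc emitted from the unpatched source, written out explicitly:
 * the field is loaded for the test and loaded again for the argument. */
static int early_demux_double_load(struct sock *sk)
{
	if (sk->sk_rx_dst) {
		racing_writer(sk);
		return dst_check(sk->sk_rx_dst, sk->rx_dst_cookie);
	}
	return 0;
}

/* The patched pattern: one load into a local, test and use that snapshot. */
static int early_demux_access_once(struct sock *sk)
{
	struct dst_entry *dst = ACCESS_ONCE(sk->sk_rx_dst);
	if (dst) {
		racing_writer(sk);
		return dst_check(dst, sk->rx_dst_cookie);
	}
	return 0;
}

/* Run one variant against a fresh socket whose cached route is valid:
 * double-load hands NULL to dst_check() (-1); ACCESS_ONCE keeps it (1). */
static int run_race(int use_access_once)
{
	struct dst_entry route = { .cookie = 42 };
	struct sock sk = { .sk_rx_dst = &route, .rx_dst_cookie = 42 };
	return use_access_once ? early_demux_access_once(&sk) : early_demux_double_load(&sk);
}
```

The writer here is invoked synchronously so the result is deterministic; in the real kernel the window is hit only under a concurrent route change, which is why the crash was rare and compiler-dependent.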
