From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, syzbot <syzkaller@googlegroups.com>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 4.14 16/26] dccp: fix data-race around dp->dccps_mss_cache
Date: Sun, 13 Aug 2023 23:19:09 +0200 [thread overview]
Message-ID: <20230813211703.597664050@linuxfoundation.org> (raw)
In-Reply-To: <20230813211702.980427106@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
commit a47e598fbd8617967e49d85c49c22f9fc642704c upstream.
dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket.
Same thing in do_dccp_getsockopt().
Add READ_ONCE()/WRITE_ONCE() annotations,
and change dccp_sendmsg() to check again dccps_mss_cache
after socket is locked.
Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20230803163021.2958262-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dccp/output.c | 2 +-
net/dccp/proto.c | 10 ++++++++--
2 files changed, 9 insertions(+), 3 deletions(-)
--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -189,7 +189,7 @@ unsigned int dccp_sync_mss(struct sock *
/* And store cached results */
icsk->icsk_pmtu_cookie = pmtu;
- dp->dccps_mss_cache = cur_mps;
+ WRITE_ONCE(dp->dccps_mss_cache, cur_mps);
return cur_mps;
}
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -645,7 +645,7 @@ static int do_dccp_getsockopt(struct soc
return dccp_getsockopt_service(sk, len,
(__be32 __user *)optval, optlen);
case DCCP_SOCKOPT_GET_CUR_MPS:
- val = dp->dccps_mss_cache;
+ val = READ_ONCE(dp->dccps_mss_cache);
break;
case DCCP_SOCKOPT_AVAILABLE_CCIDS:
return ccid_getsockopt_builtin_ccids(sk, len, optval, optlen);
@@ -765,7 +765,7 @@ int dccp_sendmsg(struct sock *sk, struct
int rc, size;
long timeo;
- if (len > dp->dccps_mss_cache)
+ if (len > READ_ONCE(dp->dccps_mss_cache))
return -EMSGSIZE;
lock_sock(sk);
@@ -798,6 +798,12 @@ int dccp_sendmsg(struct sock *sk, struct
goto out_discard;
}
+ /* We need to check dccps_mss_cache after socket is locked. */
+ if (len > dp->dccps_mss_cache) {
+ rc = -EMSGSIZE;
+ goto out_discard;
+ }
+
skb_reserve(skb, sk->sk_prot->max_header);
rc = memcpy_from_msg(skb_put(skb, len), msg, len);
if (rc != 0)
next prev parent reply other threads:[~2023-08-13 21:21 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-13 21:18 [PATCH 4.14 00/26] 4.14.323-rc1 review Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 4.14 01/26] sparc: fix up arch_cpu_finalize_init() build breakage Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 4.14 02/26] mmc: moxart: read scr register without changing byte order Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 4.14 03/26] ipv6: adjust ndisc_is_useropt() to also return true for PIO Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 4.14 04/26] dmaengine: pl330: Return DMA_PAUSED when transaction is paused Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 4.14 05/26] radix tree test suite: fix incorrect allocation size for pthreads Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 4.14 06/26] nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 07/26] test_firmware: return ENOMEM instead of ENOSPC on failed memory allocation Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 08/26] iio: cros_ec: Fix the allocation size for cros_ec_command Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 09/26] usb-storage: alauda: Fix uninit-value in alauda_check_media() Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 10/26] usb: dwc3: Properly handle processing of pending events Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 11/26] x86/mm: Fix VDSO and VVAR placement on 5-level paging machines Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 12/26] x86: Move gds_ucode_mitigated() declaration to header Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 13/26] drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 14/26] net/packet: annotate data-races around tp->status Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 15/26] bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves Greg Kroah-Hartman
2023-08-13 21:19 ` Greg Kroah-Hartman [this message]
2023-08-13 21:19 ` [PATCH 4.14 17/26] drivers: net: prevent tun_build_skb() to exceed the packet size limit Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 18/26] IB/hfi1: Fix possible panic during hotplug remove Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 19/26] btrfs: dont stop integrity writeback too early Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 20/26] netfilter: nf_tables: report use refcount overflow Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 21/26] scsi: core: Fix legacy /proc parsing buffer overflow Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 22/26] scsi: storvsc: Fix handling of virtual Fibre Channel timeouts Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 23/26] scsi: 53c700: Check that command slot is not NULL Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 24/26] scsi: snic: Fix possible memory leak if device_add() fails Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 25/26] scsi: core: " Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 4.14 26/26] alpha: remove __init annotation from exported page_is_ram() Greg Kroah-Hartman
2023-08-14 14:54 ` [PATCH 4.14 00/26] 4.14.323-rc1 review Thierry Reding
2023-08-14 18:22 ` Guenter Roeck
2023-08-15 1:49 ` Harshit Mogalapalli
2023-08-15 6:05 ` Daniel Díaz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230813211703.597664050@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.