Commit 882af43a authored by Eric Dumazet's avatar Eric Dumazet Committed by Paolo Abeni
Browse files

udplite: fix various data-races 



udp->pcflag, udp->pcslen and udp->pcrlen reads/writes are racy.

Move udp->pcflag to udp->udp_flags for atomicity,
and add READ_ONCE()/WRITE_ONCE() annotations for pcslen and pcrlen.

Fixes: ba4e58ec ("[NET]: Supporting UDP-Lite (RFC 3828) in Linux")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parent 729549aa

include/linux/udp.h

+2 −4
Original line number Diff line number Diff line
@@ -40,6 +40,8 @@ enum { 
	UDP_FLAGS_ACCEPT_FRAGLIST,

	UDP_FLAGS_ACCEPT_L4,

	UDP_FLAGS_ENCAP_ENABLED, /* This socket enabled encap */

	UDP_FLAGS_UDPLITE_SEND_CC, /* set via udplite setsockopt */

	UDP_FLAGS_UDPLITE_RECV_CC, /* set via udplite setsockopt */

};



struct udp_sock {
@@ -54,10 +56,6 @@ struct udp_sock { 
	int		 pending;	/* Any pending frames ? */

	__u8		 encap_type;	/* Is this an Encapsulation socket? */



/* indicator bits used by pcflag: */

#define UDPLITE_SEND_CC  0x1  		/* set via udplite setsockopt         */

#define UDPLITE_RECV_CC  0x2		/* set via udplite setsocktopt        */

	__u8		 pcflag;        /* marks socket as UDP-Lite if > 0    */

	/*

	 * Following member retains the information to create a UDP header

	 * when the socket is uncorked.

include/net/udplite.h

+9 −5
Original line number Diff line number Diff line
@@ -66,14 +66,18 @@ static inline int udplite_checksum_init(struct sk_buff *skb, struct udphdr *uh) 
/* Fast-path computation of checksum. Socket may not be locked. */

static inline __wsum udplite_csum(struct sk_buff *skb)

{

	const struct udp_sock *up = udp_sk(skb->sk);

	const int off = skb_transport_offset(skb);

	const struct sock *sk = skb->sk;

	int len = skb->len - off;



	if ((up->pcflag & UDPLITE_SEND_CC) && up->pcslen < len) {

		if (0 < up->pcslen)

			len = up->pcslen;

		udp_hdr(skb)->len = htons(up->pcslen);

	if (udp_test_bit(UDPLITE_SEND_CC, sk)) {

		u16 pcslen = READ_ONCE(udp_sk(sk)->pcslen);



		if (pcslen < len) {

			if (pcslen > 0)

				len = pcslen;

			udp_hdr(skb)->len = htons(pcslen);

		}

	}

	skb->ip_summed = CHECKSUM_NONE;     /* no HW support for checksumming */

net/ipv4/udp.c

+11 −10
Original line number Diff line number Diff line
@@ -2120,7 +2120,8 @@ static int udp_queue_rcv_one_skb(struct sock *sk, struct sk_buff *skb) 
	/*

	 * 	UDP-Lite specific tests, ignored on UDP sockets

	 */

	if ((up->pcflag & UDPLITE_RECV_CC)  &&  UDP_SKB_CB(skb)->partial_cov) {

	if (udp_test_bit(UDPLITE_RECV_CC, sk) && UDP_SKB_CB(skb)->partial_cov) {

		u16 pcrlen = READ_ONCE(up->pcrlen);



		/*

		 * MIB statistics other than incrementing the error count are
@@ -2133,7 +2134,7 @@ static int udp_queue_rcv_one_skb(struct sock *sk, struct sk_buff *skb) 
		 * delivery of packets with coverage values less than a value

		 * provided by the application."

		 */

		if (up->pcrlen == 0) {          /* full coverage was set  */

		if (pcrlen == 0) {          /* full coverage was set  */

			net_dbg_ratelimited("UDPLite: partial coverage %d while full coverage %d requested\n",

					    UDP_SKB_CB(skb)->cscov, skb->len);

			goto drop;
@@ -2144,9 +2145,9 @@ static int udp_queue_rcv_one_skb(struct sock *sk, struct sk_buff *skb) 
		 * that it wants x while sender emits packets of smaller size y.

		 * Therefore the above ...()->partial_cov statement is essential.

		 */

		if (UDP_SKB_CB(skb)->cscov  <  up->pcrlen) {

		if (UDP_SKB_CB(skb)->cscov < pcrlen) {

			net_dbg_ratelimited("UDPLite: coverage %d too small, need min %d\n",

					    UDP_SKB_CB(skb)->cscov, up->pcrlen);

					    UDP_SKB_CB(skb)->cscov, pcrlen);

			goto drop;

		}

	}
@@ -2729,8 +2730,8 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname, 
			val = 8;

		else if (val > USHRT_MAX)

			val = USHRT_MAX;

		up->pcslen = val;

		up->pcflag |= UDPLITE_SEND_CC;

		WRITE_ONCE(up->pcslen, val);

		udp_set_bit(UDPLITE_SEND_CC, sk);

		break;



	/* The receiver specifies a minimum checksum coverage value. To make
@@ -2743,8 +2744,8 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname, 
			val = 8;

		else if (val > USHRT_MAX)

			val = USHRT_MAX;

		up->pcrlen = val;

		up->pcflag |= UDPLITE_RECV_CC;

		WRITE_ONCE(up->pcrlen, val);

		udp_set_bit(UDPLITE_RECV_CC, sk);

		break;



	default:
@@ -2808,11 +2809,11 @@ int udp_lib_getsockopt(struct sock *sk, int level, int optname, 
	/* The following two cannot be changed on UDP sockets, the return is

	 * always 0 (which corresponds to the full checksum coverage of UDP). */

	case UDPLITE_SEND_CSCOV:

		val = up->pcslen;

		val = READ_ONCE(up->pcslen);

		break;



	case UDPLITE_RECV_CSCOV:

		val = up->pcrlen;

		val = READ_ONCE(up->pcrlen);

		break;



	default:

net/ipv6/udp.c

+5 −4
Original line number Diff line number Diff line
@@ -727,16 +727,17 @@ static int udpv6_queue_rcv_one_skb(struct sock *sk, struct sk_buff *skb) 
	/*

	 * UDP-Lite specific tests, ignored on UDP sockets (see net/ipv4/udp.c).

	 */

	if ((up->pcflag & UDPLITE_RECV_CC)  &&  UDP_SKB_CB(skb)->partial_cov) {

	if (udp_test_bit(UDPLITE_RECV_CC, sk) && UDP_SKB_CB(skb)->partial_cov) {

		u16 pcrlen = READ_ONCE(up->pcrlen);



		if (up->pcrlen == 0) {          /* full coverage was set  */

		if (pcrlen == 0) {          /* full coverage was set  */

			net_dbg_ratelimited("UDPLITE6: partial coverage %d while full coverage %d requested\n",

					    UDP_SKB_CB(skb)->cscov, skb->len);

			goto drop;

		}

		if (UDP_SKB_CB(skb)->cscov  <  up->pcrlen) {

		if (UDP_SKB_CB(skb)->cscov < pcrlen) {

			net_dbg_ratelimited("UDPLITE6: coverage %d too small, need min %d\n",

					    UDP_SKB_CB(skb)->cscov, up->pcrlen);

					    UDP_SKB_CB(skb)->cscov, pcrlen);

			goto drop;

		}

	}