From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 030/128] inet: fully convert sk->sk_rx_dst to RCU rules
Date: Mon, 27 Dec 2021 16:30:05 +0100 [thread overview]
Message-ID: <20211227151332.529953468@linuxfoundation.org> (raw)
In-Reply-To: <20211227151331.502501367@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 8f905c0e7354ef261360fb7535ea079b1082c105 ]
syzbot reported various issues around early demux,
one being included in this changelog [1]
sk->sk_rx_dst is using RCU protection without clearly
documenting it.
And following sequences in tcp_v4_do_rcv()/tcp_v6_do_rcv()
are not following standard RCU rules.
[a] dst_release(dst);
[b] sk->sk_rx_dst = NULL;
They look wrong because a delete operation of RCU protected
pointer is supposed to clear the pointer before
the call_rcu()/synchronize_rcu() guarding actual memory freeing.
In some cases indeed, dst could be freed before [b] is done.
We could cheat by clearing sk_rx_dst before calling
dst_release(), but this seems the right time to stick
to standard RCU annotations and debugging facilities.
[1]
BUG: KASAN: use-after-free in dst_check include/net/dst.h:470 [inline]
BUG: KASAN: use-after-free in tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792
Read of size 2 at addr ffff88807f1cb73a by task syz-executor.5/9204
CPU: 0 PID: 9204 Comm: syz-executor.5 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
dst_check include/net/dst.h:470 [inline]
tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792
ip_rcv_finish_core.constprop.0+0x15de/0x1e80 net/ipv4/ip_input.c:340
ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583
ip_sublist_rcv net/ipv4/ip_input.c:609 [inline]
ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644
__netif_receive_skb_list_ptype net/core/dev.c:5508 [inline]
__netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556
__netif_receive_skb_list net/core/dev.c:5608 [inline]
netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699
gro_normal_list net/core/dev.c:5853 [inline]
gro_normal_list net/core/dev.c:5849 [inline]
napi_complete_done+0x1f1/0x880 net/core/dev.c:6590
virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline]
virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557
__napi_poll+0xaf/0x440 net/core/dev.c:7023
napi_poll net/core/dev.c:7090 [inline]
net_rx_action+0x801/0xb40 net/core/dev.c:7177
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
common_interrupt+0x52/0xc0 arch/x86/kernel/irq.c:240
asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629
RIP: 0033:0x7f5e972bfd57
Code: 39 d1 73 14 0f 1f 80 00 00 00 00 48 8b 50 f8 48 83 e8 08 48 39 ca 77 f3 48 39 c3 73 3e 48 89 13 48 8b 50 f8 48 89 38 49 8b 0e <48> 8b 3e 48 83 c3 08 48 83 c6 08 eb bc 48 39 d1 72 9e 48 39 d0 73
RSP: 002b:00007fff8a413210 EFLAGS: 00000283
RAX: 00007f5e97108990 RBX: 00007f5e97108338 RCX: ffffffff81d3aa45
RDX: ffffffff81d3aa45 RSI: 00007f5e97108340 RDI: ffffffff81d3aa45
RBP: 00007f5e97107eb8 R08: 00007f5e97108d88 R09: 0000000093c2e8d9
R10: 0000000000000000 R11: 0000000000000000 R12: 00007f5e97107eb0
R13: 00007f5e97108338 R14: 00007f5e97107ea8 R15: 0000000000000019
</TASK>
Allocated by task 13:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3234 [inline]
slab_alloc mm/slub.c:3242 [inline]
kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247
dst_alloc+0x146/0x1f0 net/core/dst.c:92
rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613
ip_route_input_slow+0x1817/0x3a20 net/ipv4/route.c:2340
ip_route_input_rcu net/ipv4/route.c:2470 [inline]
ip_route_input_noref+0x116/0x2a0 net/ipv4/route.c:2415
ip_rcv_finish_core.constprop.0+0x288/0x1e80 net/ipv4/ip_input.c:354
ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583
ip_sublist_rcv net/ipv4/ip_input.c:609 [inline]
ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644
__netif_receive_skb_list_ptype net/core/dev.c:5508 [inline]
__netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556
__netif_receive_skb_list net/core/dev.c:5608 [inline]
netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699
gro_normal_list net/core/dev.c:5853 [inline]
gro_normal_list net/core/dev.c:5849 [inline]
napi_complete_done+0x1f1/0x880 net/core/dev.c:6590
virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline]
virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557
__napi_poll+0xaf/0x440 net/core/dev.c:7023
napi_poll net/core/dev.c:7090 [inline]
net_rx_action+0x801/0xb40 net/core/dev.c:7177
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
Freed by task 13:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1723 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
slab_free mm/slub.c:3513 [inline]
kmem_cache_free+0xbd/0x5d0 mm/slub.c:3530
dst_destroy+0x2d6/0x3f0 net/core/dst.c:127
rcu_do_batch kernel/rcu/tree.c:2506 [inline]
rcu_core+0x7ab/0x1470 kernel/rcu/tree.c:2741
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
Last potentially related work creation:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
__kasan_record_aux_stack+0xf5/0x120 mm/kasan/generic.c:348
__call_rcu kernel/rcu/tree.c:2985 [inline]
call_rcu+0xb1/0x740 kernel/rcu/tree.c:3065
dst_release net/core/dst.c:177 [inline]
dst_release+0x79/0xe0 net/core/dst.c:167
tcp_v4_do_rcv+0x612/0x8d0 net/ipv4/tcp_ipv4.c:1712
sk_backlog_rcv include/net/sock.h:1030 [inline]
__release_sock+0x134/0x3b0 net/core/sock.c:2768
release_sock+0x54/0x1b0 net/core/sock.c:3300
tcp_sendmsg+0x36/0x40 net/ipv4/tcp.c:1441
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
sock_sendmsg_nosec net/socket.c:704 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:724
sock_write_iter+0x289/0x3c0 net/socket.c:1057
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write+0x429/0x660 fs/read_write.c:503
vfs_write+0x7cd/0xae0 fs/read_write.c:590
ksys_write+0x1ee/0x250 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88807f1cb700
which belongs to the cache ip_dst_cache of size 176
The buggy address is located 58 bytes inside of
176-byte region [ffff88807f1cb700, ffff88807f1cb7b0)
The buggy address belongs to the page:
page:ffffea0001fc72c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f1cb
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff8881413bb780
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 5, ts 108466983062, free_ts 108048976062
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
kmem_cache_alloc+0x35c/0x3a0 mm/slub.c:3247
dst_alloc+0x146/0x1f0 net/core/dst.c:92
rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613
__mkroute_output net/ipv4/route.c:2564 [inline]
ip_route_output_key_hash_rcu+0x921/0x2d00 net/ipv4/route.c:2791
ip_route_output_key_hash+0x18b/0x300 net/ipv4/route.c:2619
__ip_route_output_key include/net/route.h:126 [inline]
ip_route_output_flow+0x23/0x150 net/ipv4/route.c:2850
ip_route_output_key include/net/route.h:142 [inline]
geneve_get_v4_rt+0x3a6/0x830 drivers/net/geneve.c:809
geneve_xmit_skb drivers/net/geneve.c:899 [inline]
geneve_xmit+0xc4a/0x3540 drivers/net/geneve.c:1082
__netdev_start_xmit include/linux/netdevice.h:4994 [inline]
netdev_start_xmit include/linux/netdevice.h:5008 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3606
__dev_queue_xmit+0x299a/0x3650 net/core/dev.c:4229
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3388
qlink_free mm/kasan/quarantine.c:146 [inline]
qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3234 [inline]
kmem_cache_alloc_node+0x255/0x3f0 mm/slub.c:3270
__alloc_skb+0x215/0x340 net/core/skbuff.c:414
alloc_skb include/linux/skbuff.h:1126 [inline]
alloc_skb_with_frags+0x93/0x620 net/core/skbuff.c:6078
sock_alloc_send_pskb+0x783/0x910 net/core/sock.c:2575
mld_newpack+0x1df/0x770 net/ipv6/mcast.c:1754
add_grhead+0x265/0x330 net/ipv6/mcast.c:1857
add_grec+0x1053/0x14e0 net/ipv6/mcast.c:1995
mld_send_initial_cr.part.0+0xf6/0x230 net/ipv6/mcast.c:2242
mld_send_initial_cr net/ipv6/mcast.c:1232 [inline]
mld_dad_work+0x1d3/0x690 net/ipv6/mcast.c:2268
process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
Memory state around the buggy address:
ffff88807f1cb600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f1cb680: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
>ffff88807f1cb700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807f1cb780: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
ffff88807f1cb800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20211220143330.680945-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/sock.h | 2 +-
net/ipv4/af_inet.c | 2 +-
net/ipv4/tcp.c | 3 +--
net/ipv4/tcp_input.c | 2 +-
net/ipv4/tcp_ipv4.c | 11 +++++++----
net/ipv4/udp.c | 6 +++---
net/ipv6/tcp_ipv6.c | 11 +++++++----
net/ipv6/udp.c | 4 ++--
8 files changed, 23 insertions(+), 18 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index 796f859c69dd7..dfb92f91d5be5 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -432,7 +432,7 @@ struct sock {
#ifdef CONFIG_XFRM
struct xfrm_policy __rcu *sk_policy[2];
#endif
- struct dst_entry *sk_rx_dst;
+ struct dst_entry __rcu *sk_rx_dst;
int sk_rx_dst_ifindex;
u32 sk_rx_dst_cookie;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 64062b7ce61df..3a9422a5873eb 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -158,7 +158,7 @@ void inet_sock_destruct(struct sock *sk)
kfree(rcu_dereference_protected(inet->inet_opt, 1));
dst_release(rcu_dereference_protected(sk->sk_dst_cache, 1));
- dst_release(sk->sk_rx_dst);
+ dst_release(rcu_dereference_protected(sk->sk_rx_dst, 1));
sk_refcnt_debug_dec(sk);
}
EXPORT_SYMBOL(inet_sock_destruct);
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 844c6e5a82891..f48f1059b31a6 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3039,8 +3039,7 @@ int tcp_disconnect(struct sock *sk, int flags)
icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;
memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
__sk_dst_reset(sk);
- dst_release(sk->sk_rx_dst);
- sk->sk_rx_dst = NULL;
+ dst_release(xchg((__force struct dst_entry **)&sk->sk_rx_dst, NULL));
tcp_saved_syn_free(tp);
tp->compressed_ack = 0;
tp->segs_in = 0;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 141e85e6422b1..f3b6239674361 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5770,7 +5770,7 @@ void tcp_rcv_established(struct sock *sk, struct sk_buff *skb)
trace_tcp_probe(sk, skb);
tcp_mstamp_refresh(tp);
- if (unlikely(!sk->sk_rx_dst))
+ if (unlikely(!rcu_access_pointer(sk->sk_rx_dst)))
inet_csk(sk)->icsk_af_ops->sk_rx_dst_set(sk, skb);
/*
* Header prediction.
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index f6838eec6ef73..0fe9461647da5 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1698,7 +1698,10 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
struct sock *rsk;
if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
- struct dst_entry *dst = sk->sk_rx_dst;
+ struct dst_entry *dst;
+
+ dst = rcu_dereference_protected(sk->sk_rx_dst,
+ lockdep_sock_is_held(sk));
sock_rps_save_rxhash(sk, skb);
sk_mark_napi_id(sk, skb);
@@ -1706,8 +1709,8 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
!INDIRECT_CALL_1(dst->ops->check, ipv4_dst_check,
dst, 0)) {
+ RCU_INIT_POINTER(sk->sk_rx_dst, NULL);
dst_release(dst);
- sk->sk_rx_dst = NULL;
}
}
tcp_rcv_established(sk, skb);
@@ -1783,7 +1786,7 @@ int tcp_v4_early_demux(struct sk_buff *skb)
skb->sk = sk;
skb->destructor = sock_edemux;
if (sk_fullsock(sk)) {
- struct dst_entry *dst = READ_ONCE(sk->sk_rx_dst);
+ struct dst_entry *dst = rcu_dereference(sk->sk_rx_dst);
if (dst)
dst = dst_check(dst, 0);
@@ -2200,7 +2203,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
struct dst_entry *dst = skb_dst(skb);
if (dst && dst_hold_safe(dst)) {
- sk->sk_rx_dst = dst;
+ rcu_assign_pointer(sk->sk_rx_dst, dst);
sk->sk_rx_dst_ifindex = skb->skb_iif;
}
}
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 3f6823bdd31e5..be07e3d2b77bc 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2251,7 +2251,7 @@ bool udp_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst)
struct dst_entry *old;
if (dst_hold_safe(dst)) {
- old = xchg(&sk->sk_rx_dst, dst);
+ old = xchg((__force struct dst_entry **)&sk->sk_rx_dst, dst);
dst_release(old);
return old != dst;
}
@@ -2441,7 +2441,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
struct dst_entry *dst = skb_dst(skb);
int ret;
- if (unlikely(sk->sk_rx_dst != dst))
+ if (unlikely(rcu_dereference(sk->sk_rx_dst) != dst))
udp_sk_rx_dst_set(sk, dst);
ret = udp_unicast_rcv_skb(sk, skb, uh);
@@ -2600,7 +2600,7 @@ int udp_v4_early_demux(struct sk_buff *skb)
skb->sk = sk;
skb->destructor = sock_efree;
- dst = READ_ONCE(sk->sk_rx_dst);
+ dst = rcu_dereference(sk->sk_rx_dst);
if (dst)
dst = dst_check(dst, 0);
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 42eafe35415d1..8eedf59e9cf25 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -107,7 +107,7 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
if (dst && dst_hold_safe(dst)) {
const struct rt6_info *rt = (const struct rt6_info *)dst;
- sk->sk_rx_dst = dst;
+ rcu_assign_pointer(sk->sk_rx_dst, dst);
sk->sk_rx_dst_ifindex = skb->skb_iif;
sk->sk_rx_dst_cookie = rt6_get_cookie(rt);
}
@@ -1504,7 +1504,10 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
opt_skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
- struct dst_entry *dst = sk->sk_rx_dst;
+ struct dst_entry *dst;
+
+ dst = rcu_dereference_protected(sk->sk_rx_dst,
+ lockdep_sock_is_held(sk));
sock_rps_save_rxhash(sk, skb);
sk_mark_napi_id(sk, skb);
@@ -1512,8 +1515,8 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
INDIRECT_CALL_1(dst->ops->check, ip6_dst_check,
dst, sk->sk_rx_dst_cookie) == NULL) {
+ RCU_INIT_POINTER(sk->sk_rx_dst, NULL);
dst_release(dst);
- sk->sk_rx_dst = NULL;
}
}
@@ -1875,7 +1878,7 @@ INDIRECT_CALLABLE_SCOPE void tcp_v6_early_demux(struct sk_buff *skb)
skb->sk = sk;
skb->destructor = sock_edemux;
if (sk_fullsock(sk)) {
- struct dst_entry *dst = READ_ONCE(sk->sk_rx_dst);
+ struct dst_entry *dst = rcu_dereference(sk->sk_rx_dst);
if (dst)
dst = dst_check(dst, sk->sk_rx_dst_cookie);
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 12c12619ee357..7bee95d8d2df0 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -956,7 +956,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
struct dst_entry *dst = skb_dst(skb);
int ret;
- if (unlikely(sk->sk_rx_dst != dst))
+ if (unlikely(rcu_dereference(sk->sk_rx_dst) != dst))
udp6_sk_rx_dst_set(sk, dst);
if (!uh->check && !udp_sk(sk)->no_check6_rx) {
@@ -1070,7 +1070,7 @@ INDIRECT_CALLABLE_SCOPE void udp_v6_early_demux(struct sk_buff *skb)
skb->sk = sk;
skb->destructor = sock_efree;
- dst = READ_ONCE(sk->sk_rx_dst);
+ dst = rcu_dereference(sk->sk_rx_dst);
if (dst)
dst = dst_check(dst, sk->sk_rx_dst_cookie);
--
2.34.1
next prev parent reply other threads:[~2021-12-27 15:45 UTC|newest]
Thread overview: 138+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-27 15:29 [PATCH 5.15 000/128] 5.15.12-rc1 review Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 001/128] arm64: vdso32: require CROSS_COMPILE_COMPAT for gcc+bfd Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 002/128] net: usb: lan78xx: add Allied Telesis AT29M2-AF Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 003/128] ext4: prevent partial update of the extent blocks Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 004/128] ext4: check for out-of-order index extents in ext4_valid_extent_entries() Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 005/128] ext4: check for inconsistent extents between index and leaf block Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 006/128] selftests: KVM: Fix non-x86 compiling Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 007/128] HID: holtek: fix mouse probing Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 008/128] HID: potential dereference of null pointer Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 009/128] NFSD: Fix READDIR buffer overflow Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 010/128] PM: sleep: Fix error handling in dpm_prepare() Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 011/128] arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 012/128] bus: sunxi-rsb: Fix shutdown Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 013/128] spi: change clk_disable_unprepare to clk_unprepare Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 014/128] ucounts: Fix rlimit max values check Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 015/128] drm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 016/128] ASoC: meson: aiu: fifo: Add missing dma_coerce_mask_and_coherent() Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 017/128] RDMA/hns: Fix RNR retransmission issue for HIP08 Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 018/128] IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 019/128] RDMA/hns: Replace kfree() with kvfree() Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 020/128] netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy() Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 021/128] netfilter: fix regression in looped (broad|multi)casts MAC handling Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 022/128] ARM: dts: imx6qdl-wandboard: Fix Ethernet support Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 023/128] ice: Use xdp_buf instead of rx_buf for xsk zero-copy Greg Kroah-Hartman
2021-12-27 15:29 ` [PATCH 5.15 024/128] ice: xsk: return xsk buffers back to pool when cleaning the ring Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 025/128] net: marvell: prestera: fix incorrect return of port_find Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 026/128] net: marvell: prestera: fix incorrect structure access Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 027/128] qlcnic: potential dereference null pointer of rx_queue->page_ring Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 028/128] tcp: move inet->rx_dst_ifindex to sk->sk_rx_dst_ifindex Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 029/128] ipv6: move inet6_sk(sk)->rx_dst_cookie to sk->sk_rx_dst_cookie Greg Kroah-Hartman
2021-12-27 15:30 ` Greg Kroah-Hartman [this message]
2021-12-27 15:30 ` [PATCH 5.15 031/128] net: accept UFOv6 packages in virtio_net_hdr_to_skb Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 032/128] net: skip virtio_net_hdr_set_proto if protocol already set Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 033/128] igb: fix deadlock caused by taking RTNL in RPM resume path Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 034/128] ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 035/128] gpio: virtio: remove timeout Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 036/128] bonding: fix ad_actor_system option setting to default Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 037/128] fjes: Check for error irq Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 038/128] drivers: net: smc911x: " Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 039/128] net: ks8851: " Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 040/128] sfc: Check null pointer of rx_queue->page_ring Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 041/128] sfc: falcon: " Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 042/128] asix: fix uninit-value in asix_mdio_read() Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 043/128] asix: fix wrong return value in asix_check_host_enable() Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 044/128] io_uring: zero iocb->ki_pos for stream file types Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 045/128] veth: ensure skb entering GRO are not cloned Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 046/128] net: stmmac: ptp: fix potentially overflowing expression Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 047/128] net: bridge: Use array_size() helper in copy_to_user() Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 048/128] net: bridge: fix ioctl old_deviceless bridge argument Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 049/128] r8152: fix the force speed doesnt work for RTL8156 Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 050/128] net: stmmac: dwmac-visconti: Fix value of ETHER_CLK_SEL_FREQ_SEL_2P5M Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 051/128] Input: elantech - fix stack out of bound access in elantech_change_report_id() Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 052/128] pinctrl: bcm2835: Change init order for gpio hogs Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 053/128] hwmon: (lm90) Fix usage of CONFIG2 register in detect function Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 054/128] hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 055/128] hwmon: (lm90) Introduce flag indicating extended temperature support Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 056/128] hwmon: (lm90) Add basic support for TI TMP461 Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 057/128] hwmon: (lm90) Drop critical attribute support for MAX6654 Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 058/128] ARM: 9160/1: NOMMU: Reload __secondary_data after PROCINFO_INITFUNC Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 059/128] uapi: Fix undefined __always_inline on non-glibc systems Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 060/128] compiler.h: Fix annotation macro misplacement with Clang Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 061/128] platform/x86/intel: Remove X86_PLATFORM_DRIVERS_INTEL Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 062/128] kernel/crash_core: suppress unknown crashkernel parameter warning Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 063/128] Revert "x86/boot: Pull up cmdline preparation and early param parsing" Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 064/128] x86/boot: Move EFI range reservation after cmdline parsing Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 065/128] ALSA: jack: Check the return value of kstrdup() Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 066/128] ALSA: drivers: opl3: Fix incorrect use of vp->state Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 067/128] ALSA: rawmidi - fix the uninitalized user_pversion Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 068/128] ALSA: hda/hdmi: Disable silent stream on GLK Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 069/128] ALSA: hda/realtek: Amp init fixup for HP ZBook 15 G6 Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 070/128] ALSA: hda/realtek: Add new alc285-hp-amp-init model Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 071/128] ALSA: hda/realtek: fix mute/micmute LEDs for a HP ProBook Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 072/128] ALSA: hda/realtek: Fix quirk for Clevo NJ51CU Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 073/128] ASoC: meson: aiu: Move AIU_I2S_MISC hold setting to aiu-fifo-i2s Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 074/128] ASoC: tegra: Add DAPM switches for headphones and mic jack Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 075/128] ASoC: tegra: Restore headphones jack name on Nyan Big Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 076/128] Input: atmel_mxt_ts - fix double free in mxt_read_info_block Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 077/128] ipmi: bail out if init_srcu_struct fails Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 078/128] ipmi: ssif: initialize ssif_info->client early Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 079/128] ipmi: fix initialization when workqueue allocation fails Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 080/128] parisc: Correct completer in lws start Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 081/128] parisc: Fix mask used to select futex spinlock Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 082/128] tee: handle lookup of shm with reference count 0 Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 083/128] x86/pkey: Fix undefined behaviour with PKRU_WD_BIT Greg Kroah-Hartman
2021-12-27 15:30 ` [PATCH 5.15 084/128] platform/x86: amd-pmc: only use callbacks for suspend Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 085/128] platform/x86: intel_pmc_core: fix memleak on registration failure Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 086/128] KVM: x86: Always set kvm_run->if_flag Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 087/128] KVM: x86/mmu: Dont advance iterator after restart due to yielding Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 088/128] KVM: nVMX: Synthesize TRIPLE_FAULT for L2 if emulation is required Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 089/128] KVM: VMX: Always clear vmx->fail on emulation_required Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 090/128] KVM: VMX: Wake vCPU when delivering posted IRQ even if vCPU == this vCPU Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 091/128] pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 092/128] gpio: dln2: Fix interrupts when replugging the device Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 093/128] mmc: sdhci-tegra: Fix switch to HS400ES mode Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 094/128] mmc: meson-mx-sdhc: Set MANUAL_STOP for multi-block SDIO commands Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 095/128] mmc: core: Disable card detect during shutdown Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 096/128] mmc: mmci: stm32: clear DLYB_CR after sending tuning command Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 097/128] ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 098/128] ksmbd: fix error code in ndr_read_int32() Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 099/128] ksmbd: fix uninitialized symbol pntsd_size Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 100/128] ksmbd: disable SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1 Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 101/128] mac80211: fix locking in ieee80211_start_ap error path Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 102/128] mm: mempolicy: fix THP allocations escaping mempolicy restrictions Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 103/128] mm, hwpoison: fix condition in free hugetlb page path Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 104/128] mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page() Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 105/128] mm/damon/dbgfs: protect targets destructions with kdamond_lock Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 106/128] tee: optee: Fix incorrect page free bug Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 107/128] f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr() Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 108/128] netfs: fix parameter of cleanup() Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 109/128] KVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_state Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 110/128] arm64: dts: lx2160a: fix scl-gpios property name Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 111/128] kfence: fix memory leak when cat kfence objects Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 112/128] Input: iqs626a - prohibit inlining of channel parsing functions Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 113/128] Input: elants_i2c - do not check Remark ID on eKTH3900/eKTH5312 Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 114/128] Input: i8042 - enable deferred probe quirk for ASUS UM325UA Greg Kroah-Hartman
2021-12-27 15:53 ` Samuel Čavoj
2021-12-27 16:00 ` Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 115/128] Input: goodix - add id->model mapping for the "9111" model Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 116/128] ASoC: tas2770: Fix setting of high sample rates Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 117/128] ASoC: SOF: Intel: pci-tgl: add new ADL-P variant Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 118/128] ASoC: SOF: Intel: pci-tgl: add ADL-N support Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 119/128] ASoC: rt5682: fix the wrong jack type detected Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 120/128] pinctrl: mediatek: fix global-out-of-bounds issue Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 121/128] hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681 Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 122/128] hwmon: (lm90) Do not report busy status bit as alarm Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 123/128] r8152: sync ocp base Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 124/128] ax25: NPD bug when detaching AX25 device Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 125/128] hamradio: defer ax25 kfree after unregister_netdev Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 126/128] hamradio: improve the incomplete fix to avoid NPD Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 127/128] tun: avoid double free in tun_free_netdev Greg Kroah-Hartman
2021-12-27 15:31 ` [PATCH 5.15 128/128] phonet/pep: refuse to enable an unbound pipe Greg Kroah-Hartman
2021-12-27 18:32 ` [PATCH 5.15 000/128] 5.15.12-rc1 review Florian Fainelli
2021-12-28 8:01 ` Naresh Kamboju
2021-12-28 11:12 ` Rudi Heitbaum
2021-12-28 13:25 ` Sudip Mukherjee
2021-12-28 13:27 ` Jeffrin Jose T
2021-12-28 17:07 ` Guenter Roeck
2021-12-28 21:26 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211227151332.529953468@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.