1 From afaca66ef30eb6955eb31db288ffe66ea56741a9 Mon Sep 17 00:00:00 2001
2 From: Sasha Levin <sashal@kernel.org>
3 Date: Mon, 22 Jan 2024 11:25:55 +0000
4 Subject: sock_diag: annotate data-races around sock_diag_handlers[family]
5
6 From: Eric Dumazet <edumazet@google.com>
7
8 [ Upstream commit efd402537673f9951992aea4ef0f5ff51d858f4b ]
9
10 __sock_diag_cmd() and sock_diag_bind() read sock_diag_handlers[family]
11 without a lock held.
12
13 Use READ_ONCE()/WRITE_ONCE() annotations to avoid potential issues.
14
15 Fixes: 8ef874bfc729 ("sock_diag: Move the sock_ code to net/core/")
16 Signed-off-by: Eric Dumazet <edumazet@google.com>
17 Reviewed-by: Guillaume Nault <gnault@redhat.com>
18 Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
19 Reviewed-by: Willem de Bruijn <willemb@google.com>
20 Signed-off-by: Paolo Abeni <pabeni@redhat.com>
21 Signed-off-by: Sasha Levin <sashal@kernel.org>
22 ---
23 net/core/sock_diag.c | 10 +++++-----
24 1 file changed, 5 insertions(+), 5 deletions(-)
25
26 diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
27 index c9c45b935f990..bce65b519ee80 100644
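--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -189,7 +189,7 @@ int sock_diag_register(const struct sock_diag_handler *hndl)
 if (sock_diag_handlers[hndl->family])
 err = -EBUSY;
 else
- sock_diag_handlers[hndl->family] = hndl;
+ WRITE_ONCE(sock_diag_handlers[hndl->family], hndl);
 mutex_unlock(&sock_diag_table_mutex);
 
 return err;
@@ -205,7 +205,7 @@ void sock_diag_unregister(const struct sock_diag_handler *hnld)
 
 mutex_lock(&sock_diag_table_mutex);
 BUG_ON(sock_diag_handlers[family] != hnld);
- sock_diag_handlers[family] = NULL;
+ WRITE_ONCE(sock_diag_handlers[family], NULL);
 mutex_unlock(&sock_diag_table_mutex);
 }
 EXPORT_SYMBOL_GPL(sock_diag_unregister);
@@ -223,7 +223,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
 return -EINVAL;
 req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX);
 
- if (sock_diag_handlers[req->sdiag_family] == NULL)
+ if (READ_ONCE(sock_diag_handlers[req->sdiag_family]) == NULL)
 sock_load_diag_module(req->sdiag_family, 0);
 
 mutex_lock(&sock_diag_table_mutex);
@@ -282,12 +282,12 @@ static int sock_diag_bind(struct net *net, int group)
 switch (group) {
 case SKNLGRP_INET_TCP_DESTROY:
 case SKNLGRP_INET_UDP_DESTROY:
- if (!sock_diag_handlers[AF_INET])
+ if (!READ_ONCE(sock_diag_handlers[AF_INET]))
 sock_load_diag_module(AF_INET, 0);
 break;
 case SKNLGRP_INET6_TCP_DESTROY:
 case SKNLGRP_INET6_UDP_DESTROY:
- if (!sock_diag_handlers[AF_INET6])
+ if (!READ_ONCE(sock_diag_handlers[AF_INET6]))
 sock_load_diag_module(AF_INET6, 0);
 break;
 }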
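Review bot: The lockless `READ_ONCE()` tests in `__sock_diag_cmd()` and `sock_diag_bind()` have no comment saying that the value read is only a hint for module autoload and must never be dereferenced outside `sock_diag_table_mutex`. The annotation silences the data-race report but leaves the window between the NULL test and `mutex_lock(&sock_diag_table_mutex)` open, so a handler can still be registered or unregistered in between. I would add above the check in `__sock_diag_cmd()` a comment such as `/* Lockless hint for autoload only; the handler is looked up again under sock_diag_table_mutex. */`, and the same wording in `sock_diag_bind()`. The locked part of `__sock_diag_cmd()` lies outside the hunk, so it is worth confirming that it re-reads the slot and handles NULL there rather than relying on this earlier test.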
72 --
73 2.43.0
74