From: Eric Dumazet Date: Wed, 16 Aug 2017 18:09:12 +0000 (-0700) Subject: ipv4: better IP_MAX_MTU enforcement X-Git-Tag: v4.4.85~48 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1bd54371388c0c1e24e3ffa8afde9e130c5799b9;p=thirdparty%2Fkernel%2Fstable.git ipv4: better IP_MAX_MTU enforcement [ Upstream commit c780a049f9bf442314335372c9abc4548bfe3e44 ] While working on yet another syzkaller report, I found that our IP_MAX_MTU enforcements were not properly done. gcc seems to reload dev->mtu for min(dev->mtu, IP_MAX_MTU), and final result can be bigger than IP_MAX_MTU :/ This is a problem because device mtu can be changed on other cpus or threads. While this patch does not fix the issue I am working on, it is probably worth addressing it. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- diff --git a/include/net/ip.h b/include/net/ip.h index b450d8653b30c..7476bb10ff375 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -314,7 +314,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst, !forwarding) return dst_mtu(dst); - return min(dst->dev->mtu, IP_MAX_MTU); + return min(READ_ONCE(dst->dev->mtu), IP_MAX_MTU); } static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb) @@ -327,7 +327,7 @@ static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb) return ip_dst_mtu_maybe_forward(skb_dst(skb), forwarding); } - return min(skb_dst(skb)->dev->mtu, IP_MAX_MTU); + return min(READ_ONCE(skb_dst(skb)->dev->mtu), IP_MAX_MTU); } u32 ip_idents_reserve(u32 hash, int segs); diff --git a/net/ipv4/route.c b/net/ipv4/route.c index c295d882c6e0a..0294f7c99c854 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1241,7 +1241,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst) if (mtu) return mtu; - mtu = dst->dev->mtu; + mtu = READ_ONCE(dst->dev->mtu); if (unlikely(dst_metric_locked(dst, RTAX_MTU))) { if (rt->rt_uses_gateway && mtu > 576)