Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9c480601 authored by Paolo Abeni's avatar Paolo Abeni Committed by David S. Miller
Browse files

udp: fix jump label misuse 



The commit 60fb9567 ("udp: implement complete book-keeping for
encap_needed") introduced a severe misuse of jump label APIs, which
syzbot, as reported by Eric, was able to exploit.

When multiple sockets/process can concurrently request (and than
disable) the udp encap, we need to track the activation counter with
*_inc()/*_dec() jump label variants, or we can experience bad things
at disable time.

Fixes: 60fb9567 ("udp: implement complete book-keeping for encap_needed")
Reported-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 37342bda

net/ipv4/udp.c

+2 −2
Original line number Diff line number Diff line
@@ -587,7 +587,7 @@ static inline bool __udp_is_mcast_sock(struct net *net, struct sock *sk, 
DEFINE_STATIC_KEY_FALSE(udp_encap_needed_key);

void udp_encap_enable(void)

{

	static_branch_enable(&udp_encap_needed_key);

	static_branch_inc(&udp_encap_needed_key);

}

EXPORT_SYMBOL(udp_encap_enable);
@@ -2524,7 +2524,7 @@ void udp_destroy_sock(struct sock *sk) 
				encap_destroy(sk);

		}

		if (up->encap_enabled)

			static_branch_disable(&udp_encap_needed_key);

			static_branch_dec(&udp_encap_needed_key);

	}

}

net/ipv6/udp.c

+2 −2
Original line number Diff line number Diff line
@@ -448,7 +448,7 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, 
DEFINE_STATIC_KEY_FALSE(udpv6_encap_needed_key);

void udpv6_encap_enable(void)

{

	static_branch_enable(&udpv6_encap_needed_key);

	static_branch_inc(&udpv6_encap_needed_key);

}

EXPORT_SYMBOL(udpv6_encap_enable);
@@ -1579,7 +1579,7 @@ void udpv6_destroy_sock(struct sock *sk) 
				encap_destroy(sk);

		}

		if (up->encap_enabled)

			static_branch_disable(&udpv6_encap_needed_key);

			static_branch_dec(&udpv6_encap_needed_key);

	}



	inet6_destroy_sock(sk);