Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b0d9f04c authored by Kuniyuki Iwashima's avatar Kuniyuki Iwashima Committed by Greg Kroah-Hartman
Browse files

tcp: Fix data-races around some timeout sysctl knobs. 



[ Upstream commit 39e24435a776e9de5c6dd188836cf2523547804b ]

While reading these sysctl knobs, they can be changed concurrently.
Thus, we need to add READ_ONCE() to their readers.

  - tcp_retries1
  - tcp_retries2
  - tcp_orphan_retries
  - tcp_fin_timeout

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent ea309c46

include/net/tcp.h

+2 −1
Original line number Diff line number Diff line
@@ -1465,7 +1465,8 @@ static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp) 


static inline int tcp_fin_time(const struct sock *sk)

{

	int fin_timeout = tcp_sk(sk)->linger2 ? : sock_net(sk)->ipv4.sysctl_tcp_fin_timeout;

	int fin_timeout = tcp_sk(sk)->linger2 ? :

		READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fin_timeout);

	const int rto = inet_csk(sk)->icsk_rto;



	if (fin_timeout < (rto << 2) - (rto >> 1))

net/ipv4/tcp.c

+1 −1
Original line number Diff line number Diff line
@@ -3466,7 +3466,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, 
	case TCP_LINGER2:

		val = tp->linger2;

		if (val >= 0)

			val = (val ? : net->ipv4.sysctl_tcp_fin_timeout) / HZ;

			val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;

		break;

	case TCP_DEFER_ACCEPT:

		val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept,

net/ipv4/tcp_output.c

+1 −1
Original line number Diff line number Diff line
@@ -3847,7 +3847,7 @@ void tcp_send_probe0(struct sock *sk) 


	icsk->icsk_probes_out++;

	if (err <= 0) {

		if (icsk->icsk_backoff < net->ipv4.sysctl_tcp_retries2)

		if (icsk->icsk_backoff < READ_ONCE(net->ipv4.sysctl_tcp_retries2))

			icsk->icsk_backoff++;

		timeout = tcp_probe0_when(sk, TCP_RTO_MAX);

	} else {

net/ipv4/tcp_timer.c

+5 −5
Original line number Diff line number Diff line
@@ -143,7 +143,7 @@ static int tcp_out_of_resources(struct sock *sk, bool do_reset) 
 */

static int tcp_orphan_retries(struct sock *sk, bool alive)

{

	int retries = sock_net(sk)->ipv4.sysctl_tcp_orphan_retries; /* May be zero. */

	int retries = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_orphan_retries); /* May be zero. */



	/* We know from an ICMP that something is wrong. */

	if (sk->sk_err_soft && !alive)
@@ -245,7 +245,7 @@ static int tcp_write_timeout(struct sock *sk) 
		retry_until = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;

		expired = icsk->icsk_retransmits >= retry_until;

	} else {

		if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1, 0)) {

		if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1), 0)) {

			/* Black hole detection */

			tcp_mtu_probing(icsk, sk);
@@ -254,7 +254,7 @@ static int tcp_write_timeout(struct sock *sk) 
			sk_rethink_txhash(sk);

		}



		retry_until = net->ipv4.sysctl_tcp_retries2;

		retry_until = READ_ONCE(net->ipv4.sysctl_tcp_retries2);

		if (sock_flag(sk, SOCK_DEAD)) {

			const bool alive = icsk->icsk_rto < TCP_RTO_MAX;
@@ -381,7 +381,7 @@ static void tcp_probe_timer(struct sock *sk) 
		 msecs_to_jiffies(icsk->icsk_user_timeout))

		goto abort;



	max_probes = sock_net(sk)->ipv4.sysctl_tcp_retries2;

	max_probes = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_retries2);

	if (sock_flag(sk, SOCK_DEAD)) {

		const bool alive = inet_csk_rto_backoff(icsk, TCP_RTO_MAX) < TCP_RTO_MAX;
@@ -580,7 +580,7 @@ void tcp_retransmit_timer(struct sock *sk) 
	}

	inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,

				  tcp_clamp_rto_to_user_timeout(sk), TCP_RTO_MAX);

	if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1 + 1, 0))

	if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1) + 1, 0))

		__sk_dst_reset(sk);



out:;