
Commit 521f1cf1 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

inet_diag: fix access to tcp cc information



Two different problems are fixed here :

1) inet_sk_diag_fill() might be called without socket lock held.
   icsk->icsk_ca_ops can change under us and module be unloaded.
   -> Access to freed memory.
   Fix this using rcu_read_lock() to prevent module unload.

2) Some TCP Congestion Control modules provide information
   but again this is not safe against icsk->icsk_ca_ops
   change and nla_put() errors were ignored. Some sockets
   could not get the additional info if skb was almost full.

Fix this by returning a status from get_info() handlers and
using rcu protection as well.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent fad9dfef
+1 −1
@@ -829,7 +829,7 @@ struct tcp_congestion_ops {
	/* hook for packet ack accounting (optional) */
	void (*pkts_acked)(struct sock *sk, u32 num_acked, s32 rtt_us);
	/* get info for inet_diag (optional) */
	void (*get_info)(struct sock *sk, u32 ext, struct sk_buff *skb);
	int (*get_info)(struct sock *sk, u32 ext, struct sk_buff *skb);

	char 		name[TCP_CA_NAME_MAX];
	struct module 	*owner;
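Review bot: The comment above `get_info` still reads only "get info for inet_diag (optional)" although the hook now returns a status, so the contract implementers must follow is not written down where they will look for it. Judging from the inet_diag.c section of this commit, the hook is invoked inside `rcu_read_lock()` and a negative return is treated as a failure of the fill (`goto errout`). I would spell that out, e.g. `/* get info for inet_diag (optional); called under rcu_read_lock(), must not sleep; returns 0 or a negative errno */`. The struct definition starts and ends outside this hunk.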
+22 −6
@@ -111,6 +111,7 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
		      const struct nlmsghdr *unlh)
{
	const struct inet_sock *inet = inet_sk(sk);
	const struct tcp_congestion_ops *ca_ops;
	const struct inet_diag_handler *handler;
	int ext = req->idiag_ext;
	struct inet_diag_msg *r;
@@ -208,16 +209,31 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
		info = nla_data(attr);
	}

	if ((ext & (1 << (INET_DIAG_CONG - 1))) && icsk->icsk_ca_ops)
		if (nla_put_string(skb, INET_DIAG_CONG,
				   icsk->icsk_ca_ops->name) < 0)
	if (ext & (1 << (INET_DIAG_CONG - 1))) {
		int err = 0;

		rcu_read_lock();
		ca_ops = READ_ONCE(icsk->icsk_ca_ops);
		if (ca_ops)
			err = nla_put_string(skb, INET_DIAG_CONG, ca_ops->name);
		rcu_read_unlock();
		if (err < 0)
			goto errout;
	}

	handler->idiag_get_info(sk, r, info);

	if (sk->sk_state < TCP_TIME_WAIT &&
	    icsk->icsk_ca_ops && icsk->icsk_ca_ops->get_info)
		icsk->icsk_ca_ops->get_info(sk, ext, skb);
	if (sk->sk_state < TCP_TIME_WAIT) {
		int err = 0;

		rcu_read_lock();
		ca_ops = READ_ONCE(icsk->icsk_ca_ops);
		if (ca_ops && ca_ops->get_info)
			err = ca_ops->get_info(sk, ext, skb);
		rcu_read_unlock();
		if (err < 0)
			goto errout;
	}

out:
	nlmsg_end(skb, nlh);
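Review bot: In the second hunk, `ca_ops->get_info(sk, ext, skb)` is called on an RCU-protected snapshot of `icsk->icsk_ca_ops`, but the handlers in this commit read their state through `inet_csk_ca(sk)`, which is per-socket and not covered by the RCU read section. If the congestion control is switched concurrently (the no-socket-lock case the commit message describes), the old handler could interpret private state already reinitialised by the new algorithm. As far as can be told from here that yields inconsistent diagnostic values rather than an invalid access, but that depends on how the private area is laid out, which is outside this page. I would note it next to the call: `/* ca_ops is pinned by RCU, but inet_csk_ca(sk) may already belong to another CA: values are best effort */`. The function body starts and ends outside the hunks, and the `errout` label is not visible here.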
+3 −2
@@ -277,7 +277,7 @@ static void dctcp_cwnd_event(struct sock *sk, enum tcp_ca_event ev)
	}
}

static void dctcp_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
static int dctcp_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
{
	const struct dctcp *ca = inet_csk_ca(sk);

@@ -297,8 +297,9 @@ static void dctcp_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
			info.dctcp_ab_tot = ca->acked_bytes_total;
		}

		nla_put(skb, INET_DIAG_DCTCPINFO, sizeof(info), &info);
		return nla_put(skb, INET_DIAG_DCTCPINFO, sizeof(info), &info);
	}
	return 0;
}

static struct tcp_congestion_ops dctcp __read_mostly = {
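Review bot: It is not visible in this hunk that `info` is fully initialised before `nla_put(skb, INET_DIAG_DCTCPINFO, sizeof(info), &info)` copies all of it into the netlink message: the only stores shown sit inside a conditional block that closes just above the call, and the declaration is outside the hunk. This may already be handled there, but it is worth confirming that the structure is zeroed before the conditional, e.g. `memset(&info, 0, sizeof(info));` right after the declaration, so that no uninitialised stack bytes can reach user space on the path where the condition is false. The same pattern applies to `tcp_illinois_info()` in the next file section; `tcp_vegas_get_info()` uses a designated initialiser, which zeroes the unnamed members.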
+3 −3
@@ -300,8 +300,7 @@ static u32 tcp_illinois_ssthresh(struct sock *sk)
}

/* Extract info for Tcp socket info provided via netlink. */
static void tcp_illinois_info(struct sock *sk, u32 ext,
			      struct sk_buff *skb)
static int tcp_illinois_info(struct sock *sk, u32 ext, struct sk_buff *skb)
{
	const struct illinois *ca = inet_csk_ca(sk);

@@ -318,8 +317,9 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
			do_div(t, info.tcpv_rttcnt);
			info.tcpv_rtt = t;
		}
		nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
		return nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
	}
	return 0;
}

static struct tcp_congestion_ops tcp_illinois __read_mostly = {
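Review bot: The comment above `tcp_illinois_info()` still reads "Extract info for Tcp socket info provided via netlink." although the function now returns a status; the same holds for `tcp_vegas_get_info()` in the next section, which is exported. I would state the return value in both, e.g. `/* Extract info for Tcp socket info provided via netlink. Returns 0, or a negative errno from nla_put(). */`. For the exported vegas function, the header declaration and any other module reusing it as a `.get_info` handler are not in the sections shown on this page, so their matching update could not be checked here.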
+3 −2
@@ -286,7 +286,7 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked)
}

/* Extract info for Tcp socket info provided via netlink. */
void tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
int tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
{
	const struct vegas *ca = inet_csk_ca(sk);
	if (ext & (1 << (INET_DIAG_VEGASINFO - 1))) {
@@ -297,8 +297,9 @@ void tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
			.tcpv_minrtt = ca->minRTT,
		};

		nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
		return nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
	}
	return 0;
}
EXPORT_SYMBOL_GPL(tcp_vegas_get_info);
