lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iLEANNvZ45PaPL8miZeyMUTAcLoVR4WS55gbtfiMPbueQ@mail.gmail.com> Date: Tue, 21 Nov 2023 09:08:49 +0100 From: Eric Dumazet <edumazet@...gle.com> To: Dmitry Safonov <dima@...sta.com> Cc: David Ahern <dsahern@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Jakub Kicinski <kuba@...nel.org>, "David S. Miller" <davem@...emloft.net>, linux-kernel@...r.kernel.org, Dmitry Safonov <0x7f454c46@...il.com>, Francesco Ruggeri <fruggeri05@...il.com>, Salam Noureddine <noureddine@...sta.com>, Simon Horman <horms@...nel.org>, netdev@...r.kernel.org Subject: Re: [PATCH 6/7] net/tcp: ACCESS_ONCE() on snd/rcv SNEs On Tue, Nov 21, 2023 at 3:01 AM Dmitry Safonov <dima@...sta.com> wrote: > > SNEs need READ_ONCE()/WRITE_ONCE() for access as they can be written and > read at the same time. > > This is actually a shame: I planned to send it in TCP-AO patches, but > it seems I've chosen a wrong commit to git-commit-fixup some time ago. > It ended up in a commit that adds a selftest. Human factor. > > Fixes: 64382c71a557 ("net/tcp: Add TCP-AO SNE support") > Signed-off-by: Dmitry Safonov <dima@...sta.com> > --- > net/ipv4/tcp_ao.c | 4 ++-- > net/ipv4/tcp_input.c | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c > index 122ff58168ee..9b7f1970c2e9 100644 > --- a/net/ipv4/tcp_ao.c > +++ b/net/ipv4/tcp_ao.c > @@ -956,8 +956,8 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_buff *skb, > if (unlikely(th->syn && !th->ack)) > goto verify_hash; > > - sne = tcp_ao_compute_sne(info->rcv_sne, tcp_sk(sk)->rcv_nxt, > - ntohl(th->seq)); > + sne = tcp_ao_compute_sne(READ_ONCE(info->rcv_sne), > + tcp_sk(sk)->rcv_nxt, ntohl(th->seq)); I think this is a wrong fix. Something is definitely fishy here. Update side should only happen for an established socket ? And the read side should have locked the socket before calling tcp_inbound_ao_hash(), otherwise reading other fields (like tcp_sk(sk)->rcv_nxt) would be racy anyway. > /* Established socket, traffic key are cached */ > traffic_key = rcv_other_key(key); > err = tcp_ao_verify_hash(sk, skb, family, info, aoh, key, > diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c > index bcb55d98004c..78896c8be0d4 100644 > --- a/net/ipv4/tcp_input.c > +++ b/net/ipv4/tcp_input.c tcp_snd_sne_update() definitely only deals with full sockets (TCP_AO_ESTABLISHED) > @@ -3583,7 +3583,7 @@ static void tcp_snd_sne_update(struct tcp_sock *tp, u32 ack) > ao = rcu_dereference_protected(tp->ao_info, > lockdep_sock_is_held((struct sock *)tp)); > if (ao && ack < tp->snd_una) > - ao->snd_sne++; > + WRITE_ONCE(ao->snd_sne, ao->snd_sne + 1); > #endif > } > > @@ -3609,7 +3609,7 @@ static void tcp_rcv_sne_update(struct tcp_sock *tp, u32 seq) > ao = rcu_dereference_protected(tp->ao_info, > lockdep_sock_is_held((struct sock *)tp)); > if (ao && seq < tp->rcv_nxt) > - ao->rcv_sne++; > + WRITE_ONCE(ao->rcv_sne, ao->rcv_sne + 1); > #endif > } > > -- > 2.42.0 >
Powered by blists - more mailing lists