| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250627112526.3615031-6-edumazet@google.com>
Date: Fri, 27 Jun 2025 11:25:21 +0000
From: Eric Dumazet <edumazet@...gle.com>
To: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>
Cc: Simon Horman <horms@...nel.org>, Kuniyuki Iwashima <kuniyu@...gle.com>,
David Ahern <dsahern@...nel.org>, netdev@...r.kernel.org, eric.dumazet@...il.com,
Eric Dumazet <edumazet@...gle.com>
Subject: [PATCH net-next 05/10] net: dst: annotate data-races around dst->output
dst_dev_put() can overwrite dst->output while other
cpus might read this field (for instance from dst_output())
Add READ_ONCE()/WRITE_ONCE() annotations to suppress
potential issues.
We will likely need RCU protection in the future.
Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
Signed-off-by: Eric Dumazet <edumazet@...gle.com>
---
include/net/dst.h | 2 +-
include/net/lwtunnel.h | 4 ++--
net/core/dst.c | 2 +-
net/ipv4/route.c | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/include/net/dst.h b/include/net/dst.h
index c0f8b6d8e70746fe09a68037f14d6e5bf1d1c57e..b6acfde7d587c40489aaf869f715479478f548ca 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -458,7 +458,7 @@ INDIRECT_CALLABLE_DECLARE(int ip_output(struct net *, struct sock *,
/* Output packet to network from transport. */
static inline int dst_output(struct net *net, struct sock *sk, struct sk_buff *skb)
{
- return INDIRECT_CALL_INET(skb_dst(skb)->output,
+ return INDIRECT_CALL_INET(READ_ONCE(skb_dst(skb)->output),
ip6_output, ip_output,
net, sk, skb);
}
diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h
index eaac07d505959e263e479e0fe288424371945f5d..26232f603e33c9c7a1499a0dd2f69c0ba10cc381 100644
--- a/include/net/lwtunnel.h
+++ b/include/net/lwtunnel.h
@@ -138,8 +138,8 @@ int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len,
static inline void lwtunnel_set_redirect(struct dst_entry *dst)
{
if (lwtunnel_output_redirect(dst->lwtstate)) {
- dst->lwtstate->orig_output = dst->output;
- dst->output = lwtunnel_output;
+ dst->lwtstate->orig_output = READ_ONCE(dst->output);
+ WRITE_ONCE(dst->output, lwtunnel_output);
}
if (lwtunnel_input_redirect(dst->lwtstate)) {
dst->lwtstate->orig_input = READ_ONCE(dst->input);
diff --git a/net/core/dst.c b/net/core/dst.c
index 13c629dc7123da1eaeb07e4546ae6c3f38265af1..52e824e57c1755a39008fede0d97c7ed7be56855 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -149,7 +149,7 @@ void dst_dev_put(struct dst_entry *dst)
if (dst->ops->ifdown)
dst->ops->ifdown(dst, dev);
WRITE_ONCE(dst->input, dst_discard);
- dst->output = dst_discard_out;
+ WRITE_ONCE(dst->output, dst_discard_out);
dst->dev = blackhole_netdev;
netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker,
GFP_ATOMIC);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 75a1f9eabd6b6350b1ebc9d7dc8166b3d9364a03..ce6aba4f01ff25a8f9238271a7ae2295f7c7bb93 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1688,7 +1688,7 @@ struct rtable *rt_dst_clone(struct net_device *dev, struct rtable *rt)
new_rt->rt_gw6 = rt->rt_gw6;
new_rt->dst.input = READ_ONCE(rt->dst.input);
- new_rt->dst.output = rt->dst.output;
+ new_rt->dst.output = READ_ONCE(rt->dst.output);
new_rt->dst.error = rt->dst.error;
new_rt->dst.lastuse = jiffies;
new_rt->dst.lwtstate = lwtstate_get(rt->dst.lwtstate);
--
2.50.0.727.gbf7dc18ff4-goog
Powered by blists - more mailing lists