From nobody Fri Dec 19 07:47:12 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C3FFFC00144 for ; Mon, 1 Aug 2022 12:08:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233336AbiHAMIh (ORCPT ); Mon, 1 Aug 2022 08:08:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43560 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233671AbiHAMIL (ORCPT ); Mon, 1 Aug 2022 08:08:11 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8346665545; Mon, 1 Aug 2022 04:55:43 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 2DAAD6135A; Mon, 1 Aug 2022 11:55:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2F56AC433C1; Mon, 1 Aug 2022 11:55:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1659354942; bh=Lz53QV+wGiKU9ujIrGRQxFCNLaQVP42ex38Cm1xI+wE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PFDzCdysCJhN8A9qXmfZZ5ytvyZ02FKLaBZuD6yuKVrQK71R5rCqIzxL8LMeS4kgm LIfsZ3FfsR39PrQIFJx4X4DfsKjZ1VBDisPgW3PeVuR9hWRc4zsjVFQMUM35g6wXo2 G4nSI2GApwl8LhElzvlrDRQnhWO5PpqkbfBZaskI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 5.15 48/69] net: Fix data-races around sysctl_[rw]mem(_offset)?. 
Date: Mon, 1 Aug 2022 13:47:12 +0200 Message-Id: <20220801114136.425185447@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220801114134.468284027@linuxfoundation.org> References: <20220801114134.468284027@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Kuniyuki Iwashima [ Upstream commit 02739545951ad4c1215160db7fbf9b7a918d3c0b ] While reading these sysctl variables, they can be changed concurrently. Thus, we need to add READ_ONCE() to their readers. - .sysctl_rmem - .sysctl_wmem - .sysctl_rmem_offset - .sysctl_wmem_offset - sysctl_tcp_rmem[1, 2] - sysctl_tcp_wmem[1, 2] - sysctl_decnet_rmem[1] - sysctl_decnet_wmem[1] - sysctl_tipc_rmem[1] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- include/net/sock.h | 8 ++++---- net/decnet/af_decnet.c | 4 ++-- net/ipv4/tcp.c | 6 +++--- net/ipv4/tcp_input.c | 13 +++++++------ net/ipv4/tcp_output.c | 2 +- net/mptcp/protocol.c | 6 +++--- net/tipc/socket.c | 2 +- 7 files changed, 21 insertions(+), 20 deletions(-) diff --git a/include/net/sock.h b/include/net/sock.h index 96f51d4b1649..819c53965ef3 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -2765,18 +2765,18 @@ static inline int sk_get_wmem0(const struct sock *s= k, const struct proto *proto) { /* Does this proto have per netns sysctl_wmem ? */ if (proto->sysctl_wmem_offset) - return *(int *)((void *)sock_net(sk) + proto->sysctl_wmem_offset); + return READ_ONCE(*(int *)((void *)sock_net(sk) + proto->sysctl_wmem_offs= et)); =20 - return *proto->sysctl_wmem; + return READ_ONCE(*proto->sysctl_wmem); } =20 static inline int sk_get_rmem0(const struct sock *sk, const struct proto *= proto) { /* Does this proto have per netns sysctl_rmem ? 
*/ if (proto->sysctl_rmem_offset) - return *(int *)((void *)sock_net(sk) + proto->sysctl_rmem_offset); + return READ_ONCE(*(int *)((void *)sock_net(sk) + proto->sysctl_rmem_offs= et)); =20 - return *proto->sysctl_rmem; + return READ_ONCE(*proto->sysctl_rmem); } =20 /* Default TCP Small queue budget is ~1 ms of data (1sec >> 10) diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c index dc92a67baea3..7d542eb46172 100644 --- a/net/decnet/af_decnet.c +++ b/net/decnet/af_decnet.c @@ -480,8 +480,8 @@ static struct sock *dn_alloc_sock(struct net *net, stru= ct socket *sock, gfp_t gf sk->sk_family =3D PF_DECnet; sk->sk_protocol =3D 0; sk->sk_allocation =3D gfp; - sk->sk_sndbuf =3D sysctl_decnet_wmem[1]; - sk->sk_rcvbuf =3D sysctl_decnet_rmem[1]; + sk->sk_sndbuf =3D READ_ONCE(sysctl_decnet_wmem[1]); + sk->sk_rcvbuf =3D READ_ONCE(sysctl_decnet_rmem[1]); =20 /* Initialization of DECnet Session Control Port */ scp =3D DN_SK(sk); diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 7ba9059c263a..2097eeaf30a6 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -458,8 +458,8 @@ void tcp_init_sock(struct sock *sk) =20 icsk->icsk_sync_mss =3D tcp_sync_mss; =20 - WRITE_ONCE(sk->sk_sndbuf, sock_net(sk)->ipv4.sysctl_tcp_wmem[1]); - WRITE_ONCE(sk->sk_rcvbuf, sock_net(sk)->ipv4.sysctl_tcp_rmem[1]); + WRITE_ONCE(sk->sk_sndbuf, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_wmem[1]= )); + WRITE_ONCE(sk->sk_rcvbuf, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[1]= )); =20 sk_sockets_allocated_inc(sk); sk->sk_route_forced_caps =3D NETIF_F_GSO; @@ -1722,7 +1722,7 @@ int tcp_set_rcvlowat(struct sock *sk, int val) if (sk->sk_userlocks & SOCK_RCVBUF_LOCK) cap =3D sk->sk_rcvbuf >> 1; else - cap =3D sock_net(sk)->ipv4.sysctl_tcp_rmem[2] >> 1; + cap =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2]) >> 1; val =3D min(val, cap); WRITE_ONCE(sk->sk_rcvlowat, val ? 
: 1); =20 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 566745f527fe..e007bdc20e82 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -426,7 +426,7 @@ static void tcp_sndbuf_expand(struct sock *sk) =20 if (sk->sk_sndbuf < sndmem) WRITE_ONCE(sk->sk_sndbuf, - min(sndmem, sock_net(sk)->ipv4.sysctl_tcp_wmem[2])); + min(sndmem, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_wmem[2]))); } =20 /* 2. Tuning advertised window (window_clamp, rcv_ssthresh) @@ -461,7 +461,7 @@ static int __tcp_grow_window(const struct sock *sk, con= st struct sk_buff *skb, struct tcp_sock *tp =3D tcp_sk(sk); /* Optimize this! */ int truesize =3D tcp_win_from_space(sk, skbtruesize) >> 1; - int window =3D tcp_win_from_space(sk, sock_net(sk)->ipv4.sysctl_tcp_rmem[= 2]) >> 1; + int window =3D tcp_win_from_space(sk, READ_ONCE(sock_net(sk)->ipv4.sysctl= _tcp_rmem[2])) >> 1; =20 while (tp->rcv_ssthresh <=3D window) { if (truesize <=3D skb->len) @@ -566,16 +566,17 @@ static void tcp_clamp_window(struct sock *sk) struct tcp_sock *tp =3D tcp_sk(sk); struct inet_connection_sock *icsk =3D inet_csk(sk); struct net *net =3D sock_net(sk); + int rmem2; =20 icsk->icsk_ack.quick =3D 0; + rmem2 =3D READ_ONCE(net->ipv4.sysctl_tcp_rmem[2]); =20 - if (sk->sk_rcvbuf < net->ipv4.sysctl_tcp_rmem[2] && + if (sk->sk_rcvbuf < rmem2 && !(sk->sk_userlocks & SOCK_RCVBUF_LOCK) && !tcp_under_memory_pressure(sk) && sk_memory_allocated(sk) < sk_prot_mem_limits(sk, 0)) { WRITE_ONCE(sk->sk_rcvbuf, - min(atomic_read(&sk->sk_rmem_alloc), - net->ipv4.sysctl_tcp_rmem[2])); + min(atomic_read(&sk->sk_rmem_alloc), rmem2)); } if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) tp->rcv_ssthresh =3D min(tp->window_clamp, 2U * tp->advmss); @@ -737,7 +738,7 @@ void tcp_rcv_space_adjust(struct sock *sk) =20 do_div(rcvwin, tp->advmss); rcvbuf =3D min_t(u64, rcvwin * rcvmem, - sock_net(sk)->ipv4.sysctl_tcp_rmem[2]); + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2])); if (rcvbuf > sk->sk_rcvbuf) { 
WRITE_ONCE(sk->sk_rcvbuf, rcvbuf); =20 diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 51f31311fdb6..9c9a0f7a3dee 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -238,7 +238,7 @@ void tcp_select_initial_window(const struct sock *sk, i= nt __space, __u32 mss, *rcv_wscale =3D 0; if (wscale_ok) { /* Set window scaling on max possible window */ - space =3D max_t(u32, space, sock_net(sk)->ipv4.sysctl_tcp_rmem[2]); + space =3D max_t(u32, space, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem= [2])); space =3D max_t(u32, space, sysctl_rmem_max); space =3D min_t(u32, space, *window_clamp); *rcv_wscale =3D clamp_t(int, ilog2(space) - 15, diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 01ede89e3c46..7f96e0c42a09 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -1899,7 +1899,7 @@ static void mptcp_rcv_space_adjust(struct mptcp_sock = *msk, int copied) =20 do_div(rcvwin, advmss); rcvbuf =3D min_t(u64, rcvwin * rcvmem, - sock_net(sk)->ipv4.sysctl_tcp_rmem[2]); + READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2])); =20 if (rcvbuf > sk->sk_rcvbuf) { u32 window_clamp; @@ -2532,8 +2532,8 @@ static int mptcp_init_sock(struct sock *sk) icsk->icsk_ca_ops =3D NULL; =20 sk_sockets_allocated_inc(sk); - sk->sk_rcvbuf =3D sock_net(sk)->ipv4.sysctl_tcp_rmem[1]; - sk->sk_sndbuf =3D sock_net(sk)->ipv4.sysctl_tcp_wmem[1]; + sk->sk_rcvbuf =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[1]); + sk->sk_sndbuf =3D READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_wmem[1]); =20 return 0; } diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 43509c7e90fc..f1c3b8eb4b3d 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -517,7 +517,7 @@ static int tipc_sk_create(struct net *net, struct socke= t *sock, timer_setup(&sk->sk_timer, tipc_sk_timeout, 0); sk->sk_shutdown =3D 0; sk->sk_backlog_rcv =3D tipc_sk_backlog_rcv; - sk->sk_rcvbuf =3D sysctl_tipc_rmem[1]; + sk->sk_rcvbuf =3D READ_ONCE(sysctl_tipc_rmem[1]); sk->sk_data_ready =3D 
tipc_data_ready; sk->sk_write_space =3D tipc_write_space; sk->sk_destruct =3D tipc_sock_destruct; --=20 2.35.1