[PATCH 3.16.y-ckt 075/130] udp: fix dst races with multicast early demux

From: Luis Henriques
Date: Fri Sep 04 2015 - 09:34:40 EST

3.16.7-ckt17 -stable review patch. If anyone has any objections, please let me know.


From: Eric Dumazet <edumazet@xxxxxxxxxx>

commit 10e2eb878f3ca07ac2f05fa5ca5e6c4c9174a27a upstream.

Multicast dst are not cached. They carry DST_NOCACHE.

As mentioned in commit f8864972126899 ("ipv4: fix dst race in
sk_dst_get()"), these dst need special care before caching them
into a socket.

Caching them is allowed only if their refcnt was not 0, ie we
must use atomic_inc_not_zero()

Also, we must use READ_ONCE() to fetch sk->sk_rx_dst, as mentioned
in commit d0c294c53a771 ("tcp: prevent fetching dst twice in early demux

Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux")
Tested-by: Gregory Hoggarth <Gregory.Hoggarth@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Reported-by: Gregory Hoggarth <Gregory.Hoggarth@xxxxxxxxxxxxxxxxxxx>
Reported-by: Alex Gartrell <agartrell@xxxxxx>
Cc: Michal KubeÄek <mkubecek@xxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
[ luis: backported to 3.16: used davem's backport to 3.14 ]
Signed-off-by: Luis Henriques <luis.henriques@xxxxxxxxxxxxx>
net/ipv4/udp.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 4d94056ce452..8253b5d3cc89 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1988,12 +1988,19 @@ void udp_v4_early_demux(struct sk_buff *skb)

skb->sk = sk;
skb->destructor = sock_edemux;
- dst = sk->sk_rx_dst;
+ dst = ACCESS_ONCE(sk->sk_rx_dst);

if (dst)
dst = dst_check(dst, 0);
- if (dst)
- skb_dst_set_noref(skb, dst);
+ if (dst) {
+ /* DST_NOCACHE can not be used without taking a reference */
+ if (dst->flags & DST_NOCACHE) {
+ if (likely(atomic_inc_not_zero(&dst->__refcnt)))
+ skb_dst_set(skb, dst);
+ } else {
+ skb_dst_set_noref(skb, dst);
+ }
+ }

int udp_rcv(struct sk_buff *skb)
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/