This is a note to let you know that I've just added the patch titled
udp: fix dst races with multicast early demux
to the 3.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
udp-fix-dst-races-with-multicast-early-demux.patch
and it can be found in the queue-3.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Sat Sep 26 11:19:08 PDT 2015
From: Eric Dumazet <edumazet@xxxxxxxxxx>
Date: Sat, 1 Aug 2015 12:14:33 +0200
Subject: udp: fix dst races with multicast early demux
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Eric Dumazet <edumazet@xxxxxxxxxx>
[ Upstream commit 10e2eb878f3ca07ac2f05fa5ca5e6c4c9174a27a ]
Multicast dst are not cached. They carry DST_NOCACHE.
As mentioned in commit f8864972126899 ("ipv4: fix dst race in
sk_dst_get()"), these dst need special care before caching them
into a socket.
Caching them is allowed only if their refcnt was not 0, ie we
must use atomic_inc_not_zero()
Also, we must use READ_ONCE() to fetch sk->sk_rx_dst, as mentioned
in commit d0c294c53a771 ("tcp: prevent fetching dst twice in early demux
code")
Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux")
Tested-by: Gregory Hoggarth <Gregory.Hoggarth@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Reported-by: Gregory Hoggarth <Gregory.Hoggarth@xxxxxxxxxxxxxxxxxxx>
Reported-by: Alex Gartrell <agartrell@xxxxxx>
Cc: Michal Kubeček <mkubecek@xxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/ipv4/udp.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1957,12 +1957,19 @@ void udp_v4_early_demux(struct sk_buff *
skb->sk = sk;
skb->destructor = sock_edemux;
- dst = sk->sk_rx_dst;
+ dst = ACCESS_ONCE(sk->sk_rx_dst);
if (dst)
dst = dst_check(dst, 0);
- if (dst)
- skb_dst_set_noref(skb, dst);
+ if (dst) {
+ /* DST_NOCACHE can not be used without taking a reference */
+ if (dst->flags & DST_NOCACHE) {
+ if (likely(atomic_inc_not_zero(&dst->__refcnt)))
+ skb_dst_set(skb, dst);
+ } else {
+ skb_dst_set_noref(skb, dst);
+ }
+ }
}
int udp_rcv(struct sk_buff *skb)
Patches currently in stable-queue which might be from edumazet@xxxxxxxxxx are
queue-3.14/udp-fix-dst-races-with-multicast-early-demux.patch
queue-3.14/ipv6-lock-socket-in-ip6_datagram_connect.patch
queue-3.14/net-fix-skb-csum-races-when-peeking.patch
queue-3.14/net-graceful-exit-from-netif_alloc_netdev_queues.patch
queue-3.14/inet-frags-fix-defragmented-packet-s-ip-header-for-af_packet.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html