Commit 02739545 authored by Kuniyuki Iwashima's avatar Kuniyuki Iwashima Committed by David S. Miller
Browse files

net: Fix data-races around sysctl_[rw]mem(_offset)?. 



While reading these sysctl variables, they can be changed concurrently.
Thus, we need to add READ_ONCE() to their readers.

  - .sysctl_rmem
  - .sysctl_rwmem
  - .sysctl_rmem_offset
  - .sysctl_wmem_offset
  - sysctl_tcp_rmem[1, 2]
  - sysctl_tcp_wmem[1, 2]
  - sysctl_decnet_rmem[1]
  - sysctl_decnet_wmem[1]
  - sysctl_tipc_rmem[1]

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 59bf6c65

include/net/sock.h

+4 −4
Original line number Diff line number Diff line
@@ -2843,18 +2843,18 @@ static inline int sk_get_wmem0(const struct sock *sk, const struct proto *proto) 
{

	/* Does this proto have per netns sysctl_wmem ? */

	if (proto->sysctl_wmem_offset)

		return *(int *)((void *)sock_net(sk) + proto->sysctl_wmem_offset);

		return READ_ONCE(*(int *)((void *)sock_net(sk) + proto->sysctl_wmem_offset));



	return *proto->sysctl_wmem;

	return READ_ONCE(*proto->sysctl_wmem);

}



static inline int sk_get_rmem0(const struct sock *sk, const struct proto *proto)

{

	/* Does this proto have per netns sysctl_rmem ? */

	if (proto->sysctl_rmem_offset)

		return *(int *)((void *)sock_net(sk) + proto->sysctl_rmem_offset);

		return READ_ONCE(*(int *)((void *)sock_net(sk) + proto->sysctl_rmem_offset));



	return *proto->sysctl_rmem;

	return READ_ONCE(*proto->sysctl_rmem);

}



/* Default TCP Small queue budget is ~1 ms of data (1sec >> 10)

net/decnet/af_decnet.c

+2 −2
Original line number Diff line number Diff line
@@ -480,8 +480,8 @@ static struct sock *dn_alloc_sock(struct net *net, struct socket *sock, gfp_t gf 
	sk->sk_family      = PF_DECnet;

	sk->sk_protocol    = 0;

	sk->sk_allocation  = gfp;

	sk->sk_sndbuf	   = sysctl_decnet_wmem[1];

	sk->sk_rcvbuf	   = sysctl_decnet_rmem[1];

	sk->sk_sndbuf	   = READ_ONCE(sysctl_decnet_wmem[1]);

	sk->sk_rcvbuf	   = READ_ONCE(sysctl_decnet_rmem[1]);



	/* Initialization of DECnet Session Control Port		*/

	scp = DN_SK(sk);

net/ipv4/tcp.c

+3 −3
Original line number Diff line number Diff line
@@ -452,8 +452,8 @@ void tcp_init_sock(struct sock *sk) 


	icsk->icsk_sync_mss = tcp_sync_mss;



	WRITE_ONCE(sk->sk_sndbuf, sock_net(sk)->ipv4.sysctl_tcp_wmem[1]);

	WRITE_ONCE(sk->sk_rcvbuf, sock_net(sk)->ipv4.sysctl_tcp_rmem[1]);

	WRITE_ONCE(sk->sk_sndbuf, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_wmem[1]));

	WRITE_ONCE(sk->sk_rcvbuf, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[1]));



	sk_sockets_allocated_inc(sk);

}
@@ -1724,7 +1724,7 @@ int tcp_set_rcvlowat(struct sock *sk, int val) 
	if (sk->sk_userlocks & SOCK_RCVBUF_LOCK)

		cap = sk->sk_rcvbuf >> 1;

	else

		cap = sock_net(sk)->ipv4.sysctl_tcp_rmem[2] >> 1;

		cap = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2]) >> 1;

	val = min(val, cap);

	WRITE_ONCE(sk->sk_rcvlowat, val ? : 1);

net/ipv4/tcp_input.c

+7 −6
Original line number Diff line number Diff line
@@ -426,7 +426,7 @@ static void tcp_sndbuf_expand(struct sock *sk) 


	if (sk->sk_sndbuf < sndmem)

		WRITE_ONCE(sk->sk_sndbuf,

			   min(sndmem, sock_net(sk)->ipv4.sysctl_tcp_wmem[2]));

			   min(sndmem, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_wmem[2])));

}



/* 2. Tuning advertised window (window_clamp, rcv_ssthresh)
@@ -461,7 +461,7 @@ static int __tcp_grow_window(const struct sock *sk, const struct sk_buff *skb, 
	struct tcp_sock *tp = tcp_sk(sk);

	/* Optimize this! */

	int truesize = tcp_win_from_space(sk, skbtruesize) >> 1;

	int window = tcp_win_from_space(sk, sock_net(sk)->ipv4.sysctl_tcp_rmem[2]) >> 1;

	int window = tcp_win_from_space(sk, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2])) >> 1;



	while (tp->rcv_ssthresh <= window) {

		if (truesize <= skb->len)
@@ -574,16 +574,17 @@ static void tcp_clamp_window(struct sock *sk) 
	struct tcp_sock *tp = tcp_sk(sk);

	struct inet_connection_sock *icsk = inet_csk(sk);

	struct net *net = sock_net(sk);

	int rmem2;



	icsk->icsk_ack.quick = 0;

	rmem2 = READ_ONCE(net->ipv4.sysctl_tcp_rmem[2]);



	if (sk->sk_rcvbuf < net->ipv4.sysctl_tcp_rmem[2] &&

	if (sk->sk_rcvbuf < rmem2 &&

	    !(sk->sk_userlocks & SOCK_RCVBUF_LOCK) &&

	    !tcp_under_memory_pressure(sk) &&

	    sk_memory_allocated(sk) < sk_prot_mem_limits(sk, 0)) {

		WRITE_ONCE(sk->sk_rcvbuf,

			   min(atomic_read(&sk->sk_rmem_alloc),

			       net->ipv4.sysctl_tcp_rmem[2]));

			   min(atomic_read(&sk->sk_rmem_alloc), rmem2));

	}

	if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)

		tp->rcv_ssthresh = min(tp->window_clamp, 2U * tp->advmss);
@@ -745,7 +746,7 @@ void tcp_rcv_space_adjust(struct sock *sk) 


		do_div(rcvwin, tp->advmss);

		rcvbuf = min_t(u64, rcvwin * rcvmem,

			       sock_net(sk)->ipv4.sysctl_tcp_rmem[2]);

			       READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2]));

		if (rcvbuf > sk->sk_rcvbuf) {

			WRITE_ONCE(sk->sk_rcvbuf, rcvbuf);

net/ipv4/tcp_output.c

+1 −1
Original line number Diff line number Diff line
@@ -238,7 +238,7 @@ void tcp_select_initial_window(const struct sock *sk, int __space, __u32 mss, 
	*rcv_wscale = 0;

	if (wscale_ok) {

		/* Set window scaling on max possible window */

		space = max_t(u32, space, sock_net(sk)->ipv4.sysctl_tcp_rmem[2]);

		space = max_t(u32, space, READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_rmem[2]));

		space = max_t(u32, space, sysctl_rmem_max);

		space = min_t(u32, space, *window_clamp);

		*rcv_wscale = clamp_t(int, ilog2(space) - 15,