www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Eric Dumazet <edumazet@google.com>
	Mon, 30 Nov 2015 03:37:57 +0000 (19:37 -0800)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Fri, 5 Feb 2016 03:33:15 +0000 (19:33 -0800)
commit	9f6c201720f482224d0817b2ace865e8a24d5f43
tree	e414fa03a65f64c6fdd422018fa7b80d5d7d6758	tree
parent	27b9f717b01544454c9d35fea4e006bd3397b7c9	commit \| diff

ipv6: add complete rcu protection around np->opt

Orabug: 22623859

[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ]

This patch addresses multiple problems :

UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions
while socket is not locked : Other threads can change np->opt
concurrently. Dmitry posted a syzkaller
(http://github.com/google/syzkaller) program desmonstrating
use-after-free.

Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock()
and dccp_v6_request_recv_sock() also need to use RCU protection
to dereference np->opt once (before calling ipv6_dup_options())

This patch adds full RCU protection to np->opt

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 81ed463384847813faa59e692285fe775da7375f)
Signed-off-by: Dan Duval <dan.duval@oracle.com>

include/linux/ipv6.h		diff \| blob \| history
include/net/ipv6.h		diff \| blob \| history
net/dccp/ipv6.c		diff \| blob \| history
net/ipv6/af_inet6.c		diff \| blob \| history
net/ipv6/datagram.c		diff \| blob \| history
net/ipv6/exthdrs.c		diff \| blob \| history
net/ipv6/inet6_connection_sock.c		diff \| blob \| history
net/ipv6/ipv6_sockglue.c		diff \| blob \| history
net/ipv6/raw.c		diff \| blob \| history
net/ipv6/syncookies.c		diff \| blob \| history
net/ipv6/tcp_ipv6.c		diff \| blob \| history
net/ipv6/udp.c		diff \| blob \| history
net/l2tp/l2tp_ip6.c		diff \| blob \| history