net: udp: annotate data race around udp_sk(sk)->corkflag

commit a9f5970767d11eadc805d5283f202612c7ba1f59 upstream.

up->corkflag field can be read or written without any lock.
Annotate accesses to avoid possible syzbot/KCSAN reports.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 32f0d1bb3b6d5424c6dcb86309da46edb7031776..e62de979ee30c4ab7dd93fabfee60bdd5075c435 100644 (file)
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -935,7 +935,7 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
        __be16 dport;
        u8  tos;
        int err, is_udplite = IS_UDPLITE(sk);
-       int corkreq = up->corkflag || msg->msg_flags&MSG_MORE;
+       int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE;
        int (*getfrag)(void *, char *, int, int, int, struct sk_buff *);
        struct sk_buff *skb;
        struct ip_options_data opt_copy;
@@ -1243,7 +1243,7 @@ int udp_sendpage(struct sock *sk, struct page *page, int offset,
        }
 
        up->len += size;
-       if (!(up->corkflag || (flags&MSG_MORE)))
+       if (!(READ_ONCE(up->corkflag) || (flags&MSG_MORE)))
                ret = udp_push_pending_frames(sk);
        if (!ret)
                ret = size;
@@ -2468,9 +2468,9 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname,
        switch (optname) {
        case UDP_CORK:
                if (val != 0) {
-                       up->corkflag = 1;
+                       WRITE_ONCE(up->corkflag, 1);
                } else {
-                       up->corkflag = 0;
+                       WRITE_ONCE(up->corkflag, 0);
                        lock_sock(sk);
                        push_pending_frames(sk);
                        release_sock(sk);
@@ -2583,7 +2583,7 @@ int udp_lib_getsockopt(struct sock *sk, int level, int optname,
 
        switch (optname) {
        case UDP_CORK:
-               val = up->corkflag;
+               val = READ_ONCE(up->corkflag);
                break;
 
        case UDP_ENCAP:

diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 042ab5428a4ff91e61250018446957f583254362..0198910c2bf2718f1834201d66189898c58b4287 100644 (file)
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1169,7 +1169,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
        int addr_len = msg->msg_namelen;
        bool connected = false;
        int ulen = len;
-       int corkreq = up->corkflag || msg->msg_flags&MSG_MORE;
+       int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE;
        int err;
        int is_udplite = IS_UDPLITE(sk);
        int (*getfrag)(void *, char *, int, int, int, struct sk_buff *);