releases/5.10.71/net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From a9f5970767d11eadc805d5283f202612c7ba1f59 Mon Sep 17 00:00:00 2001
 From: Eric Dumazet <edumazet@google.com>
 Date: Mon, 27 Sep 2021 17:29:24 -0700
 Subject: net: udp: annotate data race around udp_sk(sk)->corkflag

 From: Eric Dumazet <edumazet@google.com>

 commit a9f5970767d11eadc805d5283f202612c7ba1f59 upstream.

 up->corkflag field can be read or written without any lock.
 Annotate accesses to avoid possible syzbot/KCSAN reports.

 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
 Signed-off-by: Eric Dumazet <edumazet@google.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/ipv4/udp.c |   10 +++++-----
  net/ipv6/udp.c |    2 +-
  2 files changed, 6 insertions(+), 6 deletions(-)

 --- a/net/ipv4/udp.c
 +++ b/net/ipv4/udp.c
 @@ -1035,7 +1035,7 @@ int udp_sendmsg(struct sock *sk, struct
  	__be16 dport;
  	u8  tos;
  	int err, is_udplite = IS_UDPLITE(sk);
 -	int corkreq = up->corkflag || msg->msg_flags&MSG_MORE;
 +	int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE;
  	int (*getfrag)(void *, char *, int, int, int, struct sk_buff *);
  	struct sk_buff *skb;
  	struct ip_options_data opt_copy;
 @@ -1343,7 +1343,7 @@ int udp_sendpage(struct sock *sk, struct
  	}

  	up->len += size;
 -	if (!(up->corkflag || (flags&MSG_MORE)))
 +	if (!(READ_ONCE(up->corkflag) || (flags&MSG_MORE)))
  		ret = udp_push_pending_frames(sk);
  	if (!ret)
  		ret = size;
 @@ -2609,9 +2609,9 @@ int udp_lib_setsockopt(struct sock *sk,
  	switch (optname) {
  	case UDP_CORK:
  		if (val != 0) {
 -			up->corkflag = 1;
 +			WRITE_ONCE(up->corkflag, 1);
  		} else {
 -			up->corkflag = 0;
 +			WRITE_ONCE(up->corkflag, 0);
  			lock_sock(sk);
  			push_pending_frames(sk);
  			release_sock(sk);
 @@ -2734,7 +2734,7 @@ int udp_lib_getsockopt(struct sock *sk,

  	switch (optname) {
  	case UDP_CORK:
 -		val = up->corkflag;
 +		val = READ_ONCE(up->corkflag);
  		break;

  	case UDP_ENCAP:
 --- a/net/ipv6/udp.c
 +++ b/net/ipv6/udp.c
 @@ -1288,7 +1288,7 @@ int udpv6_sendmsg(struct sock *sk, struc
  	int addr_len = msg->msg_namelen;
  	bool connected = false;
  	int ulen = len;
 -	int corkreq = up->corkflag || msg->msg_flags&MSG_MORE;
 +	int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE;
  	int err;
  	int is_udplite = IS_UDPLITE(sk);
  	int (*getfrag)(void *, char *, int, int, int, struct sk_buff *);
	From a9f5970767d11eadc805d5283f202612c7ba1f59 Mon Sep 17 00:00:00 2001
	From: Eric Dumazet <edumazet@google.com>
	Date: Mon, 27 Sep 2021 17:29:24 -0700
	Subject: net: udp: annotate data race around udp_sk(sk)->corkflag

	From: Eric Dumazet <edumazet@google.com>

	commit a9f5970767d11eadc805d5283f202612c7ba1f59 upstream.

	up->corkflag field can be read or written without any lock.
	Annotate accesses to avoid possible syzbot/KCSAN reports.

	Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/ipv4/udp.c \| 10 +++++-----
	net/ipv6/udp.c \| 2 +-
	2 files changed, 6 insertions(+), 6 deletions(-)

	--- a/net/ipv4/udp.c
	+++ b/net/ipv4/udp.c
	@@ -1035,7 +1035,7 @@ int udp_sendmsg(struct sock *sk, struct
	__be16 dport;
	u8 tos;
	int err, is_udplite = IS_UDPLITE(sk);
	- int corkreq = up->corkflag \|\| msg->msg_flags&MSG_MORE;
	+ int corkreq = READ_ONCE(up->corkflag) \|\| msg->msg_flags&MSG_MORE;
	int (getfrag)(void , char , int, int, int, struct sk_buff );
	struct sk_buff *skb;
	struct ip_options_data opt_copy;
	@@ -1343,7 +1343,7 @@ int udp_sendpage(struct sock *sk, struct
	}

	up->len += size;
	- if (!(up->corkflag \|\| (flags&MSG_MORE)))
	+ if (!(READ_ONCE(up->corkflag) \|\| (flags&MSG_MORE)))
	ret = udp_push_pending_frames(sk);
	if (!ret)
	ret = size;
	@@ -2609,9 +2609,9 @@ int udp_lib_setsockopt(struct sock *sk,
	switch (optname) {
	case UDP_CORK:
	if (val != 0) {
	- up->corkflag = 1;
	+ WRITE_ONCE(up->corkflag, 1);
	} else {
	- up->corkflag = 0;
	+ WRITE_ONCE(up->corkflag, 0);
	lock_sock(sk);
	push_pending_frames(sk);
	release_sock(sk);
	@@ -2734,7 +2734,7 @@ int udp_lib_getsockopt(struct sock *sk,

	switch (optname) {
	case UDP_CORK:
	- val = up->corkflag;
	+ val = READ_ONCE(up->corkflag);
	break;

	case UDP_ENCAP:
	--- a/net/ipv6/udp.c
	+++ b/net/ipv6/udp.c
	@@ -1288,7 +1288,7 @@ int udpv6_sendmsg(struct sock *sk, struc
	int addr_len = msg->msg_namelen;
	bool connected = false;
	int ulen = len;
	- int corkreq = up->corkflag \|\| msg->msg_flags&MSG_MORE;
	+ int corkreq = READ_ONCE(up->corkflag) \|\| msg->msg_flags&MSG_MORE;
	int err;
	int is_udplite = IS_UDPLITE(sk);
	int (getfrag)(void , char , int, int, int, struct sk_buff );