From: Eric Dumazet edumazet@google.com
mainline inclusion from mainline-v5.3-rc1 commit 8e8e2951e3095732d7e780c241f61ea130955a57 category: bugfix bugzilla: NA CVE: CVE-2020-14386
Prepare for fixing CVE-2020-14386. --------------------------------
Under DDOS, we want to be able to increment tp_drops without touching the spinlock. This will help readers to drain the receive queue slightly faster :/
Signed-off-by: Eric Dumazet edumazet@google.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Yang Yingliang yangyingliang@huawei.com Reviewed-by: Yue Haibing yuehaibing@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- net/packet/af_packet.c | 20 +++++++++++--------- net/packet/internal.h | 1 + 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 391671a77e96..b6231af63968 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -767,7 +767,7 @@ static void prb_close_block(struct tpacket_kbdq_core *pkc1, struct tpacket_hdr_v1 *h1 = &pbd1->hdr.bh1; struct sock *sk = &po->sk;
- if (po->stats.stats3.tp_drops) + if (atomic_read(&po->tp_drops)) status |= TP_STATUS_LOSING;
last_pkt = (struct tpacket3_hdr *)pkc1->prev; @@ -2133,10 +2133,8 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
drop_n_acct: is_drop_n_account = true; - spin_lock(&sk->sk_receive_queue.lock); - po->stats.stats1.tp_drops++; + atomic_inc(&po->tp_drops); atomic_inc(&sk->sk_drops); - spin_unlock(&sk->sk_receive_queue.lock);
drop_n_restore: if (skb_head != skb->data && skb_shared(skb)) { @@ -2288,7 +2286,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, * Anyways, moving it for V1/V2 only as V3 doesn't need this * at packet level. */ - if (po->stats.stats1.tp_drops) + if (atomic_read(&po->tp_drops)) status |= TP_STATUS_LOSING; }
@@ -2401,9 +2399,9 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, return 0;
drop_n_account: - is_drop_n_account = true; - po->stats.stats1.tp_drops++; spin_unlock(&sk->sk_receive_queue.lock); + atomic_inc(&po->tp_drops); + is_drop_n_account = true;
sk->sk_data_ready(sk); kfree_skb(copy_skb); @@ -3917,6 +3915,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, void *data = &val; union tpacket_stats_u st; struct tpacket_rollover_stats rstats; + int drops;
if (level != SOL_PACKET) return -ENOPROTOOPT; @@ -3933,14 +3932,17 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, memcpy(&st, &po->stats, sizeof(st)); memset(&po->stats, 0, sizeof(po->stats)); spin_unlock_bh(&sk->sk_receive_queue.lock); + drops = atomic_xchg(&po->tp_drops, 0);
if (po->tp_version == TPACKET_V3) { lv = sizeof(struct tpacket_stats_v3); - st.stats3.tp_packets += st.stats3.tp_drops; + st.stats3.tp_drops = drops; + st.stats3.tp_packets += drops; data = &st.stats3; } else { lv = sizeof(struct tpacket_stats); - st.stats1.tp_packets += st.stats1.tp_drops; + st.stats1.tp_drops = drops; + st.stats1.tp_packets += drops; data = &st.stats1; }
diff --git a/net/packet/internal.h b/net/packet/internal.h index f10294800aaf..907f4cd2a718 100644 --- a/net/packet/internal.h +++ b/net/packet/internal.h @@ -135,6 +135,7 @@ struct packet_sock { struct net_device __rcu *cached_dev; int (*xmit)(struct sk_buff *skb); struct packet_type prot_hook ____cacheline_aligned_in_smp; + atomic_t tp_drops ____cacheline_aligned_in_smp; };
static struct packet_sock *pkt_sk(struct sock *sk)