[PATCH OLK-5.10] inet: read sk->sk_family once in inet_recv_error()

7 Apr 2024

From: Eric Dumazet edumazet@google.com
stable inclusion
from stable-v5.10.210
commit 88081ba415224cf413101def4343d660f56d082b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9DNRC
CVE: CVE-2024-26679
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit eef00a82c568944f113f2de738156ac591bbd5cd ]
inet_recv_error() is called without holding the socket lock.
IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM
socket option and trigger a KCSAN warning.
Fixes: f4713a3dfad0 ("net-timestamp: make tcp_recvmsg call ipv6_recv_error for AF_INET6 socks")
Signed-off-by: Eric Dumazet edumazet@google.com
Cc: Willem de Bruijn willemb@google.com
Reviewed-by: Willem de Bruijn willemb@google.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Ziyang Xuan william.xuanziyang@huawei.com
---
 net/ipv4/af_inet.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 1fce11081e16..f9223adfb388 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1610,10 +1610,12 @@ EXPORT_SYMBOL(inet_current_timestamp);
int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
 {
-	if (sk->sk_family == AF_INET)
+	unsigned int family = READ_ONCE(sk->sk_family);
+
+	if (family == AF_INET)
    	return ip_recv_error(sk, msg, len, addr_len);
 #if IS_ENABLED(CONFIG_IPV6)
-	if (sk->sk_family == AF_INET6)
+	if (family == AF_INET6)
    	return pingv6_ops.ipv6_recv_error(sk, msg, len, addr_len);
 #endif
    return -EINVAL;
-- 
2.25.1


    

2024

2023

2022

2021

2020

2019

[PATCH OLK-5.10] inet: read sk->sk_family once in inet_recv_error()