From patchwork Mon Jan 8 14:54:44 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolai Stange X-Patchwork-Id: 856835 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zFdbw3YC9z9ryT for ; Tue, 9 Jan 2018 01:55:08 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933819AbeAHOy4 (ORCPT ); Mon, 8 Jan 2018 09:54:56 -0500 Received: from mx2.suse.de ([195.135.220.15]:44133 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932782AbeAHOyz (ORCPT ); Mon, 8 Jan 2018 09:54:55 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 8214DAC9E; Mon, 8 Jan 2018 14:54:53 +0000 (UTC) From: Nicolai Stange To: "David S. Miller" , Alexey Kuznetsov , Hideaki YOSHIFUJI Cc: Mohamed Ghannam , Michal Kubecek , Miroslav Benes , Stefano Brivio , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Nicolai Stange Subject: [PATCH v2] net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg() Date: Mon, 8 Jan 2018 15:54:44 +0100 Message-Id: <20180108145444.19457-1-nstange@suse.de> X-Mailer: git-send-email 2.13.6 In-Reply-To: <20180103113700.049f7558@elisabeth> References: <20180103113700.049f7558@elisabeth> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Commit 8f659a03a0ba ("net: ipv4: fix for a race condition in raw_sendmsg") fixed the issue of possibly inconsistent ->hdrincl handling due to concurrent updates by reading this bit-field member into a local variable and using the thus stabilized value in subsequent tests. However, aforementioned commit also adds the (correct) comment that /* hdrincl should be READ_ONCE(inet->hdrincl) * but READ_ONCE() doesn't work with bit fields */ because as it stands, the compiler is free to shortcut or even eliminate the local variable at its will. Note that I have not seen anything like this happening in reality and thus, the concern is a theoretical one. However, in order to be on the safe side, emulate a READ_ONCE() on the bit-field by doing it on the local 'hdrincl' variable itself: int hdrincl = inet->hdrincl; hdrincl = READ_ONCE(hdrincl); This breaks the chain in the sense that the compiler is not allowed to replace subsequent reads from hdrincl with reloads from inet->hdrincl. Fixes: 8f659a03a0ba ("net: ipv4: fix for a race condition in raw_sendmsg") Signed-off-by: Nicolai Stange Reviewed-by: Stefano Brivio --- Compile-tested only (with inspection of compiler output on x86_64). Note that there's still a ->hdrincl reload, but that's due to the inet_sk_flowi_flags() invocation and probably harmless. Applicable to linux-next-20180108. Changes to v2: - Apply review from Stefano Brivio, i.e. drop the __hdrincl intermediate, update comment and commit message accordingly. net/ipv4/raw.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 5b9bd5c33d9d..6717cf2008f0 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -520,9 +520,11 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) goto out; /* hdrincl should be READ_ONCE(inet->hdrincl) - * but READ_ONCE() doesn't work with bit fields + * but READ_ONCE() doesn't work with bit fields. + * Doing this indirectly yields the same result. */ hdrincl = inet->hdrincl; + hdrincl = READ_ONCE(hdrincl); /* * Check the flags. */