Commit 521f1cf1 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

inet_diag: fix access to tcp cc information

Two different problems are fixed here :

1) inet_sk_diag_fill() might be called without socket lock held.
   icsk->icsk_ca_ops can change under us and module be unloaded.
   -> Access to freed memory.
   Fix this using rcu_read_lock() to prevent module unload.

2) Some TCP Congestion Control modules provide information
   but again this is not safe against icsk->icsk_ca_ops
   change and nla_put() errors were ignored. Some sockets
   could not get the additional info if skb was almost full.

Fix this by returning a status from get_info() handlers and
using rcu protection as well.
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent fad9dfef
...@@ -829,7 +829,7 @@ struct tcp_congestion_ops { ...@@ -829,7 +829,7 @@ struct tcp_congestion_ops {
/* hook for packet ack accounting (optional) */ /* hook for packet ack accounting (optional) */
void (*pkts_acked)(struct sock *sk, u32 num_acked, s32 rtt_us); void (*pkts_acked)(struct sock *sk, u32 num_acked, s32 rtt_us);
/* get info for inet_diag (optional) */ /* get info for inet_diag (optional) */
void (*get_info)(struct sock *sk, u32 ext, struct sk_buff *skb); int (*get_info)(struct sock *sk, u32 ext, struct sk_buff *skb);
char name[TCP_CA_NAME_MAX]; char name[TCP_CA_NAME_MAX];
struct module *owner; struct module *owner;
......
...@@ -111,6 +111,7 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, ...@@ -111,6 +111,7 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
const struct nlmsghdr *unlh) const struct nlmsghdr *unlh)
{ {
const struct inet_sock *inet = inet_sk(sk); const struct inet_sock *inet = inet_sk(sk);
const struct tcp_congestion_ops *ca_ops;
const struct inet_diag_handler *handler; const struct inet_diag_handler *handler;
int ext = req->idiag_ext; int ext = req->idiag_ext;
struct inet_diag_msg *r; struct inet_diag_msg *r;
...@@ -208,16 +209,31 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk, ...@@ -208,16 +209,31 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
info = nla_data(attr); info = nla_data(attr);
} }
if ((ext & (1 << (INET_DIAG_CONG - 1))) && icsk->icsk_ca_ops) if (ext & (1 << (INET_DIAG_CONG - 1))) {
if (nla_put_string(skb, INET_DIAG_CONG, int err = 0;
icsk->icsk_ca_ops->name) < 0)
rcu_read_lock();
ca_ops = READ_ONCE(icsk->icsk_ca_ops);
if (ca_ops)
err = nla_put_string(skb, INET_DIAG_CONG, ca_ops->name);
rcu_read_unlock();
if (err < 0)
goto errout; goto errout;
}
handler->idiag_get_info(sk, r, info); handler->idiag_get_info(sk, r, info);
if (sk->sk_state < TCP_TIME_WAIT && if (sk->sk_state < TCP_TIME_WAIT) {
icsk->icsk_ca_ops && icsk->icsk_ca_ops->get_info) int err = 0;
icsk->icsk_ca_ops->get_info(sk, ext, skb);
rcu_read_lock();
ca_ops = READ_ONCE(icsk->icsk_ca_ops);
if (ca_ops && ca_ops->get_info)
err = ca_ops->get_info(sk, ext, skb);
rcu_read_unlock();
if (err < 0)
goto errout;
}
out: out:
nlmsg_end(skb, nlh); nlmsg_end(skb, nlh);
......
...@@ -277,7 +277,7 @@ static void dctcp_cwnd_event(struct sock *sk, enum tcp_ca_event ev) ...@@ -277,7 +277,7 @@ static void dctcp_cwnd_event(struct sock *sk, enum tcp_ca_event ev)
} }
} }
static void dctcp_get_info(struct sock *sk, u32 ext, struct sk_buff *skb) static int dctcp_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
{ {
const struct dctcp *ca = inet_csk_ca(sk); const struct dctcp *ca = inet_csk_ca(sk);
...@@ -297,8 +297,9 @@ static void dctcp_get_info(struct sock *sk, u32 ext, struct sk_buff *skb) ...@@ -297,8 +297,9 @@ static void dctcp_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
info.dctcp_ab_tot = ca->acked_bytes_total; info.dctcp_ab_tot = ca->acked_bytes_total;
} }
nla_put(skb, INET_DIAG_DCTCPINFO, sizeof(info), &info); return nla_put(skb, INET_DIAG_DCTCPINFO, sizeof(info), &info);
} }
return 0;
} }
static struct tcp_congestion_ops dctcp __read_mostly = { static struct tcp_congestion_ops dctcp __read_mostly = {
......
...@@ -300,8 +300,7 @@ static u32 tcp_illinois_ssthresh(struct sock *sk) ...@@ -300,8 +300,7 @@ static u32 tcp_illinois_ssthresh(struct sock *sk)
} }
/* Extract info for Tcp socket info provided via netlink. */ /* Extract info for Tcp socket info provided via netlink. */
static void tcp_illinois_info(struct sock *sk, u32 ext, static int tcp_illinois_info(struct sock *sk, u32 ext, struct sk_buff *skb)
struct sk_buff *skb)
{ {
const struct illinois *ca = inet_csk_ca(sk); const struct illinois *ca = inet_csk_ca(sk);
...@@ -318,8 +317,9 @@ static void tcp_illinois_info(struct sock *sk, u32 ext, ...@@ -318,8 +317,9 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
do_div(t, info.tcpv_rttcnt); do_div(t, info.tcpv_rttcnt);
info.tcpv_rtt = t; info.tcpv_rtt = t;
} }
nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); return nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
} }
return 0;
} }
static struct tcp_congestion_ops tcp_illinois __read_mostly = { static struct tcp_congestion_ops tcp_illinois __read_mostly = {
......
...@@ -286,7 +286,7 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked) ...@@ -286,7 +286,7 @@ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked)
} }
/* Extract info for Tcp socket info provided via netlink. */ /* Extract info for Tcp socket info provided via netlink. */
void tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb) int tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
{ {
const struct vegas *ca = inet_csk_ca(sk); const struct vegas *ca = inet_csk_ca(sk);
if (ext & (1 << (INET_DIAG_VEGASINFO - 1))) { if (ext & (1 << (INET_DIAG_VEGASINFO - 1))) {
...@@ -297,8 +297,9 @@ void tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb) ...@@ -297,8 +297,9 @@ void tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
.tcpv_minrtt = ca->minRTT, .tcpv_minrtt = ca->minRTT,
}; };
nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); return nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
} }
return 0;
} }
EXPORT_SYMBOL_GPL(tcp_vegas_get_info); EXPORT_SYMBOL_GPL(tcp_vegas_get_info);
......
...@@ -19,6 +19,6 @@ void tcp_vegas_init(struct sock *sk); ...@@ -19,6 +19,6 @@ void tcp_vegas_init(struct sock *sk);
void tcp_vegas_state(struct sock *sk, u8 ca_state); void tcp_vegas_state(struct sock *sk, u8 ca_state);
void tcp_vegas_pkts_acked(struct sock *sk, u32 cnt, s32 rtt_us); void tcp_vegas_pkts_acked(struct sock *sk, u32 cnt, s32 rtt_us);
void tcp_vegas_cwnd_event(struct sock *sk, enum tcp_ca_event event); void tcp_vegas_cwnd_event(struct sock *sk, enum tcp_ca_event event);
void tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb); int tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb);
#endif /* __TCP_VEGAS_H */ #endif /* __TCP_VEGAS_H */
...@@ -256,8 +256,7 @@ static void tcp_westwood_event(struct sock *sk, enum tcp_ca_event event) ...@@ -256,8 +256,7 @@ static void tcp_westwood_event(struct sock *sk, enum tcp_ca_event event)
} }
/* Extract info for Tcp socket info provided via netlink. */ /* Extract info for Tcp socket info provided via netlink. */
static void tcp_westwood_info(struct sock *sk, u32 ext, static int tcp_westwood_info(struct sock *sk, u32 ext, struct sk_buff *skb)
struct sk_buff *skb)
{ {
const struct westwood *ca = inet_csk_ca(sk); const struct westwood *ca = inet_csk_ca(sk);
...@@ -268,8 +267,9 @@ static void tcp_westwood_info(struct sock *sk, u32 ext, ...@@ -268,8 +267,9 @@ static void tcp_westwood_info(struct sock *sk, u32 ext,
.tcpv_minrtt = jiffies_to_usecs(ca->rtt_min), .tcpv_minrtt = jiffies_to_usecs(ca->rtt_min),
}; };
nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info); return nla_put(skb, INET_DIAG_VEGASINFO, sizeof(info), &info);
} }
return 0;
} }
static struct tcp_congestion_ops tcp_westwood __read_mostly = { static struct tcp_congestion_ops tcp_westwood __read_mostly = {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment