]> git.itanic.dy.fi Git - linux-stable/commitdiff
projects / linux-stable / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e25e9d8)
net: annotate sk->sk_err write from do_recvmmsg()
authorEric Dumazet <edumazet@google.com>
Tue, 9 May 2023 16:35:53 +0000 (16:35 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 30 May 2023 11:38:34 +0000 (12:38 +0100)
[ Upstream commit e05a5f510f26607616fecdd4ac136310c8bea56b ]

do_recvmmsg() can write to sk->sk_err from multiple threads.

As said before, many other points reading or writing sk_err
need annotations.

Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/socket.c patch | blob | history

diff --git a/net/socket.c b/net/socket.c
index 7bcd7053e61f2b639e6ee0f96dc53a5f15d9c916..e59b114e16ba74e619e0f6918a29888161bf9557 100644 (file)
--- a/net/socket.c
+++ b/net/socket.c
@@ -2383,7 +2383,7 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
                 * error to return on the next call or if the
                 * app asks about it using getsockopt(SO_ERROR).
                 */
-               sock->sk->sk_err = -err;
+               WRITE_ONCE(sock->sk->sk_err, -err);
        }
 out_put:
        fput_light(sock->file, fput_needed);
Unnamed repository; edit this file 'description' to name the repository.