dccp: fix data-race around dp->dccps_mss_cache

dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket. Same thing in do_dccp_getsockopt(). Add READ_ONCE()/WRITE_ONCE() annotations, and change dccp_sendmsg() to check again dccps_mss_cache after socket is locked. Fixes: 7c657876b63c ("[DCCP]: Initial implementation") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/r/20230803163021.2958262-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
author: Eric Dumazet <edumazet@google.com> 2023-08-03 16:30:21 +0000
committer: Jakub Kicinski <kuba@kernel.org> 2023-08-04 18:27:58 -0700
commit: a47e598fbd8617967e49d85c49c22f9fc642704c (patch)
tree: 7d9d662e64eb37268b7197729e3cafac5d59bf81 /net/dccp/output.c
parent: fc2ea6ab0a73b58328c61237017e28ba49b3a21e (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/dccp/output.c b/net/dccp/output.c
index b8a24734385e..fd2eb148d24d 100644
--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -187,7 +187,7 @@ unsigned int dccp_sync_mss(struct sock *sk, u32 pmtu)
 
 	/* And store cached results */
 	icsk->icsk_pmtu_cookie = pmtu;
-	dp->dccps_mss_cache = cur_mps;
+	WRITE_ONCE(dp->dccps_mss_cache, cur_mps);
 
 	return cur_mps;
 }
author	Eric Dumazet <edumazet@google.com>	2023-08-03 16:30:21 +0000
committer	Jakub Kicinski <kuba@kernel.org>	2023-08-04 18:27:58 -0700
commit	a47e598fbd8617967e49d85c49c22f9fc642704c (patch)
tree	7d9d662e64eb37268b7197729e3cafac5d59bf81 /net/dccp/output.c
parent	fc2ea6ab0a73b58328c61237017e28ba49b3a21e (diff)