tcp: annotate data-races on tp->segs_in and tp->data_segs_in

tcp_segs_in() can be called from BH, while socket spinlock
is held but socket owned by user, eventually reading these
fields from tcp_get_info()

Found by code inspection, no need to backport this patch
to older kernels.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/tcp.h b/include/net/tcp.h
index 4da22b41bde688dec4a3741f510346dae0cf32e0..05c81677aaf782f23b8c63d6ed133df802b43064 100644 (file)
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -2172,9 +2172,13 @@ static inline void tcp_segs_in(struct tcp_sock *tp, const struct sk_buff *skb)
        u16 segs_in;
 
        segs_in = max_t(u16, 1, skb_shinfo(skb)->gso_segs);
-       tp->segs_in += segs_in;
+
+       /* We update these fields while other threads might
+        * read them from tcp_get_info()
+        */
+       WRITE_ONCE(tp->segs_in, tp->segs_in + segs_in);
        if (skb->len > tcp_hdrlen(skb))
-               tp->data_segs_in += segs_in;
+               WRITE_ONCE(tp->data_segs_in, tp->data_segs_in + segs_in);
 }
 
 /*

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 24d77a32c9cbcdf0e4380ec6d9aa3e42d2cf8730..267b2b18f048c4df4cabd819433a99bf8b3f2678 100644 (file)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3769,10 +3769,12 @@ void tcp_get_info(struct sock *sk, struct tcp_info *info)
        tcp_get_info_chrono_stats(tp, info);
 
        info->tcpi_segs_out = tp->segs_out;
-       info->tcpi_segs_in = tp->segs_in;
+
+       /* segs_in and data_segs_in can be updated from tcp_segs_in() from BH */
+       info->tcpi_segs_in = READ_ONCE(tp->segs_in);
+       info->tcpi_data_segs_in = READ_ONCE(tp->data_segs_in);
 
        info->tcpi_min_rtt = tcp_min_rtt(tp);
-       info->tcpi_data_segs_in = tp->data_segs_in;
        info->tcpi_data_segs_out = tp->data_segs_out;
 
        info->tcpi_delivery_rate_app_limited = tp->rate_app_limited ? 1 : 0;