net: annotate data-races around sk->sk_forward_alloc

bmastbergen · bmastbergen · commit 4c81ea907fa3 · 2025-09-19T13:28:22.000-04:00
jira VULN-65244 cve-pre CVE-2025-22058 commit-author Eric Dumazet <edumazet@google.com> commit 5e6300e Every time sk->sk_forward_alloc is read locklessly, add a READ_ONCE(). Add sk_forward_alloc_add() helper to centralize updates, to reduce number of WRITE_ONCE(). Fixes: 1da177e ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 5e6300e) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/include/net/sock.h b/include/net/sock.h
@@ -1033,6 +1033,12 @@ static inline void sk_wmem_queued_add(struct sock *sk, int val)
 	WRITE_ONCE(sk->sk_wmem_queued, sk->sk_wmem_queued + val);
 }
 
+static inline void sk_forward_alloc_add(struct sock *sk, int val)
+{
+	/* Paired with lockless reads of sk->sk_forward_alloc */
+	WRITE_ONCE(sk->sk_forward_alloc, sk->sk_forward_alloc + val);
+}
+
 void sk_stream_write_space(struct sock *sk);
 
 /* OOB backlog add */
@@ -1369,7 +1375,7 @@ static inline int sk_forward_alloc_get(const struct sock *sk)
 	if (sk->sk_prot->forward_alloc_get)
 		return sk->sk_prot->forward_alloc_get(sk);
 #endif
-	return sk->sk_forward_alloc;
+	return READ_ONCE(sk->sk_forward_alloc);
 }
 
 static inline bool __sk_stream_memory_free(const struct sock *sk, int wake)
@@ -1668,7 +1674,7 @@ static inline void sk_mem_charge(struct sock *sk, int size)
 {
 	if (!sk_has_account(sk))
 		return;
-	sk->sk_forward_alloc -= size;
+	sk_forward_alloc_add(sk, -size);
 }
 
 /* the following macros control memory reclaiming in mptcp_rmem_uncharge()
@@ -1680,7 +1686,7 @@ static inline void sk_mem_uncharge(struct sock *sk, int size)
 {
 	if (!sk_has_account(sk))
 		return;
-	sk->sk_forward_alloc += size;
+	sk_forward_alloc_add(sk, size);
 	sk_mem_reclaim(sk);
 }
 
diff --git a/net/core/sock.c b/net/core/sock.c
@@ -1021,7 +1021,7 @@ static int sock_reserve_memory(struct sock *sk, int bytes)
 		mem_cgroup_uncharge_skmem(sk->sk_memcg, pages);
 		return -ENOMEM;
 	}
-	sk->sk_forward_alloc += pages << PAGE_SHIFT;
+	sk_forward_alloc_add(sk, pages << PAGE_SHIFT);
 
 	sk->sk_reserved_mem += pages << PAGE_SHIFT;
 
@@ -2974,10 +2974,10 @@ int __sk_mem_schedule(struct sock *sk, int size, int kind)
 {
 	int ret, amt = sk_mem_pages(size);
 
-	sk->sk_forward_alloc += amt << PAGE_SHIFT;
+	sk_forward_alloc_add(sk, amt << PAGE_SHIFT);
 	ret = __sk_mem_raise_allocated(sk, size, amt, kind);
 	if (!ret)
-		sk->sk_forward_alloc -= amt << PAGE_SHIFT;
+		sk_forward_alloc_add(sk, -(amt << PAGE_SHIFT));
 	return ret;
 }
 EXPORT_SYMBOL(__sk_mem_schedule);
@@ -3010,7 +3010,7 @@ EXPORT_SYMBOL(__sk_mem_reduce_allocated);
 void __sk_mem_reclaim(struct sock *sk, int amount)
 {
 	amount >>= PAGE_SHIFT;
-	sk->sk_forward_alloc -= amount << PAGE_SHIFT;
+	sk_forward_alloc_add(sk, -(amount << PAGE_SHIFT));
 	__sk_mem_reduce_allocated(sk, amount);
 }
 EXPORT_SYMBOL(__sk_mem_reclaim);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
@@ -3386,7 +3386,7 @@ void sk_forced_mem_schedule(struct sock *sk, int size)
 	if (delta <= 0)
 		return;
 	amt = sk_mem_pages(delta);
-	sk->sk_forward_alloc += amt << PAGE_SHIFT;
+	sk_forward_alloc_add(sk, amt << PAGE_SHIFT);
 	sk_memory_allocated_add(sk, amt);
 
 	if (mem_cgroup_sockets_enabled && sk->sk_memcg)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
@@ -1462,9 +1462,9 @@ static void udp_rmem_release(struct sock *sk, int size, int partial,
 		spin_lock(&sk_queue->lock);
 
 
-	sk->sk_forward_alloc += size;
+	sk_forward_alloc_add(sk, size);
 	amt = (sk->sk_forward_alloc - partial) & ~(PAGE_SIZE - 1);
-	sk->sk_forward_alloc -= amt;
+	sk_forward_alloc_add(sk, -amt);
 
 	if (amt)
 		__sk_mem_reduce_allocated(sk, amt >> PAGE_SHIFT);
@@ -1570,7 +1570,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb)
 		sk->sk_forward_alloc += delta;
 	}
 
-	sk->sk_forward_alloc -= size;
+	sk_forward_alloc_add(sk, -size);
 
 	/* no need to setup a destructor, we will explicitly release the
 	 * forward allocated memory on dequeue
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
@@ -1794,7 +1794,7 @@ static int mptcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 		}
 
 		/* data successfully copied into the write queue */
-		sk->sk_forward_alloc -= total_ts;
+		sk_forward_alloc_add(sk, -total_ts);
 		copied += psize;
 		dfrag->data_len += psize;
 		frag_truesize += psize;
@@ -3198,7 +3198,7 @@ void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags)
 	/* move all the rx fwd alloc into the sk_mem_reclaim_final in
 	 * inet_sock_destruct() will dispose it
 	 */
-	sk->sk_forward_alloc += msk->rmem_fwd_alloc;
+	sk_forward_alloc_add(sk, msk->rmem_fwd_alloc);
 	msk->rmem_fwd_alloc = 0;
 	mptcp_token_destroy(msk);
 	mptcp_pm_free_anno_list(msk);
@@ -3479,7 +3479,7 @@ static void mptcp_shutdown(struct sock *sk, int how)
 
 static int mptcp_forward_alloc_get(const struct sock *sk)
 {
-	return sk->sk_forward_alloc + mptcp_sk(sk)->rmem_fwd_alloc;
+	return READ_ONCE(sk->sk_forward_alloc) + mptcp_sk(sk)->rmem_fwd_alloc;
 }
 
 static int mptcp_ioctl_outq(const struct mptcp_sock *msk, u64 v)

Original file line number	Diff line number	Diff line change
`@@ -1033,6 +1033,12 @@ static inline void sk_wmem_queued_add(struct sock *sk, int val)`
`1033`	`1033`	`WRITE_ONCE(sk->sk_wmem_queued, sk->sk_wmem_queued + val);`
`1034`	`1034`	`}`
`1035`	`1035`
	`1036`	`+static inline void sk_forward_alloc_add(struct sock *sk, int val)`
	`1037`	`+{`
	`1038`	`+ /* Paired with lockless reads of sk->sk_forward_alloc */`
	`1039`	`+ WRITE_ONCE(sk->sk_forward_alloc, sk->sk_forward_alloc + val);`
	`1040`	`+}`
	`1041`	`+`
`1036`	`1042`	`void sk_stream_write_space(struct sock *sk);`
`1037`	`1043`
`1038`	`1044`	`/* OOB backlog add */`
`@@ -1369,7 +1375,7 @@ static inline int sk_forward_alloc_get(const struct sock *sk)`
`1369`	`1375`	`if (sk->sk_prot->forward_alloc_get)`
`1370`	`1376`	`return sk->sk_prot->forward_alloc_get(sk);`
`1371`	`1377`	`#endif`
`1372`		`- return sk->sk_forward_alloc;`
	`1378`	`+ return READ_ONCE(sk->sk_forward_alloc);`
`1373`	`1379`	`}`
`1374`	`1380`
`1375`	`1381`	`static inline bool __sk_stream_memory_free(const struct sock *sk, int wake)`
`@@ -1668,7 +1674,7 @@ static inline void sk_mem_charge(struct sock *sk, int size)`
`1668`	`1674`	`{`
`1669`	`1675`	`if (!sk_has_account(sk))`
`1670`	`1676`	`return;`
`1671`		`- sk->sk_forward_alloc -= size;`
	`1677`	`+ sk_forward_alloc_add(sk, -size);`
`1672`	`1678`	`}`
`1673`	`1679`
`1674`	`1680`	`/* the following macros control memory reclaiming in mptcp_rmem_uncharge()`
`@@ -1680,7 +1686,7 @@ static inline void sk_mem_uncharge(struct sock *sk, int size)`
`1680`	`1686`	`{`
`1681`	`1687`	`if (!sk_has_account(sk))`
`1682`	`1688`	`return;`
`1683`		`- sk->sk_forward_alloc += size;`
	`1689`	`+ sk_forward_alloc_add(sk, size);`
`1684`	`1690`	`sk_mem_reclaim(sk);`
`1685`	`1691`	`}`
`1686`	`1692`
Original file line number	Diff line number	Diff line change
`@@ -1021,7 +1021,7 @@ static int sock_reserve_memory(struct sock *sk, int bytes)`
`1021`	`1021`	`mem_cgroup_uncharge_skmem(sk->sk_memcg, pages);`
`1022`	`1022`	`return -ENOMEM;`
`1023`	`1023`	`}`
`1024`		`- sk->sk_forward_alloc += pages << PAGE_SHIFT;`
	`1024`	`+ sk_forward_alloc_add(sk, pages << PAGE_SHIFT);`
`1025`	`1025`
`1026`	`1026`	`sk->sk_reserved_mem += pages << PAGE_SHIFT;`
`1027`	`1027`
`@@ -2974,10 +2974,10 @@ int __sk_mem_schedule(struct sock *sk, int size, int kind)`
`2974`	`2974`	`{`
`2975`	`2975`	`int ret, amt = sk_mem_pages(size);`
`2976`	`2976`
`2977`		`- sk->sk_forward_alloc += amt << PAGE_SHIFT;`
	`2977`	`+ sk_forward_alloc_add(sk, amt << PAGE_SHIFT);`
`2978`	`2978`	`ret = __sk_mem_raise_allocated(sk, size, amt, kind);`
`2979`	`2979`	`if (!ret)`
`2980`		`- sk->sk_forward_alloc -= amt << PAGE_SHIFT;`
	`2980`	`+ sk_forward_alloc_add(sk, -(amt << PAGE_SHIFT));`
`2981`	`2981`	`return ret;`
`2982`	`2982`	`}`
`2983`	`2983`	`EXPORT_SYMBOL(__sk_mem_schedule);`
`@@ -3010,7 +3010,7 @@ EXPORT_SYMBOL(__sk_mem_reduce_allocated);`
`3010`	`3010`	`void __sk_mem_reclaim(struct sock *sk, int amount)`
`3011`	`3011`	`{`
`3012`	`3012`	`amount >>= PAGE_SHIFT;`
`3013`		`- sk->sk_forward_alloc -= amount << PAGE_SHIFT;`
	`3013`	`+ sk_forward_alloc_add(sk, -(amount << PAGE_SHIFT));`
`3014`	`3014`	`__sk_mem_reduce_allocated(sk, amount);`
`3015`	`3015`	`}`
`3016`	`3016`	`EXPORT_SYMBOL(__sk_mem_reclaim);`