From 8f4b680a7793d22bcce7414d5ba766a7ec0feb48 Mon Sep 17 00:00:00 2001
From: liangbotong <liangbotong@huawei.com>
Date: Wed, 14 Jun 2023 16:09:55 +0800
Subject: [PATCH] security remediation of NewIP code

Signed-off-by: liangbotong <liangbotong@huawei.com>
---
 .../linux-5.10/include/net/tcp_nip.h          |  1 +
 .../linux-5.10/net/newip/ninet_hashtables.c   | 45 ++++++++++++-------
 .../linux-5.10/net/newip/tcp_nip.c            | 15 ++++---
 .../linux-5.10/net/newip/tcp_nip_input.c      |  6 +--
 .../linux-5.10/net/newip/tcp_nip_output.c     |  6 ++-
 .../linux-5.10/net/newip/tcp_nip_timer.c      |  4 +-
 6 files changed, 47 insertions(+), 30 deletions(-)

diff --git a/newip/third_party/linux-5.10/include/net/tcp_nip.h b/newip/third_party/linux-5.10/include/net/tcp_nip.h
index dfd38a7..1e30efd 100644
--- a/newip/third_party/linux-5.10/include/net/tcp_nip.h
+++ b/newip/third_party/linux-5.10/include/net/tcp_nip.h
@@ -116,6 +116,7 @@ void tcp_nip_init_xmit_timers(struct sock *sk);
 void tcp_nip_clear_xmit_timers(struct sock *sk);
 void tcp_nip_delack_timer_handler(struct sock *sk);
 void tcp_nip_write_timer_handler(struct sock *sk);
+void tcp_nip_check_space(struct sock *sk);
 
 static inline struct sk_buff *tcp_nip_send_head(const struct sock *sk)
 {
diff --git a/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c b/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c
index 563be27..a5e7efc 100644
--- a/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c
+++ b/newip/third_party/linux-5.10/net/newip/ninet_hashtables.c
@@ -194,7 +194,9 @@ int __ninet_hash(struct sock *sk, struct sock *osk)
 	int err = 0;
 
 	if (sk->sk_state != TCP_LISTEN) {
+		local_bh_disable();
 		inet_ehash_nolisten(sk, osk, NULL);
+		local_bh_enable();
 		return 0;
 	}
 	WARN_ON(!sk_unhashed(sk));
@@ -243,34 +245,45 @@ static void ninet_unhash2(struct inet_hashinfo *h, struct sock *sk)
 	spin_unlock(&ilb2->lock);
 }
 
+static void __ninet_unhash(struct sock *sk, struct inet_listen_hashbucket *ilb)
+{
+	if (sk_unhashed(sk))
+		return;
+
+	if (ilb) {
+		struct inet_hashinfo *hashinfo = sk->sk_prot->h.hashinfo;
+
+		ninet_unhash2(hashinfo, sk);
+		ilb->count--;
+	}
+	__sk_nulls_del_node_init_rcu(sk);
+	sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+}
+
 void ninet_unhash(struct sock *sk)
 {
 	struct inet_hashinfo *hashinfo = sk->sk_prot->h.hashinfo;
-	struct inet_listen_hashbucket *ilb = NULL;
-	spinlock_t *lock; /* Spin lock (note deleted alarm) */
 
 	if (sk_unhashed(sk))
 		return;
 
 	if (sk->sk_state == TCP_LISTEN) {
+		struct inet_listen_hashbucket *ilb;
+
 		ilb = &hashinfo->listening_hash[inet_sk_listen_hashfn(sk)];
-		lock = &ilb->lock;
+		/* Don't disable bottom halves while acquiring the lock to
+		 * avoid circular locking dependency on PREEMPT_RT.
+		 */
+		spin_lock(&ilb->lock);
+		__ninet_unhash(sk, ilb);
+		spin_unlock(&ilb->lock);
 	} else {
-		lock = inet_ehash_lockp(hashinfo, sk->sk_hash);
-	}
-	spin_lock_bh(lock);
-	if (sk_unhashed(sk))
-		goto unlock;
+		spinlock_t *lock = inet_ehash_lockp(hashinfo, sk->sk_hash);
 
-	if (ilb) {
-		ninet_unhash2(hashinfo, sk);
-		ilb->count--;
+		spin_lock_bh(lock);
+		__ninet_unhash(sk, NULL);
+		spin_unlock_bh(lock);
 	}
-	__sk_nulls_del_node_init_rcu(sk);
-	sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
-
-unlock:
-	spin_unlock_bh(lock);
 }
 
 /* Function
diff --git a/newip/third_party/linux-5.10/net/newip/tcp_nip.c b/newip/third_party/linux-5.10/net/newip/tcp_nip.c
index 9a43f1e..1ff3b2d 100644
--- a/newip/third_party/linux-5.10/net/newip/tcp_nip.c
+++ b/newip/third_party/linux-5.10/net/newip/tcp_nip.c
@@ -826,7 +826,7 @@ void ninet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
 	struct dst_entry *dst = skb_dst(skb);
 
 	if (dst && dst_hold_safe(dst)) {
-		sk->sk_rx_dst = dst;
+		rcu_assign_pointer(sk->sk_rx_dst, dst);
 		inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
 	}
 }
@@ -1165,7 +1165,7 @@ static int tcp_nip_init_sock(struct sock *sk)
 	tp->snd_cwnd_clamp = ~0;
 	tp->mss_cache = TCP_MSS_DEFAULT;
 
-	tp->reordering = sock_net(sk)->ipv4.sysctl_tcp_reordering;
+	tp->reordering = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reordering);
 	tp->tsoffset = 0;
 	sk->sk_state = TCP_CLOSE;
 	sk->sk_write_space = sk_stream_write_space;
@@ -1624,14 +1624,16 @@ static int tcp_nip_do_rcv(struct sock *sk, struct sk_buff *skb)
 	nip_dbg("received newip tcp skb, sk_state=%d", sk->sk_state);
 
 	if (sk->sk_state == TCP_ESTABLISHED) {
-		struct dst_entry *dst = sk->sk_rx_dst;
+		struct dst_entry *dst;
 
+		dst = rcu_dereference_protected(sk->sk_rx_dst,
+						lockdep_sock_is_held(sk));
 		if (dst) {
 			/* Triggered when processing newly received skb after deleting routes */
 			if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif ||
 			    !dst->ops->check(dst, 0)) {
+				RCU_INIT_POINTER(sk->sk_rx_dst, NULL);
 				dst_release(dst);
-				sk->sk_rx_dst = NULL;
 			}
 		}
 		tcp_nip_rcv_established(sk, skb, tcp_hdr(skb), skb->len);
@@ -1846,7 +1848,7 @@ static void tcp_nip_early_demux(struct sk_buff *skb)
 		skb->sk = sk;
 		skb->destructor = sock_edemux;
 		if (sk_fullsock(sk)) {
-			struct dst_entry *dst = READ_ONCE(sk->sk_rx_dst);
+			struct dst_entry *dst = rcu_dereference(sk->sk_rx_dst);
 
 			if (dst)
 				dst = dst_check(dst, 0);
@@ -1961,8 +1963,7 @@ int tcp_nip_disconnect(struct sock *sk, int flags)
 	sk->sk_send_head = NULL;
 	memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
 	__sk_dst_reset(sk);
-	dst_release(sk->sk_rx_dst);
-	sk->sk_rx_dst = NULL;
+	dst_release(xchg((__force struct dst_entry **)&sk->sk_rx_dst, NULL));
 	tp->segs_in = 0;
 	tp->segs_out = 0;
 	tp->bytes_acked = 0;
diff --git a/newip/third_party/linux-5.10/net/newip/tcp_nip_input.c b/newip/third_party/linux-5.10/net/newip/tcp_nip_input.c
index 3dad3bc..23a282c 100644
--- a/newip/third_party/linux-5.10/net/newip/tcp_nip_input.c
+++ b/newip/third_party/linux-5.10/net/newip/tcp_nip_input.c
@@ -607,7 +607,7 @@ static void tcp_nip_new_space(struct sock *sk)
 	sk->sk_write_space(sk);
 }
 
-static void tcp_nip_check_space(struct sock *sk)
+void tcp_nip_check_space(struct sock *sk)
 {
 	/* Invoke memory barrier (annotated prior to checkpatch requirements) */
 	smp_mb();
@@ -1596,7 +1596,7 @@ void tcp_nip_rcv_established(struct sock *sk, struct sk_buff *skb,
 	struct tcp_sock *tp = tcp_sk(sk);
 
 	tcp_mstamp_refresh(tp);
-	if (unlikely(!sk->sk_rx_dst))
+	if (unlikely(!rcu_access_pointer(sk->sk_rx_dst)))
 		inet_csk(sk)->icsk_af_ops->sk_rx_dst_set(sk, skb);
 
 	if (!tcp_nip_validate_incoming(sk, skb, th, 1))
@@ -1643,7 +1643,7 @@ static void tcp_nip_fixup_rcvbuf(struct sock *sk)
 #define TCP_NIP_SND_BUF_SIZE 30720
 void tcp_nip_init_buffer_space(struct sock *sk)
 {
-	int tcp_app_win = sock_net(sk)->ipv4.sysctl_tcp_app_win;
+	int tcp_app_win = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_app_win);
 	struct tcp_sock *tp = tcp_sk(sk);
 	int maxwin;
 
diff --git a/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c b/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c
index c3389cc..dcc46a7 100644
--- a/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c
+++ b/newip/third_party/linux-5.10/net/newip/tcp_nip_output.c
@@ -133,11 +133,13 @@ static void tcp_nip_event_new_data_sent(struct sock *sk, struct sk_buff *skb)
 	unsigned int prior_packets = tp->packets_out;
 
 	tcp_advance_send_head(sk, skb);
-	tp->snd_nxt = TCP_SKB_CB(skb)->end_seq;
+	WRITE_ONCE(tp->snd_nxt, TCP_SKB_CB(skb)->end_seq);
 	tp->packets_out += tcp_skb_pcount(skb);
 	if (!prior_packets || icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS ||
 	    icsk->icsk_pending == ICSK_TIME_LOSS_PROBE)
 		tcp_nip_rearm_rto(sk);
+
+	tcp_nip_check_space(sk);
 }
 
 /* check probe0 timer */
@@ -1347,7 +1349,7 @@ void tcp_nip_send_probe0(struct sock *sk)
 	/* Err: 0 succeeded, -1 failed */
 	icsk->icsk_probes_out++; /* Number of probes +1 */
 	if (err <= 0) {
-		if (icsk->icsk_backoff < net->ipv4.sysctl_tcp_retries2)
+		if (icsk->icsk_backoff < READ_ONCE(net->ipv4.sysctl_tcp_retries2))
 			icsk->icsk_backoff++;
 		when = tcp_probe0_when(sk, TCP_RTO_MAX);
 		nip_dbg("probe0 %s, probes_out=%u, probe0_base=%lu, icsk_backoff=%u, when=%lu",
diff --git a/newip/third_party/linux-5.10/net/newip/tcp_nip_timer.c b/newip/third_party/linux-5.10/net/newip/tcp_nip_timer.c
index 6be0ecf..532380f 100644
--- a/newip/third_party/linux-5.10/net/newip/tcp_nip_timer.c
+++ b/newip/third_party/linux-5.10/net/newip/tcp_nip_timer.c
@@ -126,7 +126,7 @@ static int tcp_nip_write_timeout(struct sock *sk)
 		retry_until = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;
 		syn_set = true;
 	} else {
-		retry_until = net->ipv4.sysctl_tcp_retries2;
+		retry_until = READ_ONCE(net->ipv4.sysctl_tcp_retries2);
 		if (sock_flag(sk, SOCK_DEAD)) {
 			const bool alive = icsk->icsk_rto < TCP_RTO_MAX;
 
@@ -178,7 +178,7 @@ void tcp_nip_retransmit_timer(struct sock *sk)
 		return;
 	}
 
-	if (icsk->icsk_backoff < net->ipv4.sysctl_tcp_retries2)
+	if (icsk->icsk_backoff < READ_ONCE(net->ipv4.sysctl_tcp_retries2))
 		icsk->icsk_backoff++;
 	icsk->icsk_retransmits++;
 
-- 
Gitee