On Mon, 8 Jan 2018 15:54:44 +0100 Nicolai Stange <nsta...@suse.de> wrote:
> Commit 8f659a03a0ba ("net: ipv4: fix for a race condition in
> raw_sendmsg") fixed the issue of possibly inconsistent ->hdrincl handling
> due to concurrent updates by reading this bit-field member into a local
> variable and using the thus stabilized value in subsequent tests.
>
> However, aforementioned commit also adds the (correct) comment that
>
>   /* hdrincl should be READ_ONCE(inet->hdrincl)
>    * but READ_ONCE() doesn't work with bit fields
>    */
>
> because as it stands, the compiler is free to shortcut or even eliminate
> the local variable at its will.
>
> Note that I have not seen anything like this happening in reality and thus,
> the concern is a theoretical one.
>
> However, in order to be on the safe side, emulate a READ_ONCE() on the
> bit-field by doing it on the local 'hdrincl' variable itself:
>
>   int hdrincl = inet->hdrincl;
>   hdrincl = READ_ONCE(hdrincl);
>
> This breaks the chain in the sense that the compiler is not allowed
> to replace subsequent reads from hdrincl with reloads from inet->hdrincl.
>
> Fixes: 8f659a03a0ba ("net: ipv4: fix for a race condition in raw_sendmsg")
> Signed-off-by: Nicolai Stange <nsta...@suse.de>

Reviewed-by: Stefano Brivio <sbri...@redhat.com>

--
Stefano
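The following is an added userspace illustration of the two patterns discussed in the thread; it is not kernel code and not part of the patch. struct inet_sock_demo, concurrent_flip(), racy_path() and fixed_path() are constructed stand-ins, and the READ_ONCE() macro here is a plain volatile access that mimics what the kernel macro does for a scalar. racy_path() has the shape the original race fix (8f659a03a0ba) removed, reading the bit-field from the socket at two points with a simulated setsockopt() flip in between; fixed_path() has the shape of this patch, taking one snapshot into a local and pinning it with READ_ONCE() so the compiler may not rewrite later uses as fresh loads from inet->hdrincl.

```c
#include <stddef.h>

/* Userspace stand-in for the kernel's READ_ONCE(): a volatile access, which
 * the compiler may neither merge with another access nor reload later. The
 * real macro lives in <linux/compiler.h>; it cannot take a bit-field because
 * a bit-field has no address, hence the local-variable trick in the patch. */
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))

/* Constructed stand-in for the bit-field members of struct inet_sock. */
struct inet_sock_demo {
    unsigned int hdrincl:1;
    unsigned int other_flag:1;
};

/* Simulated concurrent setsockopt(IP_HDRINCL): flips the bit between the two
 * places where the send path consults it. Called at a fixed point so the
 * interleaving is deterministic and can be asserted on. */
static void concurrent_flip(struct inet_sock_demo *inet)
{
    inet->hdrincl = !inet->hdrincl;
}

/* Pre-8f659a03a0ba shape: hdrincl is read from the socket twice. Returns 1
 * when the two reads disagree, i.e. the function ran on an inconsistent
 * view of the flag. */
static int racy_path(struct inet_sock_demo *inet)
{
    int first = inet->hdrincl;      /* e.g. the length/header check */
    concurrent_flip(inet);          /* the race window */
    int second = inet->hdrincl;     /* e.g. choosing the send path */
    return first != second;
}

/* Patched shape: one snapshot, pinned with READ_ONCE() so later uses of
 * 'hdrincl' stay reads of the local rather than reloads of the bit-field.
 * Returns 0 whatever happens to inet->hdrincl in between. */
static int fixed_path(struct inet_sock_demo *inet)
{
    int hdrincl = inet->hdrincl;
    hdrincl = READ_ONCE(hdrincl);

    int first = hdrincl;
    concurrent_flip(inet);
    int second = hdrincl;
    return first != second;
}
```

The observable difference is the inconsistent view that the earlier fix addressed; the additional READ_ONCE() on the local does not change what this program returns, it only removes the compiler's freedom to turn the two uses of hdrincl back into two loads of inet->hdrincl, which is exactly the theoretical concern the commit message describes.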