udp: fix jump label misuse
author Paolo Abeni <pabeni@redhat.com>
Thu, 15 Nov 2018 01:34:50 +0000 (02:34 +0100)
committer David S. Miller <davem@davemloft.net>
Sat, 17 Nov 2018 07:01:56 +0000 (23:01 -0800)
commit 9c48060141bd937497774546e4bb89b8992be383
tree b62996434ab3d9776fe3b5197c38ca6939452434
parent 37342bdaf5b363cf2e1bd170ce7d1de34ecf57e7
udp: fix jump label misuse

The commit 60fb9567bf30 ("udp: implement complete book-keeping for
encap_needed") introduced a severe misuse of jump label APIs, which
syzbot, as reported by Eric, was able to exploit.

When multiple sockets/processes can concurrently request (and then
disable) the udp encap, we need to track the activation counter with
*_inc()/*_dec() jump label variants, or we can experience bad things
at disable time.

Fixes: 60fb9567bf30 ("udp: implement complete book-keeping for encap_needed")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/udp.c
net/ipv6/udp.c
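
The disable-time problem the commit message describes, modelled in userspace C as an added example (not code from this commit or from the kernel). The `model_key` struct, its helpers and the two-socket scenario are hypothetical stand-ins for a jump label key shared by several UDP encap sockets.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model (hypothetical, not kernel code): the guarded branch
 * is taken while the key's user count is above zero. */
struct model_key { int users; };

static bool key_on(const struct model_key *k) { return k->users > 0; }

/* Boolean-style toggles: they do not record how many users asked. */
static void key_enable(struct model_key *k)  { k->users = 1; }
static void key_disable(struct model_key *k) { k->users = 0; }

/* Counted variants: one reference taken and dropped per user. */
static void key_inc(struct model_key *k) { k->users++; }
static void key_dec(struct model_key *k) { if (k->users > 0) k->users--; }

/* Constructed scenario: a number of sockets request encap, then some
 * of them are destroyed. Returns whether the encap path is still on. */
static bool encap_on_after(int sockets, int closed, bool counted)
{
    struct model_key k = { 0 };

    for (int i = 0; i < sockets; i++) {
        if (counted) key_inc(&k); else key_enable(&k);
    }
    for (int i = 0; i < closed; i++) {
        if (counted) key_dec(&k); else key_disable(&k);
    }
    return key_on(&k);
}

int main(void)
{
    /* Two encap sockets, one closes: the survivor still needs the path. */
    printf("toggle:  encap on = %d\n", encap_on_after(2, 1, false));
    printf("counted: encap on = %d\n", encap_on_after(2, 1, true));
    /* Both closed: the counted key switches off only now. */
    printf("counted, all closed: encap on = %d\n", encap_on_after(2, 2, true));
    return 0;
}
```

With the toggle pair, the first socket to close switches the encap path off for the socket that is still open; with the counted pair the path stays on until the last user drops its reference.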