inet: add READ_ONCE(sk->sk_bound_dev_if) in inet_csk_bind_conflict()

[ Upstream commit d2c135619cb89d1d5693df81ab408c5e8e97e898 ]

inet_csk_bind_conflict() can access sk->sk_bound_dev_if for
unlocked sockets.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index a53f9bf..8039097 100644 (file)
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -155,10 +155,14 @@ static int inet_csk_bind_conflict(const struct sock *sk,
         */
 
        sk_for_each_bound(sk2, &tb->owners) {
-               if (sk != sk2 &&
-                   (!sk->sk_bound_dev_if ||
-                    !sk2->sk_bound_dev_if ||
-                    sk->sk_bound_dev_if == sk2->sk_bound_dev_if)) {
+               int bound_dev_if2;
+
+               if (sk == sk2)
+                       continue;
+               bound_dev_if2 = READ_ONCE(sk2->sk_bound_dev_if);
+               if ((!sk->sk_bound_dev_if ||
+                    !bound_dev_if2 ||
+                    sk->sk_bound_dev_if == bound_dev_if2)) {
                        if (reuse && sk2->sk_reuse &&
                            sk2->sk_state != TCP_LISTEN) {
                                if ((!relax ||