inet_diag: fix access to tcp cc information

Two different problems are fixed here :

1) inet_sk_diag_fill() might be called without socket lock held.
   icsk->icsk_ca_ops can change under us and module be unloaded.
   -> Access to freed memory.
   Fix this using rcu_read_lock() to prevent module unload.

2) Some TCP Congestion Control modules provide information
   but again this is not safe against icsk->icsk_ca_ops
   change and nla_put() errors were ignored. Some sockets
   could not get the additional info if skb was almost full.

Fix this by returning a status from get_info() handlers and
using rcu protection as well.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/tcp.h b/include/net/tcp.h
index 9598871..051dc5c 100644 (file)
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -829,7 +829,7 @@ struct tcp_congestion_ops {
        /* hook for packet ack accounting (optional) */
        void (*pkts_acked)(struct sock *sk, u32 num_acked, s32 rtt_us);
        /* get info for inet_diag (optional) */
-       void (*get_info)(struct sock *sk, u32 ext, struct sk_buff *skb);
+       int (*get_info)(struct sock *sk, u32 ext, struct sk_buff *skb);
 
        char            name[TCP_CA_NAME_MAX];
        struct module   *owner;

diff --cc net/ipv4/inet_diag.c
Simple merge

diff --cc net/ipv4/tcp_dctcp.c
Simple merge

diff --cc net/ipv4/tcp_illinois.c
Simple merge

diff --cc net/ipv4/tcp_vegas.c
Simple merge

diff --cc net/ipv4/tcp_vegas.h
Simple merge

diff --cc net/ipv4/tcp_westwood.c
Simple merge