[SRU focal/linux-oem-5.6] vsock: fix the race conditions in multi-transport support


[SRU focal/linux-oem-5.6] vsock: fix the race conditions in multi-transport support

Thadeu Lima de Souza Cascardo-3
From: Alexander Popov <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1914668

There are multiple similar bugs implicitly introduced by the
commit c0cfa2d8a788fcf4 ("vsock: add multi-transports support") and
commit 6a2c0962105ae8ce ("vsock: prevent transport modules unloading").

The bug pattern:
 [1] vsock_sock.transport pointer is copied to a local variable,
 [2] lock_sock() is called,
 [3] the local variable is used.
VSOCK multi-transport support introduced the race condition:
vsock_sock.transport value may change between [1] and [2].

Let's copy vsock_sock.transport pointer to local variables after
the lock_sock() call.

Fixes: c0cfa2d8a788fcf4 ("vsock: add multi-transports support")
Signed-off-by: Alexander Popov <[hidden email]>
Reviewed-by: Stefano Garzarella <[hidden email]>
Reviewed-by: Jorgen Hansen <[hidden email]>
Link: https://lore.kernel.org/r/20210201084719.2257066-1-alex.popov@...
Signed-off-by: Jakub Kicinski <[hidden email]>
(cherry picked from commit c518adafa39f37858697ac9309c6cf1805581446)
Signed-off-by: Thadeu Lima de Souza Cascardo <[hidden email]>
---
 net/vmw_vsock/af_vsock.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 626bf9044418..e8b1ab37d1c0 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -997,9 +997,12 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
  mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
 
  } else if (sock->type == SOCK_STREAM) {
- const struct vsock_transport *transport = vsk->transport;
+ const struct vsock_transport *transport;
+
  lock_sock(sk);
 
+ transport = vsk->transport;
+
  /* Listening sockets that have connections in their accept
  * queue can be read.
  */
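Review bot: The read `transport = vsk->transport;` that now follows `lock_sock(sk)` has no comment saying why it must stay there, so a later tidy-up could fold it back into the declaration and reintroduce the unlocked read the commit message describes. I would add `/* vsk->transport may change until the socket lock is held; read it only after lock_sock(). */` above the assignment here, and the same line in the vsock_dgram_sendmsg, vsock_stream_setsockopt, vsock_stream_sendmsg and vsock_stream_recvmsg hunks. A stronger guard would be a small accessor that calls `sock_owned_by_me()` before returning the pointer, so lockdep-enabled builds flag any remaining caller that reads it unlocked. The body of vsock_poll starts and ends outside this hunk, so later uses of `transport` are not visible here.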
@@ -1082,10 +1085,11 @@ static int vsock_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
  err = 0;
  sk = sock->sk;
  vsk = vsock_sk(sk);
- transport = vsk->transport;
 
  lock_sock(sk);
 
+ transport = vsk->transport;
+
  err = vsock_auto_bind(vsk);
  if (err)
  goto out;
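Review bot: Nothing visible in this hunk checks `transport` for NULL after the locked read, while the vsock_stream_recvmsg hunk tests `!transport` immediately after the same assignment. The places where vsock_dgram_sendmsg dereferences the pointer lie outside the hunk, so whether it can be NULL on this path cannot be confirmed from here. If a datagram socket is guaranteed to have a transport by this point, a short comment stating that invariant next to the assignment would record it. Otherwise a guard that sets `err` and jumps to `out` before the first use is needed.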
@@ -1546,10 +1550,11 @@ static int vsock_stream_setsockopt(struct socket *sock,
  err = 0;
  sk = sock->sk;
  vsk = vsock_sk(sk);
- transport = vsk->transport;
 
  lock_sock(sk);
 
+ transport = vsk->transport;
+
  switch (optname) {
  case SO_VM_SOCKETS_BUFFER_SIZE:
  COPY_IN(val);
@@ -1682,7 +1687,6 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
 
  sk = sock->sk;
  vsk = vsock_sk(sk);
- transport = vsk->transport;
  total_written = 0;
  err = 0;
 
@@ -1691,6 +1695,8 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
 
  lock_sock(sk);
 
+ transport = vsk->transport;
+
  /* Callers should not provide a destination with stream sockets. */
  if (msg->msg_namelen) {
  err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
@@ -1825,11 +1831,12 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 
  sk = sock->sk;
  vsk = vsock_sk(sk);
- transport = vsk->transport;
  err = 0;
 
  lock_sock(sk);
 
+ transport = vsk->transport;
+
  if (!transport || sk->sk_state != TCP_ESTABLISHED) {
  /* Recvmsg is supposed to return 0 if a peer performs an
  * orderly shutdown. Differentiate between that case and when a
--
2.27.0



ACK: [SRU focal/linux-oem-5.6] vsock: fix the race conditions in multi-transport support

William Breathitt Gray
On Fri, Feb 05, 2021 at 07:44:09AM -0300, Thadeu Lima de Souza Cascardo wrote:

> From: Alexander Popov <[hidden email]>
>
> BugLink: https://bugs.launchpad.net/bugs/1914668
>
> There are multiple similar bugs implicitly introduced by the
> commit c0cfa2d8a788fcf4 ("vsock: add multi-transports support") and
> commit 6a2c0962105ae8ce ("vsock: prevent transport modules unloading").
>
> The bug pattern:
>  [1] vsock_sock.transport pointer is copied to a local variable,
>  [2] lock_sock() is called,
>  [3] the local variable is used.
> VSOCK multi-transport support introduced the race condition:
> vsock_sock.transport value may change between [1] and [2].
>
> Let's copy vsock_sock.transport pointer to local variables after
> the lock_sock() call.
>
> Fixes: c0cfa2d8a788fcf4 ("vsock: add multi-transports support")
> Signed-off-by: Alexander Popov <[hidden email]>
> Reviewed-by: Stefano Garzarella <[hidden email]>
> Reviewed-by: Jorgen Hansen <[hidden email]>
> Link: https://lore.kernel.org/r/20210201084719.2257066-1-alex.popov@...
> Signed-off-by: Jakub Kicinski <[hidden email]>
> (cherry picked from commit c518adafa39f37858697ac9309c6cf1805581446)
> Signed-off-by: Thadeu Lima de Souza Cascardo <[hidden email]>
Acked-by: William Breathitt Gray <[hidden email]>

> ---
>  net/vmw_vsock/af_vsock.c | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
> index 626bf9044418..e8b1ab37d1c0 100644
> --- a/net/vmw_vsock/af_vsock.c
> +++ b/net/vmw_vsock/af_vsock.c
> @@ -997,9 +997,12 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
>   mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
>  
>   } else if (sock->type == SOCK_STREAM) {
> - const struct vsock_transport *transport = vsk->transport;
> + const struct vsock_transport *transport;
> +
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   /* Listening sockets that have connections in their accept
>   * queue can be read.
>   */
> @@ -1082,10 +1085,11 @@ static int vsock_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
>   err = 0;
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   err = vsock_auto_bind(vsk);
>   if (err)
>   goto out;
> @@ -1546,10 +1550,11 @@ static int vsock_stream_setsockopt(struct socket *sock,
>   err = 0;
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   switch (optname) {
>   case SO_VM_SOCKETS_BUFFER_SIZE:
>   COPY_IN(val);
> @@ -1682,7 +1687,6 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
>  
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>   total_written = 0;
>   err = 0;
>  
> @@ -1691,6 +1695,8 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   /* Callers should not provide a destination with stream sockets. */
>   if (msg->msg_namelen) {
>   err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
> @@ -1825,11 +1831,12 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
>  
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>   err = 0;
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   if (!transport || sk->sk_state != TCP_ESTABLISHED) {
>   /* Recvmsg is supposed to return 0 if a peer performs an
>   * orderly shutdown. Differentiate between that case and when a
> --
> 2.27.0
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team


ACK: [SRU focal/linux-oem-5.6] vsock: fix the race conditions in multi-transport support

Stefan Bader-2
In reply to this post by Thadeu Lima de Souza Cascardo-3
On 05.02.21 11:44, Thadeu Lima de Souza Cascardo wrote:

> From: Alexander Popov <[hidden email]>
>
> BugLink: https://bugs.launchpad.net/bugs/1914668
>
> There are multiple similar bugs implicitly introduced by the
> commit c0cfa2d8a788fcf4 ("vsock: add multi-transports support") and
> commit 6a2c0962105ae8ce ("vsock: prevent transport modules unloading").
>
> The bug pattern:
>  [1] vsock_sock.transport pointer is copied to a local variable,
>  [2] lock_sock() is called,
>  [3] the local variable is used.
> VSOCK multi-transport support introduced the race condition:
> vsock_sock.transport value may change between [1] and [2].
>
> Let's copy vsock_sock.transport pointer to local variables after
> the lock_sock() call.
>
> Fixes: c0cfa2d8a788fcf4 ("vsock: add multi-transports support")
> Signed-off-by: Alexander Popov <[hidden email]>
> Reviewed-by: Stefano Garzarella <[hidden email]>
> Reviewed-by: Jorgen Hansen <[hidden email]>
> Link: https://lore.kernel.org/r/20210201084719.2257066-1-alex.popov@...
> Signed-off-by: Jakub Kicinski <[hidden email]>
> (cherry picked from commit c518adafa39f37858697ac9309c6cf1805581446)
> Signed-off-by: Thadeu Lima de Souza Cascardo <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>

> ---
>  net/vmw_vsock/af_vsock.c | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
> index 626bf9044418..e8b1ab37d1c0 100644
> --- a/net/vmw_vsock/af_vsock.c
> +++ b/net/vmw_vsock/af_vsock.c
> @@ -997,9 +997,12 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
>   mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
>  
>   } else if (sock->type == SOCK_STREAM) {
> - const struct vsock_transport *transport = vsk->transport;
> + const struct vsock_transport *transport;
> +
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   /* Listening sockets that have connections in their accept
>   * queue can be read.
>   */
> @@ -1082,10 +1085,11 @@ static int vsock_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
>   err = 0;
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   err = vsock_auto_bind(vsk);
>   if (err)
>   goto out;
> @@ -1546,10 +1550,11 @@ static int vsock_stream_setsockopt(struct socket *sock,
>   err = 0;
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   switch (optname) {
>   case SO_VM_SOCKETS_BUFFER_SIZE:
>   COPY_IN(val);
> @@ -1682,7 +1687,6 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
>  
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>   total_written = 0;
>   err = 0;
>  
> @@ -1691,6 +1695,8 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   /* Callers should not provide a destination with stream sockets. */
>   if (msg->msg_namelen) {
>   err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
> @@ -1825,11 +1831,12 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
>  
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>   err = 0;
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   if (!transport || sk->sk_state != TCP_ESTABLISHED) {
>   /* Recvmsg is supposed to return 0 if a peer performs an
>   * orderly shutdown. Differentiate between that case and when a
>



APPLIED: [SRU focal/linux-oem-5.6] vsock: fix the race conditions in multi-transport support

Stefan Bader-2
In reply to this post by Thadeu Lima de Souza Cascardo-3
On 05.02.21 11:44, Thadeu Lima de Souza Cascardo wrote:

> From: Alexander Popov <[hidden email]>
>
> BugLink: https://bugs.launchpad.net/bugs/1914668
>
> There are multiple similar bugs implicitly introduced by the
> commit c0cfa2d8a788fcf4 ("vsock: add multi-transports support") and
> commit 6a2c0962105ae8ce ("vsock: prevent transport modules unloading").
>
> The bug pattern:
>  [1] vsock_sock.transport pointer is copied to a local variable,
>  [2] lock_sock() is called,
>  [3] the local variable is used.
> VSOCK multi-transport support introduced the race condition:
> vsock_sock.transport value may change between [1] and [2].
>
> Let's copy vsock_sock.transport pointer to local variables after
> the lock_sock() call.
>
> Fixes: c0cfa2d8a788fcf4 ("vsock: add multi-transports support")
> Signed-off-by: Alexander Popov <[hidden email]>
> Reviewed-by: Stefano Garzarella <[hidden email]>
> Reviewed-by: Jorgen Hansen <[hidden email]>
> Link: https://lore.kernel.org/r/20210201084719.2257066-1-alex.popov@...
> Signed-off-by: Jakub Kicinski <[hidden email]>
> (cherry picked from commit c518adafa39f37858697ac9309c6cf1805581446)
> Signed-off-by: Thadeu Lima de Souza Cascardo <[hidden email]>
> ---
Applied to focal/linux-oem-5.6-next. In fact, this not only seems to be applied
already but also released in Ubuntu-oem-5.6-5.6.0-1047.51.

linux-oem-5.6                    | 5.6.0-1047.51 | focal-updates

-Stefan

>  net/vmw_vsock/af_vsock.c | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
> index 626bf9044418..e8b1ab37d1c0 100644
> --- a/net/vmw_vsock/af_vsock.c
> +++ b/net/vmw_vsock/af_vsock.c
> @@ -997,9 +997,12 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
>   mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
>  
>   } else if (sock->type == SOCK_STREAM) {
> - const struct vsock_transport *transport = vsk->transport;
> + const struct vsock_transport *transport;
> +
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   /* Listening sockets that have connections in their accept
>   * queue can be read.
>   */
> @@ -1082,10 +1085,11 @@ static int vsock_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
>   err = 0;
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   err = vsock_auto_bind(vsk);
>   if (err)
>   goto out;
> @@ -1546,10 +1550,11 @@ static int vsock_stream_setsockopt(struct socket *sock,
>   err = 0;
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   switch (optname) {
>   case SO_VM_SOCKETS_BUFFER_SIZE:
>   COPY_IN(val);
> @@ -1682,7 +1687,6 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
>  
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>   total_written = 0;
>   err = 0;
>  
> @@ -1691,6 +1695,8 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   /* Callers should not provide a destination with stream sockets. */
>   if (msg->msg_namelen) {
>   err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
> @@ -1825,11 +1831,12 @@ vsock_stream_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
>  
>   sk = sock->sk;
>   vsk = vsock_sk(sk);
> - transport = vsk->transport;
>   err = 0;
>  
>   lock_sock(sk);
>  
> + transport = vsk->transport;
> +
>   if (!transport || sk->sk_state != TCP_ESTABLISHED) {
>   /* Recvmsg is supposed to return 0 if a peer performs an
>   * orderly shutdown. Differentiate between that case and when a
>

