Message ID | 20220513175959.3179701-1-meenashanmugam@google.com |
---|---|
State | Superseded |
Series | SUNRPC: Don't call connect() more than once on a TCP socket |
On Fri, May 13, 2022 at 05:59:59PM +0000, Meena Shanmugam wrote:
> From: Trond Myklebust <trond.myklebust@hammerspace.com>
>
> commit 89f42494f92f448747bd8a7ab1ae8b5d5520577d upstream.
>
> Avoid socket state races due to repeated calls to ->connect() using the
> same socket. If connect() returns 0 due to the connection having
> completed, but we are in fact in a closing state, then we may leave the
> XPRT_CONNECTING flag set on the transport.
>
> Reported-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
> Fixes: 3be232f11a3c ("SUNRPC: Prevent immediate close+reconnect")
> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
> [meenashanmugam: Backported to 5.10: Fixed merge conflict in xs_tcp_setup_socket]
> Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
> --- > include/linux/sunrpc/xprtsock.h | 1 + > net/sunrpc/xprtsock.c | 21 +++++++++++---------- > 2 files changed, 12 insertions(+), 10 deletions(-) > > diff --git a/include/linux/sunrpc/xprtsock.h b/include/linux/sunrpc/xprtsock.h > index 8c2a712cb242..689062afdd61 100644 > --- a/include/linux/sunrpc/xprtsock.h > +++ b/include/linux/sunrpc/xprtsock.h > @@ -89,5 +89,6 @@ struct sock_xprt { > #define XPRT_SOCK_WAKE_WRITE (5) > #define XPRT_SOCK_WAKE_PENDING (6) > #define XPRT_SOCK_WAKE_DISCONNECT (7) > +#define XPRT_SOCK_CONNECT_SENT (8) > > #endif /* _LINUX_SUNRPC_XPRTSOCK_H */ > diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c > index 60c58eb9a456..33a81f9703b1 100644 > --- a/net/sunrpc/xprtsock.c > +++ b/net/sunrpc/xprtsock.c
> @@ -2260,10 +2260,14 @@ static void xs_tcp_setup_socket(struct work_struct *work) > struct rpc_xprt *xprt = &transport->xprt; > int status = -EIO; > > - if (!sock) { > - sock = xs_create_sock(xprt, transport, > - xs_addr(xprt)->sa_family, SOCK_STREAM, > - IPPROTO_TCP, true); > + if (xprt_connected(xprt)) > + goto out; > + if (test_and_clear_bit(XPRT_SOCK_CONNECT_SENT, > + &transport->sock_state) || > + !sock) { > + xs_reset_transport(transport); > + sock = xs_create_sock(xprt, transport, xs_addr(xprt)->sa_family, > + SOCK_STREAM, IPPROTO_TCP, true); > if (IS_ERR(sock)) { > status = PTR_ERR(sock); > goto out; > @@ -2294,6 +2298,7 @@ static void xs_tcp_setup_socket(struct work_struct *work) > break; > case 0: > case -EINPROGRESS: > + set_bit(XPRT_SOCK_CONNECT_SENT, &transport->sock_state); > case -EALREADY: > xprt_unlock_connect(xprt, transport); > return; > @@ -2345,13 +2350,9 @@ static void xs_connect(struct rpc_xprt *xprt, struct rpc_task *task) > > WARN_ON_ONCE(!xprt_lock_connect(xprt, task, transport)); > > - if (transport->sock != NULL && !xprt_connecting(xprt)) { > + if (transport->sock != NULL) { > dprintk("RPC: xs_connect delayed xprt %p for %lu " > - "seconds\n", > - xprt, xprt->reestablish_timeout / HZ); > - > - /* Start by resetting any existing state */ > - xs_reset_transport(transport); > + "seconds\n", xprt, xprt->reestablish_timeout / HZ); > > delay = xprt_reconnect_delay(xprt); > xprt_reconnect_backoff(xprt, XS_TCP_INIT_REEST_TO); > -- > 2.36.0.512.ge40c2bad7a-goog >

This should be a patch series, not just this one commit, right? What
are _ALL_ of the commits you want to see applied for 5.10.y?

thanks,

greg k-h

On Sat, May 14, 2022 at 05:34:49AM +0000, Meena Shanmugam wrote:
> The commit f00432063db1a0db484e85193eccc6845435b80e upstream (SUNRPC:
> Ensure we flush any closed sockets before xs_xprt_free()) fixes
> CVE-2022-28893, hence good candidate for stable trees.
> The above commit depends on 3be232f(SUNRPC: Prevent immediate
> close+reconnect) and 89f4249(SUNRPC: Don't call connect() more than
> once on a TCP socket). Commit 3be232f depends on commit
> e26d9972720e(SUNRPC: Clean up scheduling of autoclose).
>
> Commits e26d9972720e, 3be232f, f00432063db1 apply cleanly on 5.10
> kernel. commit 89f4249 didn't apply cleanly. This patch series includes
> all the commits required for back porting f00432063db1.
>

Hi Meena,

I can't speak about the code (as I'm not subject-expert here), but I
would like to give you suggestions:

- When sending backported patch series, always prefix the subject with
  "[PATCH x.y]", where x.y is the stable version the backport is made
  against.
- Abbreviated commit hash should be at least 12 (or my favorite, 14)
  characters long.
- Commit identifier should be in format "%h (\"%s\")".
- As always, DON'T DO top-posting, DO interleaved reply and reply below
  the quoted original message.

Trond and Dexter, any comments or ACKs?

Thanks.

On Sat, May 14, 2022 at 03:47:38PM +0700, Bagas Sanjaya wrote:
> On Sat, May 14, 2022 at 05:34:49AM +0000, Meena Shanmugam wrote:
> > The commit f00432063db1a0db484e85193eccc6845435b80e upstream (SUNRPC:
> > Ensure we flush any closed sockets before xs_xprt_free()) fixes
> > CVE-2022-28893, hence good candidate for stable trees.
> > The above commit depends on 3be232f(SUNRPC: Prevent immediate
> > close+reconnect) and 89f4249(SUNRPC: Don't call connect() more than
> > once on a TCP socket). Commit 3be232f depends on commit
> > e26d9972720e(SUNRPC: Clean up scheduling of autoclose).
> >
> > Commits e26d9972720e, 3be232f, f00432063db1 apply cleanly on 5.10
> > kernel. commit 89f4249 didn't apply cleanly. This patch series includes
> > all the commits required for back porting f00432063db1.
> >
>
> Hi Meena,
>
> I can't speak about the code (as I'm not subject-expert here), but I
> would like to give you suggestions:
>
> - When sending backported patch series, always prefix the subject with
>   "[PATCH x.y]", where x.y is the stable version the backport is made
>   against.
> - Abbreviated commit hash should be at least 12 (or my favorite, 14) characters long.
> - Commit identifier should be in format "%h (\"%s\")".
> - As always, DON'T DO top-posting, DO interleaved reply and reply
>   below the quoted original message.

Yes, that would have been better, but I figured it out from this series,
it wasn't that hard.

Now all queued up, thanks!

greg k-h

diff --git a/include/linux/sunrpc/xprtsock.h b/include/linux/sunrpc/xprtsock.h index 8c2a712cb242..689062afdd61 100644 --- a/include/linux/sunrpc/xprtsock.h +++ b/include/linux/sunrpc/xprtsock.h @@ -89,5 +89,6 @@ struct sock_xprt { #define XPRT_SOCK_WAKE_WRITE (5) #define XPRT_SOCK_WAKE_PENDING (6) #define XPRT_SOCK_WAKE_DISCONNECT (7) +#define XPRT_SOCK_CONNECT_SENT (8) #endif /* _LINUX_SUNRPC_XPRTSOCK_H */ diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 60c58eb9a456..33a81f9703b1 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -2260,10 +2260,14 @@ static void xs_tcp_setup_socket(struct work_struct *work) struct rpc_xprt *xprt = &transport->xprt; int status = -EIO; - if (!sock) { - sock = xs_create_sock(xprt, transport, - xs_addr(xprt)->sa_family, SOCK_STREAM, - IPPROTO_TCP, true); + if (xprt_connected(xprt)) + goto out; + if (test_and_clear_bit(XPRT_SOCK_CONNECT_SENT, + &transport->sock_state) || + !sock) { + xs_reset_transport(transport); + sock = xs_create_sock(xprt, transport, xs_addr(xprt)->sa_family, + SOCK_STREAM, IPPROTO_TCP, true); if (IS_ERR(sock)) { status = PTR_ERR(sock); goto out; @@ -2294,6 +2298,7 @@ static void xs_tcp_setup_socket(struct work_struct *work) break; case 0: case -EINPROGRESS: + set_bit(XPRT_SOCK_CONNECT_SENT, &transport->sock_state); case -EALREADY: xprt_unlock_connect(xprt, transport); return; @@ -2345,13 +2350,9 @@ static void xs_connect(struct rpc_xprt *xprt, struct rpc_task *task) WARN_ON_ONCE(!xprt_lock_connect(xprt, task, transport)); - if (transport->sock != NULL && !xprt_connecting(xprt)) { + if (transport->sock != NULL) { dprintk("RPC: xs_connect delayed xprt %p for %lu " - "seconds\n", - xprt, xprt->reestablish_timeout / HZ); - - /* Start by resetting any existing state */ - xs_reset_transport(transport); + "seconds\n", xprt, xprt->reestablish_timeout / HZ); delay = xprt_reconnect_delay(xprt); xprt_reconnect_backoff(xprt, XS_TCP_INIT_REEST_TO);
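Review bot: In the first xs_tcp_setup_socket() hunk (@@ -2260), the new early exit "if (xprt_connected(xprt)) goto out;" leaves with status still at its initializer, -EIO, from the context line just above. The out label is outside the hunk, so please confirm that whatever it does with status is correct for a transport that is already connected, or set status to 0 before the goto. The same hunk now calls xs_reset_transport() on the "!sock" path as well, so it also has to be safe when there is no socket to tear down.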
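Review bot: In the switch hunk (@@ -2294), the added set_bit(XPRT_SOCK_CONNECT_SENT, ...) under "case 0: case -EINPROGRESS:" now runs a statement and then drops into "case -EALREADY:" with no annotation. Before this change the labels were simply stacked, so nothing needed marking. Add "fallthrough;" after the set_bit() line so the intent is explicit and implicit-fallthrough warnings stay quiet.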
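Review bot: In the xs_connect() hunk (@@ -2345), removing xs_reset_transport() together with its "Start by resetting any existing state" comment leaves the only reset in this patch inside xs_tcp_setup_socket(), and there it is gated on XPRT_SOCK_CONNECT_SENT or a NULL sock. xs_connect() takes a generic rpc_xprt, so if any non-TCP setup worker is scheduled from here, it now needs to do its own reset. The commit message also does not explain why the "!xprt_connecting(xprt)" test is dropped from the delay condition; a sentence on both points in the backport note would help whoever reviews the 5.10 merge-conflict resolution.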