[Devel] [PATCH RHEL7 COMMIT] ms/vsock: fix the race conditions in multi-transport support

Vasily Averin vvs at virtuozzo.com
Thu Apr 22 03:41:33 MSK 2021


The commit is pushed to "branch-rh7-3.10.0-1160.21.1.vz7.174.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.21.1.vz7.174.11
------>
commit fe8c2a71097f70991772a5665c607036f0d772ed
Author: Alexander Popov <alex.popov at linux.com>
Date:   Thu Apr 22 03:41:33 2021 +0300

    ms/vsock: fix the race conditions in multi-transport support
    
    There are multiple similar bugs implicitly introduced by the
    commit c0cfa2d8a788fcf4 ("vsock: add multi-transports support") and
    commit 6a2c0962105ae8ce ("vsock: prevent transport modules unloading").
    
    The bug pattern:
     [1] vsock_sock.transport pointer is copied to a local variable,
     [2] lock_sock() is called,
     [3] the local variable is used.
    VSOCK multi-transport support introduced the race condition:
    vsock_sock.transport value may change between [1] and [2].
    
    Let's copy vsock_sock.transport pointer to local variables after
    the lock_sock() call.
    
    Fixes: c0cfa2d8a788fcf4 ("vsock: add multi-transports support")
    Signed-off-by: Alexander Popov <alex.popov at linux.com>
    Reviewed-by: Stefano Garzarella <sgarzare at redhat.com>
    Reviewed-by: Jorgen Hansen <jhansen at vmware.com>
    Link: https://lore.kernel.org/r/20210201084719.2257066-1-alex.popov@linux.com
    Signed-off-by: Jakub Kicinski <kuba at kernel.org>
    
    https://jira.sw.ru/browse/PSBM-128702
    (cherry picked from commit c518adafa39f37858697ac9309c6cf1805581446)
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 net/vmw_vsock/af_vsock.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 90f9f4eb..ff1b2cdef 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -988,9 +988,12 @@ static unsigned int vsock_poll(struct file *file, struct socket *sock,
 			mask |= POLLOUT | POLLWRNORM | POLLWRBAND;
 
 	} else if (sock->type == SOCK_STREAM) {
-		const struct vsock_transport *transport = vsk->transport;
+		const struct vsock_transport *transport;
+
 		lock_sock(sk);
 
+		transport = vsk->transport;
+
 		/* Listening sockets that have connections in their accept
 		 * queue can be read.
 		 */
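Review bot: Nothing at the new `transport = vsk->transport;` assignment records why it must come after `lock_sock(sk)`, so a later cleanup could fold it back into the declaration and reintroduce the stale-pointer race the commit message describes. A one-line comment above the assignment would pin the invariant, for example `/* vsk->transport may change until the socket lock is held; read it only under lock_sock() */`. The same comment fits the assignments added in vsock_dgram_sendmsg, vsock_stream_setsockopt, vsock_stream_sendmsg and vsock_stream_recvmsg. The SOCK_STREAM branch of vsock_poll continues outside this hunk.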
@@ -1073,10 +1076,11 @@ static int vsock_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
 	err = 0;
 	sk = sock->sk;
 	vsk = vsock_sk(sk);
-	transport = vsk->transport;
 
 	lock_sock(sk);
 
+	transport = vsk->transport;
+
 	err = vsock_auto_bind(vsk);
 	if (err)
 		goto out;
@@ -1520,10 +1524,11 @@ static int vsock_stream_setsockopt(struct socket *sock,
 	err = 0;
 	sk = sock->sk;
 	vsk = vsock_sk(sk);
-	transport = vsk->transport;
 
 	lock_sock(sk);
 
+	transport = vsk->transport;
+
 	switch (optname) {
 	case SO_VM_SOCKETS_BUFFER_SIZE:
 		COPY_IN(val);
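Review bot: No NULL test on `transport` is visible between the new assignment and `switch (optname)`, although vsock_stream_recvmsg in this same patch tests `!transport` directly after its own assignment, which suggests the pointer can be NULL while the lock is held. The option handlers lie outside the hunk, so this is a request to confirm rather than a confirmed defect: every path that dereferences `transport` should be guarded with a `transport &&` test or be unreachable for an unassigned socket. The same check is worth making for the code following the assignments in vsock_stream_sendmsg and in the SOCK_STREAM branch of vsock_poll, whose uses of `transport` are also outside the visible hunks.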
@@ -1657,7 +1662,6 @@ static int vsock_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
 
 	sk = sock->sk;
 	vsk = vsock_sk(sk);
-	transport = vsk->transport;
 	total_written = 0;
 	err = 0;
 
@@ -1666,6 +1670,8 @@ static int vsock_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
 
 	lock_sock(sk);
 
+	transport = vsk->transport;
+
 	/* Callers should not provide a destination with stream sockets. */
 	if (msg->msg_namelen) {
 		err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
@@ -1805,11 +1811,12 @@ vsock_stream_recvmsg(struct kiocb *kiocb,
 
 	sk = sock->sk;
 	vsk = vsock_sk(sk);
-	transport = vsk->transport;
 	err = 0;
 
 	lock_sock(sk);
 
+	transport = vsk->transport;
+
 	if (!transport || sk->sk_state != TCP_ESTABLISHED) {
 		/* Recvmsg is supposed to return 0 if a peer performs an
 		 * orderly shutdown. Differentiate between that case and when a

