
SUNRPC: Don't call connect() more than once on a TCP socket

Message ID 20220513175959.3179701-1-meenashanmugam@google.com
State Superseded

Commit Message

Meena Shanmugam May 13, 2022, 5:59 p.m. UTC
From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit 89f42494f92f448747bd8a7ab1ae8b5d5520577d upstream.

Avoid socket state races due to repeated calls to ->connect() using the
same socket. If connect() returns 0 due to the connection having
completed, but we are in fact in a closing state, then we may leave the
XPRT_CONNECTING flag set on the transport.

Reported-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Fixes: 3be232f11a3c ("SUNRPC: Prevent immediate close+reconnect")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
[meenashanmugam: Backported to 5.10: Fixed merge conflict in xs_tcp_setup_socket]
Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
---
 include/linux/sunrpc/xprtsock.h |  1 +
 net/sunrpc/xprtsock.c           | 21 +++++++++++----------
 2 files changed, 12 insertions(+), 10 deletions(-)

Comments

Greg Kroah-Hartman May 14, 2022, 4:56 a.m. UTC | #1
On Fri, May 13, 2022 at 05:59:59PM +0000, Meena Shanmugam wrote:
> From: Trond Myklebust <trond.myklebust@hammerspace.com>
> 
> commit 89f42494f92f448747bd8a7ab1ae8b5d5520577d upstream.
> 
> Avoid socket state races due to repeated calls to ->connect() using the
> same socket. If connect() returns 0 due to the connection having
> completed, but we are in fact in a closing state, then we may leave the
> XPRT_CONNECTING flag set on the transport.
> 
> Reported-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
> Fixes: 3be232f11a3c ("SUNRPC: Prevent immediate close+reconnect")
> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
> [meenashanmugam: Backported to 5.10: Fixed merge conflict in xs_tcp_setup_socket]
> Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
> ---
>  include/linux/sunrpc/xprtsock.h |  1 +
>  net/sunrpc/xprtsock.c           | 21 +++++++++++----------
>  2 files changed, 12 insertions(+), 10 deletions(-)
> 
> diff --git a/include/linux/sunrpc/xprtsock.h b/include/linux/sunrpc/xprtsock.h
> index 8c2a712cb242..689062afdd61 100644
> --- a/include/linux/sunrpc/xprtsock.h
> +++ b/include/linux/sunrpc/xprtsock.h
> @@ -89,5 +89,6 @@ struct sock_xprt {
>  #define XPRT_SOCK_WAKE_WRITE	(5)
>  #define XPRT_SOCK_WAKE_PENDING	(6)
>  #define XPRT_SOCK_WAKE_DISCONNECT	(7)
> +#define XPRT_SOCK_CONNECT_SENT	(8)
>  
>  #endif /* _LINUX_SUNRPC_XPRTSOCK_H */
> diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
> index 60c58eb9a456..33a81f9703b1 100644
> --- a/net/sunrpc/xprtsock.c
> +++ b/net/sunrpc/xprtsock.c
> @@ -2260,10 +2260,14 @@ static void xs_tcp_setup_socket(struct work_struct *work)
>  	struct rpc_xprt *xprt = &transport->xprt;
>  	int status = -EIO;
>  
> -	if (!sock) {
> -		sock = xs_create_sock(xprt, transport,
> -				xs_addr(xprt)->sa_family, SOCK_STREAM,
> -				IPPROTO_TCP, true);
> +	if (xprt_connected(xprt))
> +		goto out;
> +	if (test_and_clear_bit(XPRT_SOCK_CONNECT_SENT,
> +			       &transport->sock_state) ||
> +	    !sock) {
> +		xs_reset_transport(transport);
> +		sock = xs_create_sock(xprt, transport, xs_addr(xprt)->sa_family,
> +				      SOCK_STREAM, IPPROTO_TCP, true);
>  		if (IS_ERR(sock)) {
>  			status = PTR_ERR(sock);
>  			goto out;
> @@ -2294,6 +2298,7 @@ static void xs_tcp_setup_socket(struct work_struct *work)
>  		break;
>  	case 0:
>  	case -EINPROGRESS:
> +		set_bit(XPRT_SOCK_CONNECT_SENT, &transport->sock_state);
>  	case -EALREADY:
>  		xprt_unlock_connect(xprt, transport);
>  		return;
> @@ -2345,13 +2350,9 @@ static void xs_connect(struct rpc_xprt *xprt, struct rpc_task *task)
>  
>  	WARN_ON_ONCE(!xprt_lock_connect(xprt, task, transport));
>  
> -	if (transport->sock != NULL && !xprt_connecting(xprt)) {
> +	if (transport->sock != NULL) {
>  		dprintk("RPC:       xs_connect delayed xprt %p for %lu "
> -				"seconds\n",
> -				xprt, xprt->reestablish_timeout / HZ);
> -
> -		/* Start by resetting any existing state */
> -		xs_reset_transport(transport);
> +			"seconds\n", xprt, xprt->reestablish_timeout / HZ);
>  
>  		delay = xprt_reconnect_delay(xprt);
>  		xprt_reconnect_backoff(xprt, XS_TCP_INIT_REEST_TO);
> -- 
> 2.36.0.512.ge40c2bad7a-goog
> 

This should be a patch series, not just this one commit, right?

What are _ALL_ of the commits you want to see applied for 5.10.y?

thanks,

greg k-h
Bagas Sanjaya May 14, 2022, 8:47 a.m. UTC | #2
On Sat, May 14, 2022 at 05:34:49AM +0000, Meena Shanmugam wrote:
> The commit f00432063db1a0db484e85193eccc6845435b80e upstream (SUNRPC:
> Ensure we flush any closed sockets before xs_xprt_free()) fixes
> CVE-2022-28893, hence good candidate for stable trees.
> The above commit depends on 3be232f(SUNRPC: Prevent immediate
> close+reconnect)  and  89f4249(SUNRPC: Don't call connect() more than
> once on a TCP socket). Commit 3be232f depends on commit
> e26d9972720e(SUNRPC: Clean up scheduling of autoclose).
> 
> Commits e26d9972720e, 3be232f, f00432063db1 apply cleanly on 5.10
> kernel. commit 89f4249 didn't apply cleanly. This patch series includes
> all the commits required for back porting f00432063db1.
> 

Hi Meena,

I can't speak to the code (as I'm not a subject-matter expert here), but I
would like to offer some suggestions:

  - When sending backported patch series, always prefix the subject with
    "[PATCH x.y]", where x.y is the stable version the backport is made
    against.
  - Abbreviated commit hash should be at least 12 (or my favorite, 14) characters long.
  - Commit identifier should be in format "%h (\"%s\")".
  - As always, DON'T DO top-posting, DO interleaved reply and reply
    below the quoted original message.

Trond and Dexter, any comments or ACKs?

Thanks.
Greg Kroah-Hartman May 16, 2022, 12:43 p.m. UTC | #3
On Sat, May 14, 2022 at 03:47:38PM +0700, Bagas Sanjaya wrote:
> On Sat, May 14, 2022 at 05:34:49AM +0000, Meena Shanmugam wrote:
> > The commit f00432063db1a0db484e85193eccc6845435b80e upstream (SUNRPC:
> > Ensure we flush any closed sockets before xs_xprt_free()) fixes
> > CVE-2022-28893, hence good candidate for stable trees.
> > The above commit depends on 3be232f(SUNRPC: Prevent immediate
> > close+reconnect)  and  89f4249(SUNRPC: Don't call connect() more than
> > once on a TCP socket). Commit 3be232f depends on commit
> > e26d9972720e(SUNRPC: Clean up scheduling of autoclose).
> > 
> > Commits e26d9972720e, 3be232f, f00432063db1 apply cleanly on 5.10
> > kernel. commit 89f4249 didn't apply cleanly. This patch series includes
> > all the commits required for back porting f00432063db1.
> > 
> 
> Hi Meena,
> 
> I can't speaking about the code (as I'm not subject-expert here), but I
> would like to give you suggestions:
> 
>   - When sending backported patch series, always prefix the subject with
>     "[PATCH x.y]", where x.y is the stable version the backport is made
>     against.
>   - Abbreviated commit hash should be at least 12 (or my favorite, 14) characters long.
>   - Commit identifier should be in format "%h (\"%s\")".
>   - As always, DON'T DO top-posting, DO interleaved reply and reply
>     below the quoted original message.

Yes, that would have been better, but I figured it out from this series,
it wasn't that hard.

Now all queued up, thanks!

greg k-h

Patch

diff --git a/include/linux/sunrpc/xprtsock.h b/include/linux/sunrpc/xprtsock.h
index 8c2a712cb242..689062afdd61 100644
--- a/include/linux/sunrpc/xprtsock.h
+++ b/include/linux/sunrpc/xprtsock.h
@@ -89,5 +89,6 @@  struct sock_xprt {
 #define XPRT_SOCK_WAKE_WRITE	(5)
 #define XPRT_SOCK_WAKE_PENDING	(6)
 #define XPRT_SOCK_WAKE_DISCONNECT	(7)
+#define XPRT_SOCK_CONNECT_SENT	(8)
 
 #endif /* _LINUX_SUNRPC_XPRTSOCK_H */
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 60c58eb9a456..33a81f9703b1 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -2260,10 +2260,14 @@  static void xs_tcp_setup_socket(struct work_struct *work)
 	struct rpc_xprt *xprt = &transport->xprt;
 	int status = -EIO;
 
-	if (!sock) {
-		sock = xs_create_sock(xprt, transport,
-				xs_addr(xprt)->sa_family, SOCK_STREAM,
-				IPPROTO_TCP, true);
+	if (xprt_connected(xprt))
+		goto out;
+	if (test_and_clear_bit(XPRT_SOCK_CONNECT_SENT,
+			       &transport->sock_state) ||
+	    !sock) {
+		xs_reset_transport(transport);
+		sock = xs_create_sock(xprt, transport, xs_addr(xprt)->sa_family,
+				      SOCK_STREAM, IPPROTO_TCP, true);
 		if (IS_ERR(sock)) {
 			status = PTR_ERR(sock);
 			goto out;
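Review bot: The early `goto out` taken when `xprt_connected(xprt)` is true leaves `status` at its initial `-EIO`. The `out:` label lies outside this hunk, so this needs confirming against the 5.10 tree, but if that label hands `status` to the tasks waiting on the transport, they would be woken with an I/O error even though the connection is already up. Either give the path an explicit value, e.g. `if (xprt_connected(xprt)) { status = 0; goto out; }`, or add a comment such as `/* already connected: out: only clears XPRT_CONNECTING and unlocks */` once that has been checked. The body of xs_tcp_setup_socket starts and ends outside the hunk.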
@@ -2294,6 +2298,7 @@  static void xs_tcp_setup_socket(struct work_struct *work)
 		break;
 	case 0:
 	case -EINPROGRESS:
+		set_bit(XPRT_SOCK_CONNECT_SENT, &transport->sock_state);
 	case -EALREADY:
 		xprt_unlock_connect(xprt, transport);
 		return;
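Review bot: The added `set_bit()` under `case -EINPROGRESS:` now runs into `case -EALREADY:` with no annotation, so the intended fall-through cannot be told apart from a forgotten `break`. Put `fallthrough;` on the line after `set_bit(XPRT_SOCK_CONNECT_SENT, &transport->sock_state);` so the intent is explicit and builds with -Wimplicit-fallthrough stay quiet. The flag decides whether the next connect attempt reuses or replaces the socket, so a short comment like `/* connect() was issued on this socket; never call it again */` would also help. The switch begins and ends outside the hunk.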
@@ -2345,13 +2350,9 @@  static void xs_connect(struct rpc_xprt *xprt, struct rpc_task *task)
 
 	WARN_ON_ONCE(!xprt_lock_connect(xprt, task, transport));
 
-	if (transport->sock != NULL && !xprt_connecting(xprt)) {
+	if (transport->sock != NULL) {
 		dprintk("RPC:       xs_connect delayed xprt %p for %lu "
-				"seconds\n",
-				xprt, xprt->reestablish_timeout / HZ);
-
-		/* Start by resetting any existing state */
-		xs_reset_transport(transport);
+			"seconds\n", xprt, xprt->reestablish_timeout / HZ);
 
 		delay = xprt_reconnect_delay(xprt);
 		xprt_reconnect_backoff(xprt, XS_TCP_INIT_REEST_TO);
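Review bot: With `xs_reset_transport()` and its comment removed from this branch, nothing in xs_connect says where the old socket is now torn down. A reader has to find the `XPRT_SOCK_CONNECT_SENT` test in xs_tcp_setup_socket to see that the reset still happens. A comment in the `if (transport->sock != NULL)` branch would record this, e.g. `/* The stale socket is reset by the connect worker, not here */`. If xs_connect is also used by other socket transports (not visible in this hunk), check that each of their workers resets the transport itself. The function continues outside the hunk.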