* Request to cherry-pick f00432063db1 to 5.10
@ 2022-05-11  2:33 Meena Shanmugam
  2022-05-12  6:48 ` Bagas Sanjaya
  2022-05-12 16:23 ` Greg KH
  0 siblings, 2 replies; 19+ messages in thread
From: Meena Shanmugam @ 2022-05-11  2:33 UTC (permalink / raw)
  To: stable; +Cc: gregkh, trond.myklebust

Hi all,

The commit f00432063db1a0db484e85193eccc6845435b80e upstream (SUNRPC:
Ensure we flush any closed sockets before xs_xprt_free()) fixes
CVE-2022-28893, hence it is a good candidate for stable trees.
The above commit depends on 3be232f (SUNRPC: Prevent immediate
close+reconnect) and 89f4249 (SUNRPC: Don't call connect() more than
once on a TCP socket). Commit 3be232f depends on commit
e26d9972720e (SUNRPC: Clean up scheduling of autoclose).

Commits e26d9972720e, 3be232f, f00432063db1 apply cleanly on the 5.10
kernel. Commit 89f4249 didn't apply cleanly. I have a patch for 89f4249
below.

Thanks,
Meena

From: Trond Myklebust <trond.myklebust@hammerspace.com>
Date: Wed, 16 Mar 2022 19:10:43 -0400
Subject: [PATCH] SUNRPC: Don't call connect() more than once on a TCP socket

commit 89f42494f92f448747bd8a7ab1ae8b5d5520577d upstream.

Avoid socket state races due to repeated calls to ->connect() using the
same socket. If connect() returns 0 due to the connection having
completed, but we are in fact in a closing state, then we may leave the
XPRT_CONNECTING flag set on the transport.

Reported-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Fixes: 3be232f11a3c ("SUNRPC: Prevent immediate close+reconnect")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
[meenashanmugam: Backported to 5.10: Fixed merge conflict in
xs_tcp_setup_socket]
Signed-off-by: Meena Shanmugam <meena.shanmugam@google.com>
---
 include/linux/sunrpc/xprtsock.h |  1 +
 net/sunrpc/xprtsock.c           | 21 +++++++++++----------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/include/linux/sunrpc/xprtsock.h b/include/linux/sunrpc/xprtsock.h
index 8c2a712cb242..689062afdd61 100644
--- a/include/linux/sunrpc/xprtsock.h
+++ b/include/linux/sunrpc/xprtsock.h
@@ -89,5 +89,6 @@ struct sock_xprt {
 #define XPRT_SOCK_WAKE_WRITE (5)
 #define XPRT_SOCK_WAKE_PENDING (6)
 #define XPRT_SOCK_WAKE_DISCONNECT (7)
+#define XPRT_SOCK_CONNECT_SENT (8)

 #endif /* _LINUX_SUNRPC_XPRTSOCK_H */
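
Review bot: XPRT_SOCK_CONNECT_SENT (8) is added to the sock_state bit list without a comment, and unlike the three XPRT_SOCK_WAKE_* bits above it, it is not a wake-up flag. A one-line comment saying that it records that connect() has already been issued on the current socket, so that the next pass through xs_tcp_setup_socket() resets the transport and creates a fresh socket, would make the bit's lifetime clear from the header alone.
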
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 60c58eb9a456..33a81f9703b1 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -2260,10 +2260,14 @@ static void xs_tcp_setup_socket(struct
work_struct *work)
  struct rpc_xprt *xprt = &transport->xprt;
  int status = -EIO;

- if (!sock) {
- sock = xs_create_sock(xprt, transport,
- xs_addr(xprt)->sa_family, SOCK_STREAM,
- IPPROTO_TCP, true);
+ if (xprt_connected(xprt))
+ goto out;
+ if (test_and_clear_bit(XPRT_SOCK_CONNECT_SENT,
+        &transport->sock_state) ||
+     !sock) {
+ xs_reset_transport(transport);
+ sock = xs_create_sock(xprt, transport, xs_addr(xprt)->sa_family,
+       SOCK_STREAM, IPPROTO_TCP, true);
  if (IS_ERR(sock)) {
  status = PTR_ERR(sock);
  goto out;
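
Review bot: the new early exit "if (xprt_connected(xprt)) goto out;" in xs_tcp_setup_socket() is taken with status still at its initial value of -EIO, so an already-connected transport leaves through the same path as a failure. Please confirm that the code at the out label does not hand -EIO to waiting tasks in that case, or set status to 0 before the jump. The bracketed backport note says only that a merge conflict in this function was fixed; stating what differs from the upstream hunk would make this easier to check.
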
@@ -2294,6 +2298,7 @@ static void xs_tcp_setup_socket(struct work_struct *work)
  break;
  case 0:
  case -EINPROGRESS:
+ set_bit(XPRT_SOCK_CONNECT_SENT, &transport->sock_state);
  case -EALREADY:
  xprt_unlock_connect(xprt, transport);
  return;
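
Review bot: the added set_bit() under "case -EINPROGRESS:" now runs straight into "case -EALREADY:" with no fallthrough annotation, so what used to be a stack of empty case labels becomes an implicit fall-through after a statement. Add "fallthrough;" after the set_bit() line so the intent is explicit and builds with -Wimplicit-fallthrough stay quiet. It is also worth a short comment that -EALREADY deliberately does not set XPRT_SOCK_CONNECT_SENT.
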
@@ -2345,13 +2350,9 @@ static void xs_connect(struct rpc_xprt *xprt,
struct rpc_task *task)

  WARN_ON_ONCE(!xprt_lock_connect(xprt, task, transport));

- if (transport->sock != NULL && !xprt_connecting(xprt)) {
+ if (transport->sock != NULL) {
  dprintk("RPC:       xs_connect delayed xprt %p for %lu "
- "seconds\n",
- xprt, xprt->reestablish_timeout / HZ);
-
- /* Start by resetting any existing state */
- xs_reset_transport(transport);
+ "seconds\n", xprt, xprt->reestablish_timeout / HZ);

  delay = xprt_reconnect_delay(xprt);
  xprt_reconnect_backoff(xprt, XS_TCP_INIT_REEST_TO);
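
Review bot: in xs_connect(), dropping the "!xprt_connecting(xprt)" test together with the xs_reset_transport() call means the reconnect delay and backoff now apply whenever transport->sock is non-NULL, while the reset happens only in xs_tcp_setup_socket() and only when XPRT_SOCK_CONNECT_SENT is set or there is no socket. The removed comment "Start by resetting any existing state" was the only pointer to where the reset lives; a short comment at this branch saying the reset has moved to the worker, and under which condition, would keep that visible.
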
-- 
2.36.0.512.ge40c2bad7a-goog


end of thread, other threads:[~2022-05-17  3:57 UTC | newest]

Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-11  2:33 Request to cherry-pick f00432063db1 to 5.10 Meena Shanmugam
2022-05-12  6:48 ` Bagas Sanjaya
2022-05-12 16:23 ` Greg KH
2022-05-12 17:38   ` Meena Shanmugam
2022-05-13  8:25     ` Greg KH
2022-05-13 17:59       ` [PATCH] SUNRPC: Don't call connect() more than once on a TCP socket Meena Shanmugam
2022-05-14  4:56         ` Greg KH
2022-05-14  5:34           ` [PATCH 0/4] Request to cherry-pick f00432063db1 to 5.10 Meena Shanmugam
2022-05-14  5:34             ` [PATCH 1/4] SUNRPC: Clean up scheduling of autoclose Meena Shanmugam
2022-05-14  5:34             ` [PATCH 2/4] SUNRPC: Prevent immediate close+reconnect Meena Shanmugam
2022-05-14  5:34             ` [PATCH 3/4] SUNRPC: Don't call connect() more than once on a TCP socket Meena Shanmugam
2022-05-16 21:34               ` Greg KH
2022-05-17  3:56                 ` Meena Shanmugam
2022-05-14  5:34             ` [PATCH 4/4] SUNRPC: Ensure we flush any closed sockets before xs_xprt_free() Meena Shanmugam
2022-05-14  8:47             ` [PATCH 0/4] Request to cherry-pick f00432063db1 to 5.10 Bagas Sanjaya
2022-05-16 12:43               ` Greg KH
2022-05-13 18:10       ` Meena Shanmugam
2022-05-13 18:14       ` Meena Shanmugam
2022-05-16 12:42         ` Greg KH
