All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] net/vmw_vsock: fix NULL pointer deref and improve locking
@ 2021-02-04 21:28 Norbert Slusarek
  2021-02-04 21:37 ` Eric Dumazet
  0 siblings, 1 reply; 5+ messages in thread
From: Norbert Slusarek @ 2021-02-04 21:28 UTC (permalink / raw)
  To: Stefano Garzarella, alex.popov, kuba; +Cc: netdev

From: Norbert Slusarek <nslusarek@gmx.net>
Date: Thu, 4 Feb 2021 18:49:24 +0100
Subject: [PATCH] net/vmw_vsock: fix NULL pointer deref and improve locking

In vsock_stream_connect(), a thread will enter schedule_timeout().
While being scheduled out, another thread can enter vsock_stream_connect() as
well and set vsk->transport to NULL. In case a signal was sent, the first
thread can leave schedule_timeout() and vsock_transport_cancel_pkt() will be
called right after. Inside vsock_transport_cancel_pkt(), a null dereference
will happen on transport->cancel_pkt.

The patch also features improved locking inside vsock_connect_timeout().

Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
---
 net/vmw_vsock/af_vsock.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 3b480ed0953a..ea7b9d208724 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1233,7 +1233,7 @@ static int vsock_transport_cancel_pkt(struct vsock_sock *vsk)
 {
 	const struct vsock_transport *transport = vsk->transport;

-	if (!transport->cancel_pkt)
+	if (!transport || !transport->cancel_pkt)
 		return -EOPNOTSUPP;

 	return transport->cancel_pkt(vsk);
@@ -1243,7 +1243,6 @@ static void vsock_connect_timeout(struct work_struct *work)
 {
 	struct sock *sk;
 	struct vsock_sock *vsk;
-	int cancel = 0;

 	vsk = container_of(work, struct vsock_sock, connect_work.work);
 	sk = sk_vsock(vsk);
@@ -1254,11 +1253,9 @@ static void vsock_connect_timeout(struct work_struct *work)
 		sk->sk_state = TCP_CLOSE;
 		sk->sk_err = ETIMEDOUT;
 		sk->sk_error_report(sk);
-		cancel = 1;
+		vsock_transport_cancel_pkt(vsk);
 	}
 	release_sock(sk);
-	if (cancel)
-		vsock_transport_cancel_pkt(vsk);

 	sock_put(sk);
 }
--
2.30.0

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH] net/vmw_vsock: fix NULL pointer deref and improve locking
  2021-02-04 21:28 [PATCH] net/vmw_vsock: fix NULL pointer deref and improve locking Norbert Slusarek
@ 2021-02-04 21:37 ` Eric Dumazet
  2021-02-04 22:22   ` Norbert Slusarek
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2021-02-04 21:37 UTC (permalink / raw)
  To: Norbert Slusarek, Stefano Garzarella, alex.popov, kuba; +Cc: netdev



On 2/4/21 10:28 PM, Norbert Slusarek wrote:
> From: Norbert Slusarek <nslusarek@gmx.net>
> Date: Thu, 4 Feb 2021 18:49:24 +0100
> Subject: [PATCH] net/vmw_vsock: fix NULL pointer deref and improve locking
> 
> In vsock_stream_connect(), a thread will enter schedule_timeout().
> While being scheduled out, another thread can enter vsock_stream_connect() as
> well and set vsk->transport to NULL. In case a signal was sent, the first
> thread can leave schedule_timeout() and vsock_transport_cancel_pkt() will be
> called right after. Inside vsock_transport_cancel_pkt(), a null dereference
> will happen on transport->cancel_pkt.
> 
> The patch also features improved locking inside vsock_connect_timeout().


We request Fixes: tag for patches targeting net tree.

You could also mention the vsock_connect_timeout()
issue was found by a reviewer and give some credits ;)

> 
> Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
> ---
>  net/vmw_vsock/af_vsock.c | 7 ++-----
>  1 file changed, 2 insertions(+), 5 deletions(-)
> 
> diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
> index 3b480ed0953a..ea7b9d208724 100644
> --- a/net/vmw_vsock/af_vsock.c
> +++ b/net/vmw_vsock/af_vsock.c
> @@ -1233,7 +1233,7 @@ static int vsock_transport_cancel_pkt(struct vsock_sock *vsk)
>  {
>  	const struct vsock_transport *transport = vsk->transport;
> 
> -	if (!transport->cancel_pkt)
> +	if (!transport || !transport->cancel_pkt)
>  		return -EOPNOTSUPP;
> 
>  	return transport->cancel_pkt(vsk);
> @@ -1243,7 +1243,6 @@ static void vsock_connect_timeout(struct work_struct *work)
>  {
>  	struct sock *sk;
>  	struct vsock_sock *vsk;
> -	int cancel = 0;
> 
>  	vsk = container_of(work, struct vsock_sock, connect_work.work);
>  	sk = sk_vsock(vsk);
> @@ -1254,11 +1253,9 @@ static void vsock_connect_timeout(struct work_struct *work)
>  		sk->sk_state = TCP_CLOSE;
>  		sk->sk_err = ETIMEDOUT;
>  		sk->sk_error_report(sk);
> -		cancel = 1;
> +		vsock_transport_cancel_pkt(vsk);
>  	}
>  	release_sock(sk);
> -	if (cancel)
> -		vsock_transport_cancel_pkt(vsk);
> 
>  	sock_put(sk);
>  }
> --
> 2.30.0
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] net/vmw_vsock: fix NULL pointer deref and improve locking
  2021-02-04 21:37 ` Eric Dumazet
@ 2021-02-04 22:22   ` Norbert Slusarek
  2021-02-05  8:20     ` Stefano Garzarella
  0 siblings, 1 reply; 5+ messages in thread
From: Norbert Slusarek @ 2021-02-04 22:22 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: Stefano Garzarella, alex.popov, kuba, netdev

> We request Fixes: tag for patches targeting net tree.
>
> You could also mention the vsock_connect_timeout()
> issue was found by a reviewer and give some credits ;)

You're right, Eric Dumazet spotted the locking problem in vsock_cancel_timeout().
I am not too familiar how I should format my response to include it to the final
patch message, in case I should specifically format it, just let me know.
For now:

Fixes: 380feae0def7e6a115124a3219c3ec9b654dca32 (vsock: cancel packets when failing to connect)
Reported-by: Norbert Slusarek <nslusarek@gmx.net>
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] net/vmw_vsock: fix NULL pointer deref and improve locking
  2021-02-04 22:22   ` Norbert Slusarek
@ 2021-02-05  8:20     ` Stefano Garzarella
  2021-02-05  9:05       ` Norbert Slusarek
  0 siblings, 1 reply; 5+ messages in thread
From: Stefano Garzarella @ 2021-02-05  8:20 UTC (permalink / raw)
  To: Norbert Slusarek; +Cc: Eric Dumazet, alex.popov, kuba, netdev

On Thu, Feb 04, 2021 at 11:22:42PM +0100, Norbert Slusarek wrote:
>> We request Fixes: tag for patches targeting net tree.
>>
>> You could also mention the vsock_connect_timeout()
>> issue was found by a reviewer and give some credits ;)
>
>You're right, Eric Dumazet spotted the locking problem in vsock_cancel_timeout().
>I am not too familiar how I should format my response to include it to the final
>patch message, in case I should specifically format it, just let me know.
>For now:
>

 From Documentation/process/submitting-patches.rst:
"please use the 'Fixes:' tag with the first 12 characters of the SHA-1 
ID, and the one line summary."

>Fixes: 380feae0def7e6a115124a3219c3ec9b654dca32 (vsock: cancel packets when failing to connect)

So this should be :
Fixes: 380feae0def7 ("vsock: cancel packets when failing to connect")

This maybe could apply for the locking issue, but for the NULL pointer 
issue is better to refer to the commit that handled vsk->transport 
pointer dynamically, that is this one:

Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")

As I suggested, I think is better to split this patch in two patches 
since we are fixing two issues. This should also simplify to attach the 
proper 'Fixes' tag.

But if you want to send a single patch, I thing the right 'Fixes:' tag 
should be the c0cfa2d8a788, since before this commit, both issues are 
not really exploitable.

>Reported-by: Norbert Slusarek <nslusarek@gmx.net>
>Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
>

Splitting also allows to put the reporter in the right issue he 
reported.

Thanks,
Stefano


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] net/vmw_vsock: fix NULL pointer deref and improve locking
  2021-02-05  8:20     ` Stefano Garzarella
@ 2021-02-05  9:05       ` Norbert Slusarek
  0 siblings, 0 replies; 5+ messages in thread
From: Norbert Slusarek @ 2021-02-05  9:05 UTC (permalink / raw)
  To: Stefano Garzarella; +Cc: Eric Dumazet, alex.popov, kuba, netdev

> As I suggested, I think is better to split this patch in two patches
> since we are fixing two issues. This should also simplify to attach the
> proper 'Fixes' tag.

> Splitting also allows to put the reporter in the right issue he
> reported.

I agree it makes sense to split it. I will send separate patches in a few hours.

Norbert

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-02-05  9:10 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-04 21:28 [PATCH] net/vmw_vsock: fix NULL pointer deref and improve locking Norbert Slusarek
2021-02-04 21:37 ` Eric Dumazet
2021-02-04 22:22   ` Norbert Slusarek
2021-02-05  8:20     ` Stefano Garzarella
2021-02-05  9:05       ` Norbert Slusarek

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.