From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Daniel Borkmann <dborkman@redhat.com>,
Vlad Yasevich <vyasevich@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 3.18 28/50] net: sctp: fix race for one-to-many sockets in sendmsgs auto associate
Date: Fri, 4 Aug 2017 16:16:14 -0700 [thread overview]
Message-ID: <20170804231552.679025998@linuxfoundation.org> (raw)
In-Reply-To: <20170804231550.830518786@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <dborkman@redhat.com>
commit 2061dcd6bff8b774b4fac8b0739b6be3f87bc9f2 upstream.
I.e. one-to-many sockets in SCTP are not required to explicitly
call into connect(2) or sctp_connectx(2) prior to data exchange.
Instead, they can directly invoke sendmsg(2) and the SCTP stack
will automatically trigger connection establishment through 4WHS
via sctp_primitive_ASSOCIATE(). However, this in its current
implementation is racy: INIT is being sent out immediately (as
it cannot be bundled anyway) and the rest of the DATA chunks are
queued up for later xmit when connection is established, meaning
sendmsg(2) will return successfully. This behaviour can result
in an undesired side-effect that the kernel made the application
think the data has already been transmitted, although none of it
has actually left the machine, worst case even after close(2)'ing
the socket.
Instead, when the association from client side has been shut down
e.g. first gracefully through SCTP_EOF and then close(2), the
client could afterwards still receive the server's INIT_ACK due
to a connection with higher latency. This INIT_ACK is then considered
out of the blue and hence responded with ABORT as there was no
alive assoc found anymore. This can be easily reproduced f.e.
with sctp_test application from lksctp. One way to fix this race
is to wait for the handshake to actually complete.
The fix defers waiting after sctp_primitive_ASSOCIATE() and
sctp_primitive_SEND() succeeded, so that DATA chunks cooked up
from sctp_sendmsg() have already been placed into the output
queue through the side-effect interpreter, and therefore can then
be bundeled together with COOKIE_ECHO control chunks.
strace from example application (shortened):
socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...},
msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
close(3) = 0
tcpdump before patch (fooling the application):
22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]
tcpdump after patch:
14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]
Looks like this bug is from the pre-git history museum. ;)
Fixes: 08707d5482df ("lksctp-2_5_31-0_5_1.patch")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/socket.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1604,7 +1604,7 @@ static int sctp_sendmsg(struct kiocb *io
sctp_assoc_t associd = 0;
sctp_cmsgs_t cmsgs = { NULL };
sctp_scope_t scope;
- bool fill_sinfo_ttl = false;
+ bool fill_sinfo_ttl = false, wait_connect = false;
struct sctp_datamsg *datamsg;
int msg_flags = msg->msg_flags;
__u16 sinfo_flags = 0;
@@ -1944,6 +1944,7 @@ static int sctp_sendmsg(struct kiocb *io
if (err < 0)
goto out_free;
+ wait_connect = true;
pr_debug("%s: we associated primitively\n", __func__);
}
@@ -1981,6 +1982,11 @@ static int sctp_sendmsg(struct kiocb *io
sctp_datamsg_put(datamsg);
err = msg_len;
+ if (unlikely(wait_connect)) {
+ timeo = sock_sndtimeo(sk, msg_flags & MSG_DONTWAIT);
+ sctp_wait_for_connect(asoc, &timeo);
+ }
+
/* If we are already past ASSOCIATE, the lower
* layers are responsible for association cleanup.
*/
next prev parent reply other threads:[~2017-08-04 23:36 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-04 23:15 [PATCH 3.18 00/50] 3.18.64-stable review Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 01/50] af_key: Add lock to key dump Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 02/50] pstore: Make spinlock per zone instead of global Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 03/50] net: reduce skb_warn_bad_offload() noise Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 04/50] powerpc/pseries: Fix of_node_put() underflow during reconfig remove Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 05/50] md/raid5: add thread_group worker async_tx_issue_pending_all Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 06/50] drm/vmwgfx: Fix gcc-7.1.1 warning Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 07/50] KVM: PPC: Book3S HV: Restore critical SPRs to host values on guest exit Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 08/50] KVM: PPC: Book3S HV: Reload HTM registers explicitly Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 09/50] KVM: PPC: Book3S HV: Save/restore host values of debug registers Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 10/50] Revert "powerpc/numa: Fix percpu allocations to be NUMA aware" Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 11/50] Staging: comedi: comedi_fops: Avoid orphaned proc entry Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 12/50] Bluetooth: bnep: bnep_add_connection() should verify that its dealing with l2cap socket Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 3.18 13/50] Bluetooth: Fix potential NULL dereference Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 14/50] Bluetooth: cmtp: cmtp_add_connection() should verify that its dealing with l2cap socket Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 15/50] net: phy: Do not perform software reset for Generic PHY Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 16/50] isdn: Fix a sleep-in-atomic bug Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 17/50] string: provide strscpy() Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 18/50] strscpy: zero any trailing garbage bytes in the destination Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 19/50] isdn/i4l: fix buffer overflow Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 20/50] wil6210: fix deadlock when using fw_no_recovery option Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 21/50] mailbox: always wait in mbox_send_message for blocking Tx mode Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 22/50] mailbox: skip complete wait event if timer expired Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 23/50] mailbox: handle empty message in tx_tick Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 24/50] mpt3sas: Dont overreach ioc->reply_post[] during initialization Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 25/50] kaweth: fix firmware download Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 26/50] kaweth: fix oops upon failed memory allocation Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 27/50] ipv6: fix possible deadlock in ip6_fl_purge / ip6_fl_gc Greg Kroah-Hartman
2017-08-04 23:16 ` Greg Kroah-Hartman [this message]
2017-08-04 23:16 ` [PATCH 3.18 29/50] sh_eth: Fix ethtool operation crash when net device is down Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 30/50] net, sched: fix soft lockup in tc_classify Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 31/50] ipmi/watchdog: fix watchdog timeout set on reboot Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 32/50] dentry name snapshots Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 33/50] [media] v4l: s5c73m3: fix negation operator Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 34/50] pstore: Allow prz to control need for locking Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 35/50] pstore: Correctly initialize spinlock and flags Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 36/50] pstore: Use dynamic spinlock initializer Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 37/50] net: skb_needs_check() accepts CHECKSUM_NONE for tx Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 38/50] tpm: fix a kernel memory leak in tpm-sysfs.c Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 39/50] x86/mce/AMD: Make the init code more robust Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 40/50] r8169: add support for RTL8168 series add-on card Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 42/50] ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 43/50] net/mlx4: Remove BUG_ON from ICM allocation routine Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 44/50] drm/msm: Ensure that the hardware write pointer is valid Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 45/50] drm/msm: Verify that MSM_SUBMIT_BO_FLAGS are set Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 46/50] vfio-pci: use 32-bit comparisons for register address for gcc-4.5 Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 47/50] ASoC: tlv320aic3x: Mark the RESET register as volatile Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 48/50] spi: dw: Make debugfs name unique between instances Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 49/50] vlan: Propagate MAC address to VLANs Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 3.18 50/50] xfrm: Dont use sk_family for socket policy lookups Greg Kroah-Hartman
2017-08-05 1:43 ` [PATCH 3.18 00/50] 3.18.64-stable review Guenter Roeck
2017-08-05 2:46 ` Greg Kroah-Hartman
2017-08-05 2:51 ` Greg Kroah-Hartman
2017-08-05 3:00 ` Greg Kroah-Hartman
2017-08-05 4:01 ` Guenter Roeck
2017-08-05 15:43 ` Greg Kroah-Hartman
2017-08-05 5:55 ` Willy Tarreau
2017-08-05 6:02 ` Willy Tarreau
2017-08-05 15:43 ` Greg Kroah-Hartman
2017-08-05 19:11 ` Guenter Roeck
2017-08-07 19:34 ` Greg Kroah-Hartman
2017-08-08 4:11 ` Guenter Roeck
2017-08-05 3:57 ` Guenter Roeck
2017-08-05 15:45 ` Greg Kroah-Hartman
2017-08-05 1:52 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170804231552.679025998@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=amit.pundir@linaro.org \
--cc=davem@davemloft.net \
--cc=dborkman@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).