From: Greg Kroah-Hartman
Date: Wed, 3 Feb 2021 21:55:28 +0000 (+0100)
Subject: 5.10 patch added
X-Git-Tag: v4.4.255~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=759ff8e0b54f98161674f985d661d3f6f8ed31f9;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10 patch added
---
diff --git a/queue-5.10/series b/queue-5.10/series
index 0ccf879ed5b..6b5e386b258 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -140,3 +140,4 @@ scsi-qla2xxx-fix-description-for-parameter-ql2xenforce_iocb_limit.patch
 team-protect-features-update-by-rcu-to-avoid-deadlock.patch
 tcp-make-tcp_user_timeout-accurate-for-zero-window-probes.patch
 tcp-fix-tlp-timer-not-set-when-ca_state-changes-from-disorder-to-open.patch
+vsock-fix-the-race-conditions-in-multi-transport-support.patch
diff --git a/queue-5.10/vsock-fix-the-race-conditions-in-multi-transport-support.patch b/queue-5.10/vsock-fix-the-race-conditions-in-multi-transport-support.patch
new file mode 100644
index 00000000000..7409a10d938
--- /dev/null
+++ b/queue-5.10/vsock-fix-the-race-conditions-in-multi-transport-support.patch
@@ -0,0 +1,107 @@
+From c518adafa39f37858697ac9309c6cf1805581446 Mon Sep 17 00:00:00 2001
+From: Alexander Popov
+Date: Mon, 1 Feb 2021 11:47:19 +0300
+Subject: vsock: fix the race conditions in multi-transport support
+
+From: Alexander Popov
+
+commit c518adafa39f37858697ac9309c6cf1805581446 upstream.
+
+There are multiple similar bugs implicitly introduced by the
+commit c0cfa2d8a788fcf4 ("vsock: add multi-transports support") and
+commit 6a2c0962105ae8ce ("vsock: prevent transport modules unloading").
+
+The bug pattern:
+ [1] vsock_sock.transport pointer is copied to a local variable,
+ [2] lock_sock() is called,
+ [3] the local variable is used.
+VSOCK multi-transport support introduced the race condition:
+vsock_sock.transport value may change between [1] and [2].
+
+Let's copy vsock_sock.transport pointer to local variables after
+the lock_sock() call.
+
+Fixes: c0cfa2d8a788fcf4 ("vsock: add multi-transports support")
+Signed-off-by: Alexander Popov
+Reviewed-by: Stefano Garzarella
+Reviewed-by: Jorgen Hansen
+Link: https://lore.kernel.org/r/20210201084719.2257066-1-alex.popov@linux.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/af_vsock.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -997,9 +997,12 @@ static __poll_t vsock_poll(struct file *
+ mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
+
+ } else if (sock->type == SOCK_STREAM) {
+- const struct vsock_transport *transport = vsk->transport;
++ const struct vsock_transport *transport;
++
+ lock_sock(sk);
+
++ transport = vsk->transport;
++
+ /* Listening sockets that have connections in their accept
+ * queue can be read.
+ */
+@@ -1082,10 +1085,11 @@ static int vsock_dgram_sendmsg(struct so
+ err = 0;
+ sk = sock->sk;
+ vsk = vsock_sk(sk);
+- transport = vsk->transport;
+
+ lock_sock(sk);
+
++ transport = vsk->transport;
++
+ err = vsock_auto_bind(vsk);
+ if (err)
+ goto out;
+@@ -1544,10 +1548,11 @@ static int vsock_stream_setsockopt(struc
+ err = 0;
+ sk = sock->sk;
+ vsk = vsock_sk(sk);
+- transport = vsk->transport;
+
+ lock_sock(sk);
+
++ transport = vsk->transport;
++
+ switch (optname) {
+ case SO_VM_SOCKETS_BUFFER_SIZE:
+ COPY_IN(val);
+@@ -1680,7 +1685,6 @@ static int vsock_stream_sendmsg(struct s
+
+ sk = sock->sk;
+ vsk = vsock_sk(sk);
+- transport = vsk->transport;
+ total_written = 0;
+ err = 0;
+
+@@ -1689,6 +1693,8 @@ static int vsock_stream_sendmsg(struct s
+
+ lock_sock(sk);
+
++ transport = vsk->transport;
++
+ /* Callers should not provide a destination with stream sockets. */
+ if (msg->msg_namelen) {
+ err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
+@@ -1823,11 +1829,12 @@ vsock_stream_recvmsg(struct socket *sock
+
+ sk = sock->sk;
+ vsk = vsock_sk(sk);
+- transport = vsk->transport;
+ err = 0;
+
+ lock_sock(sk);
+
++ transport = vsk->transport;
++
+ if (!transport || sk->sk_state != TCP_ESTABLISHED) {
+ /* Recvmsg is supposed to return 0 if a peer performs an
+ * orderly shutdown. Differentiate between that case and when a
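Review bot: The `transport = vsk->transport;` reads moved under lock_sock() in vsock_poll (the -997 hunk) and repeated in vsock_dgram_sendmsg, vsock_stream_setsockopt, vsock_stream_sendmsg and vsock_stream_recvmsg carry no comment saying why the read has to follow the lock, so a later cleanup can hoist it back above lock_sock() and silently reintroduce the race the commit message describes. I would add, at the first such site in vsock_poll, `/* vsk->transport can change until the socket lock is held; read it only after lock_sock() */`, and rely on that one comment for the sibling sites. Only the vsock_stream_recvmsg hunk (-1823) visibly checks `!transport` after the read; whether the other four callers dereference the pointer unconditionally lies outside their hunks, so it is worth confirming that each path tolerates a NULL transport on a socket that has not been assigned one. If the sendmsg/recvmsg paths further down release and reacquire the socket lock while waiting, the cached pointer could still go stale across that window; that code is not in the hunk, so this is an inference to verify rather than a defect I can point to. Every one of these functions starts and ends outside its hunk.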