From patchwork Mon Mar 12 21:04:12 2018
X-Patchwork-Submitter: Tom Herbert
X-Patchwork-Id: 884883
X-Patchwork-Delegate: davem@davemloft.net
From: Tom Herbert
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, ebiggers3@gmail.com, Tom Herbert
Subject: [PATCH net] kcm: lock lower socket in kcm_attach
Date: Mon, 12 Mar 2018 14:04:12 -0700
Message-Id: <20180312210412.1875-1-tom@quantonium.net>

Need to lock lower socket in order to provide mutual exclusion with kcm_unattach.

Fixes: ab7ac4eb9832e32a09f4e804 ("kcm: Kernel Connection Multiplexor module")
Signed-off-by: Tom Herbert
Reported-by: syzbot+ea75c0ffcd353d32515f064aaebefc5279e6161e@syzkaller.appspotmail.com
---
 net/kcm/kcmsock.c | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c index f297d53a11aa..34355fd19f27 100644 --- a/net/kcm/kcmsock.c +++ b/net/kcm/kcmsock.c @@ -1381,24 +1381,32 @@ static int kcm_attach(struct socket *sock, struct socket *csock, .parse_msg = kcm_parse_func_strparser, .read_sock_done = kcm_read_sock_done, }; - int err; + int err = 0; csk = csock->sk; if (!csk) return -EINVAL; + lock_sock(csk); + /* Only allow TCP sockets to be attached for now */ if ((csk->sk_family != AF_INET && csk->sk_family != AF_INET6) || - csk->sk_protocol != IPPROTO_TCP) - return -EOPNOTSUPP; + csk->sk_protocol != IPPROTO_TCP) { + err = -EOPNOTSUPP; + goto out; + } /* Don't allow listeners or closed sockets */ - if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE) - return -EOPNOTSUPP; + if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE) { + err = -EOPNOTSUPP; + goto out; + } psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL); - if (!psock) - return -ENOMEM; + if (!psock) { + err = -ENOMEM; + goto out; + } psock->mux = mux; psock->sk = csk; @@ -1407,7 +1415,7 @@ static int kcm_attach(struct socket *sock, struct socket *csock, err = strp_init(&psock->strp, csk, &cb); if (err) { kmem_cache_free(kcm_psockp, psock); - return err; + goto out; } write_lock_bh(&csk->sk_callback_lock); @@ -1419,7 +1427,8 @@ static int kcm_attach(struct socket *sock, struct socket *csock, write_unlock_bh(&csk->sk_callback_lock); strp_done(&psock->strp); kmem_cache_free(kcm_psockp, psock); - return -EALREADY; + err = -EALREADY; + goto out; } psock->save_data_ready = csk->sk_data_ready; @@ -1455,7 +1464,10 @@ static int kcm_attach(struct socket *sock, struct socket *csock, /* Schedule RX work in case there are already bytes queued */ strp_check_rcv(&psock->strp); - return 0; +out: + release_sock(csk); + + return err; } static int kcm_attach_ioctl(struct socket *sock, struct kcm_attach *info) 
@@ -1507,6 +1519,7 @@ static void kcm_unattach(struct kcm_psock *psock) if (WARN_ON(psock->rx_kcm)) { write_unlock_bh(&csk->sk_callback_lock); + release_sock(csk); return; }
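
Review bot: in the first kcm_attach hunk (@@ -1381,24), kmem_cache_zalloc(kcm_psockp, GFP_KERNEL) now runs with csk locked, so a sleeping allocation sits inside the critical section. Allocating psock before lock_sock(csk) would keep the lock held only across the sk_state check and the attach itself, at the cost of one extra free on the early error paths. A short comment at lock_sock(csk) saying that it serializes against kcm_unattach would also help, because nothing in the function body states why the lower socket lock is taken.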
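
Review bot: in the -EALREADY path of kcm_attach (@@ -1419,7), strp_done(&psock->strp) and kmem_cache_free(kcm_psockp, psock) are now reached with lock_sock(csk) still held, whereas before this patch they ran with no socket lock; please confirm that strp_done() never waits on anything that itself takes the lower socket lock. The same question applies to strp_check_rcv(&psock->strp) on the success path, which now also runs before release_sock(csk). The psock free is duplicated between this path and the strp_init() failure path (@@ -1407,7); an unwind label placed ahead of out: would keep the two from drifting apart.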
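
Review bot: the release_sock(csk) added to the WARN_ON(psock->rx_kcm) return in kcm_unattach (@@ -1507,6) has no matching lock_sock() anywhere in this patch, so the lock must already be taken earlier in kcm_unattach and this early return was leaving it held. That is a separate fix from the kcm_attach locking the commit message describes. Please mention it in the message, or split it into its own patch, so the change can be backported and reviewed on its own terms.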