| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 May 2020 17:44:45 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: justin.he@....com
Cc: stefanha@...hat.com, sgarzare@...hat.com, kuba@...nel.org,
kvm@...r.kernel.org, virtualization@...ts.linux-foundation.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
Kaly.Xin@....com, stable@...r.kernel.org
Subject: Re: [PATCH v3] virtio_vsock: Fix race condition in
virtio_transport_recv_pkt
From: Jia He <justin.he@....com>
Date: Sat, 30 May 2020 09:38:28 +0800
> When client on the host tries to connect(SOCK_STREAM, O_NONBLOCK) to the
> server on the guest, there will be a panic on a ThunderX2 (armv8a server):
...
> The race condition is as follows:
> Task1 Task2
> ===== =====
> __sock_release virtio_transport_recv_pkt
> __vsock_release vsock_find_bound_socket (found sk)
> lock_sock_nested
> vsock_remove_sock
> sock_orphan
> sk_set_socket(sk, NULL)
> sk->sk_shutdown = SHUTDOWN_MASK
> ...
> release_sock
> lock_sock
> virtio_transport_recv_connecting
> sk->sk_socket->state (panic!)
>
> The root cause is that vsock_find_bound_socket can't hold the lock_sock,
> so there is a small race window between vsock_find_bound_socket() and
> lock_sock(). If __vsock_release() is running in another task,
> sk->sk_socket will be set to NULL inadvertently.
>
> This fixes it by checking sk->sk_shutdown(suggested by Stefano) after
> lock_sock since sk->sk_shutdown is set to SHUTDOWN_MASK under the
> protection of lock_sock_nested.
>
> Signed-off-by: Jia He <justin.he@....com>
> Reviewed-by: Stefano Garzarella <sgarzare@...hat.com>
Applied and queued up for -stable, thank you.
Powered by blists - more mailing lists