From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dexuan Cui <decui@microsoft.com>,
Sunil Muthuswamy <sunilmut@microsoft.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org, bcm-kernel-feedback-list@broadcom.com
Subject: [PATCH AUTOSEL 4.19 01/29] hv_sock: Fix hang when a connection is closed
Date: Thu, 29 Aug 2019 06:49:41 -0400 [thread overview]
Message-ID: <20190829105009.2265-1-sashal@kernel.org> (raw)
From: Dexuan Cui <decui@microsoft.com>
[ Upstream commit 685703b497bacea8765bb409d6b73455b73c540e ]
There is a race condition for an established connection that is being closed
by the guest: the refcnt is 4 at the end of hvs_release() (Note: here the
'remove_sock' is false):
1 for the initial value;
1 for the sk being in the bound list;
1 for the sk being in the connected list;
1 for the delayed close_work.
After hvs_release() finishes, __vsock_release() -> sock_put(sk) *may*
decrease the refcnt to 3.
Concurrently, hvs_close_connection() runs in another thread:
calls vsock_remove_sock() to decrease the refcnt by 2;
call sock_put() to decrease the refcnt to 0, and free the sk;
next, the "release_sock(sk)" may hang due to use-after-free.
In the above, after hvs_release() finishes, if hvs_close_connection() runs
faster than "__vsock_release() -> sock_put(sk)", then there is not any issue,
because at the beginning of hvs_close_connection(), the refcnt is still 4.
The issue can be resolved if an extra reference is taken when the
connection is established.
Fixes: a9eeb998c28d ("hv_sock: Add support for delayed close")
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Reviewed-by: Sunil Muthuswamy <sunilmut@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/vmw_vsock/hyperv_transport.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index 9c7da811d130f..98f193fd5315e 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -320,6 +320,11 @@ static void hvs_close_connection(struct vmbus_channel *chan)
lock_sock(sk);
hvs_do_close_lock_held(vsock_sk(sk), true);
release_sock(sk);
+
+ /* Release the refcnt for the channel that's opened in
+ * hvs_open_connection().
+ */
+ sock_put(sk);
}
static void hvs_open_connection(struct vmbus_channel *chan)
@@ -388,6 +393,9 @@ static void hvs_open_connection(struct vmbus_channel *chan)
}
set_per_channel_state(chan, conn_from_host ? new : sk);
+
+ /* This reference will be dropped by hvs_close_connection(). */
+ sock_hold(conn_from_host ? new : sk);
vmbus_set_chn_rescind_callback(chan, hvs_close_connection);
/* Set the pending send size to max packet size to always get
--
2.20.1
next reply other threads:[~2019-08-29 10:55 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-29 10:49 Sasha Levin [this message]
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 02/29] Revert "dm bufio: fix deadlock with loop device" Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 03/29] kprobes: Fix potential deadlock in kprobe_optimizer() Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 04/29] ALSA: line6: Fix memory leak at line6_init_pcm() error path Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 05/29] Blk-iolatency: warn on negative inflight IO counter Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 06/29] blk-iolatency: fix STS_AGAIN handling Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 07/29] {nl,mac}80211: fix interface combinations on crypto controlled devices Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 08/29] timekeeping: Use proper ktime_add when adding nsecs in coarse offset Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 09/29] selftests: fib_rule_tests: use pre-defined DEV_ADDR Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 10/29] x86/ftrace: Fix warning and considate ftrace_jmp_replace() and ftrace_call_replace() Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 11/29] binder: take read mode of mmap_sem in binder_alloc_free_page() Sasha Levin
2019-08-29 15:13 ` Tyler Hicks
2019-08-30 6:29 ` Greg Kroah-Hartman
2019-08-30 7:30 ` Tyler Hicks
2019-09-02 15:54 ` Greg Kroah-Hartman
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 12/29] powerpc/64: mark start_here_multiplatform as __ref Sasha Levin
2019-08-29 10:49 ` Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 13/29] media: stm32-dcmi: fix irq = 0 case Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 14/29] HID: input: fix a4tech horizontal wheel custom usage Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 15/29] netfilter: nf_tables: use-after-free in failing rule with bound set Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 16/29] userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx Sasha Levin
[not found] ` <20190829105009.2265-1-sashal-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 17/29] arm64: dts: rockchip: enable usb-host regulators at boot on rk3328-rock64 Sasha Levin
2019-08-29 10:49 ` Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 18/29] mac80211: fix possible sta leak Sasha Levin
2019-08-29 10:49 ` [PATCH AUTOSEL 4.19 19/29] scripts/decode_stacktrace: match basepath using shell prefix operator, not regex Sasha Levin
2019-08-29 10:50 ` [PATCH AUTOSEL 4.19 20/29] KVM: arm/arm64: Only skip MMIO insn once Sasha Levin
2019-08-29 10:50 ` Sasha Levin
2019-08-29 10:50 ` [PATCH AUTOSEL 4.19 21/29] netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too Sasha Levin
2019-08-29 10:50 ` [PATCH AUTOSEL 4.19 22/29] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets Sasha Levin
2019-08-29 10:50 ` [PATCH AUTOSEL 4.19 23/29] ALSA: usb-audio: Check mixer unit bitmap yet more strictly Sasha Levin
2019-08-29 10:50 ` [PATCH AUTOSEL 4.19 24/29] riscv: remove unused variable in ftrace Sasha Levin
2019-08-29 10:50 ` [PATCH AUTOSEL 4.19 25/29] nvme-fc: use separate work queue to avoid warning Sasha Levin
2019-08-29 10:50 ` [PATCH AUTOSEL 4.19 26/29] clk: s2mps11: Add used attribute to s2mps11_dt_match Sasha Levin
2019-08-29 10:50 ` [PATCH AUTOSEL 4.19 27/29] remoteproc: qcom: q6v5: shore up resource probe handling Sasha Levin
2019-08-29 10:50 ` [PATCH AUTOSEL 4.19 28/29] modules: always page-align module section allocations Sasha Levin
2019-08-29 10:50 ` [PATCH AUTOSEL 4.19 29/29] kernel/module: Fix mem leak in module_add_modinfo_attrs Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190829105009.2265-1-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=bcm-kernel-feedback-list@broadcom.com \
--cc=davem@davemloft.net \
--cc=decui@microsoft.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=sunilmut@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.