From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot <syzbot+e36f41d207137b5d12f7@syzkaller.appspotmail.com>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 11/12] tipc: fix shutdown() of connectionless socket
Date: Fri, 11 Sep 2020 14:47:05 +0200 [thread overview]
Message-ID: <20200911122458.967159042@linuxfoundation.org> (raw)
In-Reply-To: <20200911122458.413137406@linuxfoundation.org>
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 2a63866c8b51a3f72cea388dfac259d0e14c4ba6 ]
syzbot is reporting hung task at nbd_ioctl() [1], for there are two
problems regarding TIPC's connectionless socket's shutdown() operation.
----------
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <linux/nbd.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
const int fd = open("/dev/nbd0", 3);
alarm(5);
ioctl(fd, NBD_SET_SOCK, socket(PF_TIPC, SOCK_DGRAM, 0));
ioctl(fd, NBD_DO_IT, 0); /* To be interrupted by SIGALRM. */
return 0;
}
----------
One problem is that wait_for_completion() from flush_workqueue() from
nbd_start_device_ioctl() from nbd_ioctl() cannot be completed when
nbd_start_device_ioctl() received a signal at wait_event_interruptible(),
for tipc_shutdown() from kernel_sock_shutdown(SHUT_RDWR) from
nbd_mark_nsock_dead() from sock_shutdown() from nbd_start_device_ioctl()
is failing to wake up a WQ thread sleeping at wait_woken() from
tipc_wait_for_rcvmsg() from sock_recvmsg() from sock_xmit() from
nbd_read_stat() from recv_work() scheduled by nbd_start_device() from
nbd_start_device_ioctl(). Fix this problem by always invoking
sk->sk_state_change() (like inet_shutdown() does) when tipc_shutdown() is
called.
The other problem is that tipc_wait_for_rcvmsg() cannot return when
tipc_shutdown() is called, for tipc_shutdown() sets sk->sk_shutdown to
SEND_SHUTDOWN (despite "how" is SHUT_RDWR) while tipc_wait_for_rcvmsg()
needs sk->sk_shutdown set to RCV_SHUTDOWN or SHUTDOWN_MASK. Fix this
problem by setting sk->sk_shutdown to SHUTDOWN_MASK (like inet_shutdown()
does) when the socket is connectionless.
[1] https://syzkaller.appspot.com/bug?id=3fe51d307c1f0a845485cf1798aa059d12bf18b2
Reported-by: syzbot <syzbot+e36f41d207137b5d12f7@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/socket.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2126,18 +2126,21 @@ static int tipc_shutdown(struct socket *
lock_sock(sk);
__tipc_shutdown(sock, TIPC_CONN_SHUTDOWN);
- sk->sk_shutdown = SEND_SHUTDOWN;
+ if (tipc_sk_type_connectionless(sk))
+ sk->sk_shutdown = SHUTDOWN_MASK;
+ else
+ sk->sk_shutdown = SEND_SHUTDOWN;
if (sk->sk_state == TIPC_DISCONNECTING) {
/* Discard any unreceived messages */
__skb_queue_purge(&sk->sk_receive_queue);
- /* Wake up anyone sleeping in poll */
- sk->sk_state_change(sk);
res = 0;
} else {
res = -ENOTCONN;
}
+ /* Wake up anyone sleeping in poll. */
+ sk->sk_state_change(sk);
release_sock(sk);
return res;
next prev parent reply other threads:[~2020-09-11 15:20 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-11 12:46 [PATCH 4.14 00/12] 4.14.198-rc1 review Greg Kroah-Hartman
2020-09-11 12:46 ` [PATCH 4.14 01/12] ALSA; firewire-tascam: exclude Tascam FE-8 from detection Greg Kroah-Hartman
2020-09-11 12:46 ` [PATCH 4.14 02/12] block: ensure bdi->io_pages is always initialized Greg Kroah-Hartman
2020-09-11 12:46 ` [PATCH 4.14 03/12] vfio/type1: Support faulting PFNMAP vmas Greg Kroah-Hartman
2020-09-11 12:46 ` [PATCH 4.14 04/12] vfio-pci: Fault mmaps to enable vma tracking Greg Kroah-Hartman
2020-09-11 12:46 ` [PATCH 4.14 05/12] vfio-pci: Invalidate mmaps and block MMIO access on disabled memory Greg Kroah-Hartman
2020-09-11 12:47 ` [PATCH 4.14 06/12] vfio/pci: Fix SR-IOV VF handling with MMIO blocking Greg Kroah-Hartman
2020-09-11 12:47 ` [PATCH 4.14 07/12] bnxt: dont enable NAPI until rings are ready Greg Kroah-Hartman
2020-09-11 12:47 ` [PATCH 4.14 08/12] netlabel: fix problems with mapping removal Greg Kroah-Hartman
2020-09-11 12:47 ` [PATCH 4.14 09/12] net: usb: dm9601: Add USB ID of Keenetic Plus DSL Greg Kroah-Hartman
2020-09-11 12:47 ` [PATCH 4.14 10/12] sctp: not disable bh in the whole sctp_get_port_local() Greg Kroah-Hartman
2020-09-11 12:47 ` Greg Kroah-Hartman [this message]
2020-09-11 12:47 ` [PATCH 4.14 12/12] net: disable netpoll on fresh napis Greg Kroah-Hartman
2020-09-11 17:10 ` [PATCH 4.14 00/12] 4.14.198-rc1 review Jon Hunter
2020-09-11 22:30 ` Shuah Khan
2020-09-12 2:18 ` Guenter Roeck
2020-09-12 7:52 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200911122458.967159042@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=stable@vger.kernel.org \
--cc=syzbot+e36f41d207137b5d12f7@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.