From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <liujian56@huawei.com>
Cc: <Dai.Ngo@oracle.com>, <anna@kernel.org>, <chuck.lever@oracle.com>,
<davem@davemloft.net>, <ebiederm@xmission.com>,
<edumazet@google.com>, <geert+renesas@glider.be>,
<jlayton@kernel.org>, <kuba@kernel.org>, <kuniyu@amazon.com>,
<linux-nfs@vger.kernel.org>, <neilb@suse.de>,
<netdev@vger.kernel.org>, <ofir.gal@volumez.com>,
<okorniev@redhat.com>, <pabeni@redhat.com>, <tom@talpey.com>,
<trondmy@kernel.org>
Subject: Re: [PATCH net v2] sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket
Date: Thu, 7 Nov 2024 12:59:52 -0800 [thread overview]
Message-ID: <20241107205952.7992-1-kuniyu@amazon.com> (raw)
In-Reply-To: <78efbd6e-31e5-4e67-a046-2736747b291d@huawei.com>
From: "liujian (CE)" <liujian56@huawei.com>
Date: Thu, 7 Nov 2024 20:03:40 +0800
> >> diff --git a/net/socket.c b/net/socket.c
> >> index 042451f01c65..e64a02445b1a 100644
> >> --- a/net/socket.c
> >> +++ b/net/socket.c
> >> @@ -1651,6 +1651,34 @@ int sock_create_kern(struct net *net, int family, int type, int protocol, struct
> >> }
> >> EXPORT_SYMBOL(sock_create_kern);
> >>
> >> +int sock_create_kern_getnet(struct net *net, int family, int type, int proto, struct socket **res)
> >> +{
> >> + struct sock *sk;
> >> + int ret;
> >> +
> >> + if (!maybe_get_net(net))
> >> + return -EINVAL;
> >
> > Is this really safe ?
> >
> > IIUC, maybe_get_net() is safe for a net only when it is fetched under
> > RCU, then rcu_read_lock() prevents cleanup_net() from reusing the net
> > by rcu_barrier().
> >
> > Otherwise, there should be a small chance that the same slab object is
> > reused for another netns between fetching the net and reaching here.
> >
> > svc_create_socket() is called much later after the netns is fetched,
> > and _svc_xprt_create() calls try_module_get() before ->xpo_create().
> > So, it seems the path is not under RCU and maybe_get_net() must be
> > called much earlier by each call site.
> >
> > For this reason, when I write a patch for the same issue in CIFS,
> > I delayed put_net() to cifsd kthread so that the netns refcnt taken
> > for each CIFS server info lives until the last __sock_create() attempt
> > from cifsd.
> >
> > https://lore.kernel.org/linux-cifs/20241102212438.76691-1-kuniyu@amazon.com/
> >
> Okay, got it. thank you.
> Looking at the nfs and nfsd processing flow, it seems that the call to
> __sock_create() to create a TCP socket is always after the mount
> operation get_net(). So it should be fine to use get_net() directly.
Is there any chance that a concurrent unmount releases the
last refcount by put_net() while another thread trying to call
__sock_create() ?
CIFS was the case.
> So
> here I'm going to change may_get_net() to get_net(), move
> sock_create_kern_getnet() to the sunrpc module, and rename it to
> something more appropriate. Is that okay?
Could you go without adding a helper and do the conversion in sunrpc
code as CIFS did ?
I plan to resurrect my patch and remove such socket conversion altogether
in the next cycle after the CIFS fix lands on net-next.
https://lore.kernel.org/netdev/20240227011041.97375-4-kuniyu@amazon.com/
https://github.com/q2ven/linux/commits/427_2
https://github.com/q2ven/linux/commit/2e54a8cc84f1e9ce60a0e4693c79a8e74c3dbeb9
I inspected all the callers of __sock_create() and friends, and all
__sock_create() can be replaced with sock_create_kern(), so I will
unexport __sock_create() and then add a new parameter hold_net to it.
Then, I'll rename sock_create_kern() to sock_create_net_noref() and add
a fat comment to catch in-kernel users attention so that they no longer
use _kern() API blindly without care about netns reference. Also, I'll
add sock_create_net() and use it for MPTCP, SMC, CIFS, (and sunrpc) etc.
RDS uses maybe_net_get() but I think this is still buggy and I need
to check more.
next prev parent reply other threads:[~2024-11-07 21:00 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-30 9:49 [PATCH net v2] sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket Liu Jian
2024-11-03 4:09 ` Kuniyuki Iwashima
2024-11-07 12:03 ` liujian (CE)
2024-11-07 20:59 ` Kuniyuki Iwashima [this message]
2024-11-08 13:04 ` liujian (CE)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241107205952.7992-1-kuniyu@amazon.com \
--to=kuniyu@amazon.com \
--cc=Dai.Ngo@oracle.com \
--cc=anna@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=geert+renesas@glider.be \
--cc=jlayton@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=liujian56@huawei.com \
--cc=neilb@suse.de \
--cc=netdev@vger.kernel.org \
--cc=ofir.gal@volumez.com \
--cc=okorniev@redhat.com \
--cc=pabeni@redhat.com \
--cc=tom@talpey.com \
--cc=trondmy@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.