mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-22 16:06:04 -05:00
unix: Fix race in SOCK_SEQPACKET's unix_dgram_sendmsg()
There is a race resulting in alive SOCK_SEQPACKET socket
may change its state from TCP_ESTABLISHED to TCP_CLOSE:
unix_release_sock(peer) unix_dgram_sendmsg(sk)
sock_orphan(peer)
sock_set_flag(peer, SOCK_DEAD)
sock_alloc_send_pskb()
if !(sk->sk_shutdown & SEND_SHUTDOWN)
OK
if sock_flag(peer, SOCK_DEAD)
sk->sk_state = TCP_CLOSE
sk->sk_shutdown = SHUTDOWN_MASK
After that socket sk remains almost normal: it is able to connect, listen, accept
and recvmsg, while it can't sendmsg.
Since this is the only possibility for alive SOCK_SEQPACKET to change
the state in such way, we should better fix this strange and potentially
danger corner case.
Note, that we will return EPIPE here like this is normally done in sock_alloc_send_pskb().
Originally used ECONNREFUSED looks strange, since it's strange to return
a specific retval in dependence of race in kernel, when user can't affect on this.
Also, move TCP_CLOSE assignment for SOCK_DGRAM sockets under state lock
to fix race with unix_dgram_connect():
unix_dgram_connect(other) unix_dgram_sendmsg(sk)
unix_peer(sk) = NULL
unix_state_unlock(sk)
unix_state_double_lock(sk, other)
sk->sk_state = TCP_ESTABLISHED
unix_peer(sk) = other
unix_state_double_unlock(sk, other)
sk->sk_state = TCP_CLOSED
This patch fixes both of these races.
Fixes: 83301b5367
("af_unix: Set TCP_ESTABLISHED for datagram sockets too")
Signed-off-by: Kirill Tkhai <tkhai@ya.ru>
Link: https://lore.kernel.org/r/135fda25-22d5-837a-782b-ceee50e19844@ya.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
parent
9f28157778
commit
3ff8bff704
1 changed files with 9 additions and 2 deletions
|
@ -1999,13 +1999,20 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
|
|||
unix_state_lock(sk);
|
||||
|
||||
err = 0;
|
||||
if (unix_peer(sk) == other) {
|
||||
if (sk->sk_type == SOCK_SEQPACKET) {
|
||||
/* We are here only when racing with unix_release_sock()
|
||||
* is clearing @other. Never change state to TCP_CLOSE
|
||||
* unlike SOCK_DGRAM wants.
|
||||
*/
|
||||
unix_state_unlock(sk);
|
||||
err = -EPIPE;
|
||||
} else if (unix_peer(sk) == other) {
|
||||
unix_peer(sk) = NULL;
|
||||
unix_dgram_peer_wake_disconnect_wakeup(sk, other);
|
||||
|
||||
sk->sk_state = TCP_CLOSE;
|
||||
unix_state_unlock(sk);
|
||||
|
||||
sk->sk_state = TCP_CLOSE;
|
||||
unix_dgram_disconnected(sk, other);
|
||||
sock_put(other);
|
||||
err = -ECONNREFUSED;
|
||||
|
|
Loading…
Reference in a new issue