[2/5] net/handshake: Fix handshake_dup() ref counting

Message ID	168321389545.16695.14828237648251844351.stgit@oracle-102.nfsv4bat.org (mailing list archive)
State	Superseded
Delegated to:	Netdev Maintainers
Headers	show Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0945879D0; Thu, 4 May 2023 15:25:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5E4BDC433EF; Thu, 4 May 2023 15:25:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1683213916; bh=UzrYB/+xFPPdTbyfTZH5iQH1u2R5hCE2c71kqPRwk7k=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=szlbBvb07cWeKVUYW9obTnlMbJ7t+ZslNxLYD8QgO4KLI+kj/1ahdYTJVPKitP4Xy 2sjyVBhBvq+83FELLpjWKCNrVYlJHdzBmJcjRaU49IqGc2YnriLsFYYWmfoXomB3w5 MjXOh1J7Kol45iUhRuATbJDExWtKS1VTf0E5mJ3639TRiv5DFXkgm/crmQgUGDshVl VWJiYdqq6BU+AhVwXVotOD3y3nwWfn9ac7djKrnT4wEdfvJNybm+uR7hdwzx3SkmXv JRa83bHWpTQ129V78/XScmZAg399h6qMwMGOM+zdwCqpTAFMxg6HUnFdDydKDUEwFD gn1f2N6L/owdA== Subject: [PATCH 2/5] net/handshake: Fix handshake_dup() ref counting From: Chuck Lever <cel@kernel.org> To: kernel-tls-handshake@lists.linux.dev Cc: netdev@vger.kernel.org, dan.carpenter@linaro.org Date: Thu, 04 May 2023 11:25:05 -0400 Message-ID: <168321389545.16695.14828237648251844351.stgit@oracle-102.nfsv4bat.org> In-Reply-To: <168321371754.16695.4217960864733718685.stgit@oracle-102.nfsv4bat.org> References: <168321371754.16695.4217960864733718685.stgit@oracle-102.nfsv4bat.org> User-Agent: StGit/1.5 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: <netdev.vger.kernel.org> List-Subscribe: <mailto:netdev+subscribe@vger.kernel.org> List-Unsubscribe: <mailto:netdev+unsubscribe@vger.kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Patchwork-Delegate: kuba@kernel.org
Series	Bug fixes for net/handshake \| expand [0/5] Bug fixes for net/handshake [1/5] net/handshake: Remove unneeded check from handshake_dup() [2/5] net/handshake: Fix handshake_dup() ref counting [3/5] net/handshake: Fix uninitialized local variable [4/5] net/handshake: handshake_genl_notify() shouldn't ignore @flags [5/5] net/handshake: Enable the SNI extension to work properly

Message ID

168321389545.16695.14828237648251844351.stgit@oracle-102.nfsv4bat.org (mailing list archive)

State

Superseded

Delegated to:

Netdev Maintainers

Headers

Subject: [PATCH 2/5] net/handshake: Fix handshake_dup() ref counting
From: Chuck Lever <cel@kernel.org>
To: kernel-tls-handshake@lists.linux.dev
Cc: netdev@vger.kernel.org, dan.carpenter@linaro.org
Date: Thu, 04 May 2023 11:25:05 -0400
Message-ID: 
 <168321389545.16695.14828237648251844351.stgit@oracle-102.nfsv4bat.org>
In-Reply-To: 
 <168321371754.16695.4217960864733718685.stgit@oracle-102.nfsv4bat.org>
References: 
 <168321371754.16695.4217960864733718685.stgit@oracle-102.nfsv4bat.org>
User-Agent: StGit/1.5
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Series

Bug fixes for net/handshake | expand

Context	Check	Description
netdev/series_format	warning	Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 10 this patch: 10
netdev/cc_maintainers	fail	2 blamed authors not CCed: kuba@kernel.org chuck.lever@oracle.com; 5 maintainers not CCed: kuba@kernel.org chuck.lever@oracle.com davem@davemloft.net pabeni@redhat.com edumazet@google.com
netdev/build_clang	success	Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 10 this patch: 10
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 31 lines checked
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Context

Check

Description

netdev/series_format

warning

Target tree name not specified in the subject

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 10 this patch: 10

netdev/cc_maintainers

fail

2 blamed authors not CCed: kuba@kernel.org chuck.lever@oracle.com; 5 maintainers not CCed: kuba@kernel.org chuck.lever@oracle.com davem@davemloft.net pabeni@redhat.com edumazet@google.com

netdev/build_clang

success

Errors and warnings before: 8 this patch: 8

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 10 this patch: 10

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 31 lines checked

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

Commit Message

Chuck Lever May 4, 2023, 3:25 p.m. UTC

From: Chuck Lever <chuck.lever@oracle.com>

If get_unused_fd_flags() fails, we ended up calling fput(sock->file)
twice.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 net/handshake/netlink.c |   10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

Comments

Simon Horman May 5, 2023, 1:15 p.m. UTC | #1

On Thu, May 04, 2023 at 11:25:05AM -0400, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
> 
> If get_unused_fd_flags() fails, we ended up calling fput(sock->file)
> twice.
> 
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

Reviewed-by: Simon Horman <simon.horman@corigine.com>

Jakub Kicinski May 5, 2023, 8:58 p.m. UTC | #2

On Thu, 04 May 2023 11:25:05 -0400 Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
> 
> If get_unused_fd_flags() fails, we ended up calling fput(sock->file)
> twice.
> 
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

> diff --git a/net/handshake/netlink.c b/net/handshake/netlink.c
> index 7ec8a76c3c8a..3508bc3e661d 100644
> --- a/net/handshake/netlink.c
> +++ b/net/handshake/netlink.c
> @@ -96,17 +96,13 @@ EXPORT_SYMBOL(handshake_genl_put);
>   */
>  static int handshake_dup(struct socket *sock)
>  {
> -	struct file *file;
>  	int newfd;
>  
> -	file = get_file(sock->file);
>  	newfd = get_unused_fd_flags(O_CLOEXEC);
> -	if (newfd < 0) {
> -		fput(file);
> +	if (newfd < 0)
>  		return newfd;
> -	}
>  
> -	fd_install(newfd, file);
> +	fd_install(newfd, sock->file);

I'm not vfs expert but doesn't this mean that we will now have the file
installed in the fd table, under newfd, before we incremented the
refcount?  Can't another thread close(newfd) and make sock->file
get freed?

>  	return newfd;
>  }
>  
> @@ -143,11 +139,11 @@ int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info)
>  		goto out_complete;
>  
>  	trace_handshake_cmd_accept(net, req, req->hr_sk, fd);
> +	get_file(sock->file);	/* released by DONE */

What if DONE does not get called?

>  	return 0;
>  
>  out_complete:
>  	handshake_complete(req, -EIO, NULL);

We don't want to release the fd here?

> -	fput(sock->file);
>  out_status:
>  	trace_handshake_cmd_accept_err(net, req, NULL, err);
>  	return err;

Chuck Lever May 5, 2023, 11:28 p.m. UTC | #3

On Fri, May 05, 2023 at 01:58:08PM -0700, Jakub Kicinski wrote:
> On Thu, 04 May 2023 11:25:05 -0400 Chuck Lever wrote:
> > From: Chuck Lever <chuck.lever@oracle.com>
> > 
> > If get_unused_fd_flags() fails, we ended up calling fput(sock->file)
> > twice.
> > 
> > Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> > Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
> > Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> 
> > diff --git a/net/handshake/netlink.c b/net/handshake/netlink.c
> > index 7ec8a76c3c8a..3508bc3e661d 100644
> > --- a/net/handshake/netlink.c
> > +++ b/net/handshake/netlink.c
> > @@ -96,17 +96,13 @@ EXPORT_SYMBOL(handshake_genl_put);
> >   */
> >  static int handshake_dup(struct socket *sock)
> >  {
> > -	struct file *file;
> >  	int newfd;
> >  
> > -	file = get_file(sock->file);
> >  	newfd = get_unused_fd_flags(O_CLOEXEC);
> > -	if (newfd < 0) {
> > -		fput(file);
> > +	if (newfd < 0)
> >  		return newfd;
> > -	}
> >  
> > -	fd_install(newfd, file);
> > +	fd_install(newfd, sock->file);
> 
> I'm not vfs expert but doesn't this mean that we will now have the file
> installed in the fd table, under newfd, before we incremented the
> refcount?  Can't another thread close(newfd) and make sock->file
> get freed?

I suppose. I can rework it and send a refresh.


> >  	return newfd;
> >  }
> >  
> > @@ -143,11 +139,11 @@ int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info)
> >  		goto out_complete;
> >  
> >  	trace_handshake_cmd_accept(net, req, req->hr_sk, fd);
> > +	get_file(sock->file);	/* released by DONE */
> 
> What if DONE does not get called?

A correctly-coded kernel caller has a timeout that is supposed to
release the socket via handshake_req_cancel(). I see that it doesn't
put sock->file, though... perhaps it should use sockfd_put() instead
of sock_release().


> >  	return 0;
> >  
> >  out_complete:
> >  	handshake_complete(req, -EIO, NULL);
> 
> We don't want to release the fd here?

Not any more, since we don't do the get_file() until everything
else has succeeded. But the rework will likely restore the fput
here.


> > -	fput(sock->file);
> >  out_status:
> >  	trace_handshake_cmd_accept_err(net, req, NULL, err);
> >  	return err;
> -- 
> pw-bot: cr

diff --git a/net/handshake/netlink.c b/net/handshake/netlink.c
index 7ec8a76c3c8a..3508bc3e661d 100644
--- a/net/handshake/netlink.c
+++ b/net/handshake/netlink.c
@@ -96,17 +96,13 @@  EXPORT_SYMBOL(handshake_genl_put);
  */
 static int handshake_dup(struct socket *sock)
 {
-	struct file *file;
 	int newfd;
 
-	file = get_file(sock->file);
 	newfd = get_unused_fd_flags(O_CLOEXEC);
-	if (newfd < 0) {
-		fput(file);
+	if (newfd < 0)
 		return newfd;
-	}
 
-	fd_install(newfd, file);
+	fd_install(newfd, sock->file);
 	return newfd;
 }
 
@@ -143,11 +139,11 @@  int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info)
 		goto out_complete;
 
 	trace_handshake_cmd_accept(net, req, req->hr_sk, fd);
+	get_file(sock->file);	/* released by DONE */
 	return 0;
 
 out_complete:
 	handshake_complete(req, -EIO, NULL);
-	fput(sock->file);
 out_status:
 	trace_handshake_cmd_accept_err(net, req, NULL, err);
 	return err;

[2/5] net/handshake: Fix handshake_dup() ref counting

Checks

Commit Message

Comments

Patch