diff mbox series

[net] smc: disallow TCP_ULP in smc_setsockopt()

Message ID 20210410181732.25995-1-xiyou.wangcong@gmail.com (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series [net] smc: disallow TCP_ULP in smc_setsockopt() | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present fail Series targets non-next tree, but doesn't contain any Fixes tags
netdev/patch_count success Link
netdev/tree_selection success Clearly marked for net
netdev/subject_prefix success Link
netdev/cc_maintainers warning 2 maintainers not CCed: davem@davemloft.net kuba@kernel.org
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 16 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/header_inline success Link

Commit Message

Cong Wang April 10, 2021, 6:17 p.m. UTC 
From: Cong Wang <cong.wang@bytedance.com>

syzbot is able to setup kTLS on an SMC socket, which coincidentally
uses sk_user_data too, later, kTLS treats it as psock so triggers a
refcnt warning. The cause is that smc_setsockopt() simply calls
TCP setsockopt(). I do not think it makes sense to setup kTLS on
top of SMC, so we can just disallow this.

Reported-and-tested-by: syzbot+b54a1ce86ba4a623b7f0@syzkaller.appspotmail.com
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
---
 net/smc/af_smc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Karsten Graul April 12, 2021, 6:52 a.m. UTC | #1 
On 10/04/2021 20:17, Cong Wang wrote:
> From: Cong Wang <cong.wang@bytedance.com>
> 
> syzbot is able to setup kTLS on an SMC socket, which coincidentally
> uses sk_user_data too, later, kTLS treats it as psock so triggers a
> refcnt warning. The cause is that smc_setsockopt() simply calls
> TCP setsockopt(). I do not think it makes sense to setup kTLS on
> top of SMC, so we can just disallow this.
> 
> Reported-and-tested-by: syzbot+b54a1ce86ba4a623b7f0@syzkaller.appspotmail.com
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Karsten Graul <kgraul@linux.ibm.com>
> Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> ---
>  net/smc/af_smc.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
> index 47340b3b514f..0d4d6d28f20c 100644
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -2162,6 +2162,9 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
>  	struct smc_sock *smc;
>  	int val, rc;
>  
> +	if (optname == TCP_ULP)
> +		return -EOPNOTSUPP;
> +
>  	smc = smc_sk(sk);
>  
>  	/* generic setsockopts reaching us here always apply to the
> @@ -2186,7 +2189,6 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
>  	if (rc || smc->use_fallback)
>  		goto out;
>  	switch (optname) {
> -	case TCP_ULP:

Should'nt it return -EOPNOTSUPP in that case, too?

>  	case TCP_FASTOPEN:
>  	case TCP_FASTOPEN_CONNECT:
>  	case TCP_FASTOPEN_KEY:
>
Cong Wang April 12, 2021, 7:09 p.m. UTC | #2 
On Sun, Apr 11, 2021 at 11:52 PM Karsten Graul <kgraul@linux.ibm.com> wrote:
>
>
>
> On 10/04/2021 20:17, Cong Wang wrote:
> > From: Cong Wang <cong.wang@bytedance.com>
> >
> > syzbot is able to setup kTLS on an SMC socket, which coincidentally
> > uses sk_user_data too, later, kTLS treats it as psock so triggers a
> > refcnt warning. The cause is that smc_setsockopt() simply calls
> > TCP setsockopt(). I do not think it makes sense to setup kTLS on
> > top of SMC, so we can just disallow this.
> >
> > Reported-and-tested-by: syzbot+b54a1ce86ba4a623b7f0@syzkaller.appspotmail.com
> > Cc: John Fastabend <john.fastabend@gmail.com>
> > Cc: Karsten Graul <kgraul@linux.ibm.com>
> > Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> > ---
> >  net/smc/af_smc.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
> > index 47340b3b514f..0d4d6d28f20c 100644
> > --- a/net/smc/af_smc.c
> > +++ b/net/smc/af_smc.c
> > @@ -2162,6 +2162,9 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
> >       struct smc_sock *smc;
> >       int val, rc;
> >
> > +     if (optname == TCP_ULP)
> > +             return -EOPNOTSUPP;
> > +
> >       smc = smc_sk(sk);
> >
> >       /* generic setsockopts reaching us here always apply to the
> > @@ -2186,7 +2189,6 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
> >       if (rc || smc->use_fallback)
> >               goto out;
> >       switch (optname) {
> > -     case TCP_ULP:
>
> Should'nt it return -EOPNOTSUPP in that case, too?

I do not think I understand this. In case of TCP_ULP, we will
not even reach this switch case after my patch.

Thanks.
Karsten Graul April 13, 2021, 7:48 a.m. UTC | #3 
On 10/04/2021 20:17, Cong Wang wrote:
> From: Cong Wang <cong.wang@bytedance.com>
> 
> syzbot is able to setup kTLS on an SMC socket, which coincidentally
> uses sk_user_data too, later, kTLS treats it as psock so triggers a
> refcnt warning. The cause is that smc_setsockopt() simply calls
> TCP setsockopt(). I do not think it makes sense to setup kTLS on
> top of SMC, so we can just disallow this.
> 
> Reported-and-tested-by: syzbot+b54a1ce86ba4a623b7f0@syzkaller.appspotmail.com
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Karsten Graul <kgraul@linux.ibm.com>
> Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> ---

Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
diff mbox series

Patch

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 47340b3b514f..0d4d6d28f20c 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -2162,6 +2162,9 @@  static int smc_setsockopt(struct socket *sock, int level, int optname,
 	struct smc_sock *smc;
 	int val, rc;
 
+	if (optname == TCP_ULP)
+		return -EOPNOTSUPP;
+
 	smc = smc_sk(sk);
 
 	/* generic setsockopts reaching us here always apply to the
@@ -2186,7 +2189,6 @@  static int smc_setsockopt(struct socket *sock, int level, int optname,
 	if (rc || smc->use_fallback)
 		goto out;
 	switch (optname) {
-	case TCP_ULP:
 	case TCP_FASTOPEN:
 	case TCP_FASTOPEN_CONNECT:
 	case TCP_FASTOPEN_KEY: