Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-04 04:06:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
23a6919bb3
linux-stable/net/smc
History
Wen Gu 0cf598548a net/smc: fix LGR and link use-after-free issue 
[ Upstream commit 2c7f14ed9c ]

We encountered a LGR/link use-after-free issue, which manifested as
the LGR/link refcnt reaching 0 early and entering the clear process,
making resource access unsafe.

 refcount_t: addition on 0; use-after-free.
 WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140
 Workqueue: events smc_lgr_terminate_work [smc]
 Call trace:
  refcount_warn_saturate+0x9c/0x140
  __smc_lgr_terminate.part.45+0x2a8/0x370 [smc]
  smc_lgr_terminate_work+0x28/0x30 [smc]
  process_one_work+0x1b8/0x420
  worker_thread+0x158/0x510
  kthread+0x114/0x118

or

 refcount_t: underflow; use-after-free.
 WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140
 Workqueue: smc_hs_wq smc_listen_work [smc]
 Call trace:
  refcount_warn_saturate+0xf0/0x140
  smcr_link_put+0x1cc/0x1d8 [smc]
  smc_conn_free+0x110/0x1b0 [smc]
  smc_conn_abort+0x50/0x60 [smc]
  smc_listen_find_device+0x75c/0x790 [smc]
  smc_listen_work+0x368/0x8a0 [smc]
  process_one_work+0x1b8/0x420
  worker_thread+0x158/0x510
  kthread+0x114/0x118

It is caused by repeated release of LGR/link refcnt. One suspect is that
smc_conn_free() is called repeatedly because some smc_conn_free() from
server listening path are not protected by sock lock.

e.g.

Calls under socklock        | smc_listen_work
-------------------------------------------------------
lock_sock(sk)               | smc_conn_abort
smc_conn_free               | \- smc_conn_free
\- smcr_link_put            |    \- smcr_link_put (duplicated)
release_sock(sk)

So here add sock lock protection in smc_listen_work() path, making it
exclusive with other connection operations.

Fixes: 3b2dec2603 ("net/smc: restructure client and server code in af_smc")
Co-developed-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Co-developed-by: Kai <KaiShen@linux.alibaba.com>
Signed-off-by: Kai <KaiShen@linux.alibaba.com>
Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-12-14 19:54:22 +01:00
..
af_smc.c net/smc: fix LGR and link use-after-free issue 2024-12-14 19:54:22 +01:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile net/smc: fix compile warning for smc_sysctl 2022-03-07 11:59:17 +00:00
smc_cdc.c net/smc: allow cdc msg send rather than drop it with NULL sndbuf_desc 2023-11-20 11:52:16 +01:00
smc_cdc.h net/smc: fix kernel panic caused by race of smc_sock 2021-12-28 12:42:45 +00:00
smc_clc.c net/smc: disable SEID on non-s390 archs where virtual ISM may be used 2024-02-05 20:12:54 +00:00
smc_clc.h net/smc: Allow virtually contiguous sndbufs or RMBs for SMC-R 2022-07-18 11:19:17 +01:00
smc_close.c net/smc: put sk reference if close work was canceled 2023-11-20 11:52:16 +01:00
smc_close.h net/smc: remove close abort worker 2019-10-22 11:23:44 -07:00
smc_core.c net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined 2024-08-03 08:49:04 +02:00
smc_core.h net/smc: replace mutex rmbs_lock and sndbufs_lock with rw_semaphore 2023-08-23 17:52:18 +02:00
smc_diag.c sock_diag: add module pointer to "struct sock_diag_handler" 2024-12-14 19:53:32 +01:00
smc_ib.c net/smc: fix neighbour and rtable leak in smc_ib_find_route() 2024-05-17 11:56:13 +02:00
smc_ib.h net/smc: fix smc clc failed issue when netdevice not in init_net 2023-10-25 12:03:13 +02:00
smc_ism.c net/smc: Pass on DMBE bit mask in IRQ handler 2022-07-27 13:24:42 +01:00
smc_ism.h net/smc: Eliminate struct smc_ism_position 2022-07-27 13:24:42 +01:00
smc_llc.c net/smc: replace mutex rmbs_lock and sndbufs_lock with rw_semaphore 2023-08-23 17:52:18 +02:00
smc_llc.h net/smc: Introduce a specific sysctl for TEST_LINK time 2022-09-22 12:58:21 +02:00
smc_netlink.c genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
smc_netlink.h net/smc: add support for user defined EIDs 2021-09-14 12:49:10 +01:00
smc_netns.h net/smc: introduce list of pnetids for Ethernet devices 2020-09-28 15:19:03 -07:00
smc_pnet.c net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid 2024-11-01 01:55:59 +01:00
smc_pnet.h net/smc: Use a mutex for locking "struct smc_pnettable" 2022-02-24 09:09:33 -08:00
smc_rx.c net: deal with most data-races in sk_wait_event() 2023-05-24 17:32:32 +01:00
smc_rx.h smc: add support for splice() 2018-05-04 11:45:06 -04:00
smc_stats.c net/smc: Fix ENODATA tests in smc_nl_get_fback_stats() 2021-06-21 12:16:58 -07:00
smc_stats.h net/smc: Fix pos miscalculation in statistics 2023-10-19 23:08:54 +02:00
smc_sysctl.c net/smc: Fix setsockopt and sysctl to specify same buffer size again 2023-08-23 17:52:18 +02:00
smc_sysctl.h net/smc: fix -Wmissing-prototypes warning when CONFIG_SYSCTL not set 2022-03-09 20:02:35 -08:00
smc_tracepoint.c net/smc: Introduce tracepoint for smcr link down 2021-11-01 13:39:14 +00:00
smc_tracepoint.h net/smc: Add net namespace for tracepoints 2022-01-02 12:07:39 +00:00
smc_tx.c net: deal with most data-races in sk_wait_event() 2023-05-24 17:32:32 +01:00
smc_tx.h net/smc: Cork when sendpage with MSG_SENDPAGE_NOTLAST flag 2022-01-31 15:08:20 +00:00
smc_wr.c net/smc: Fix possible access to freed memory in link clear 2022-09-07 16:00:48 +01:00
smc_wr.h net/smc: Fix possible access to freed memory in link clear 2022-09-07 16:00:48 +01:00
smc.h net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT 2023-11-20 11:52:16 +01:00