linux/net/rxrpc
David Howells 106b415d51 rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
[ Upstream commit 65550098c1 ]

There's a race between rxrpc_sendmsg setting up a call, but then failing to
send anything on it due to an error, and recvmsg() seeing the call
completion occur and trying to return the state to the user.

An assertion fails in rxrpc_recvmsg() because the call has already been
released from the socket and is about to be released again as recvmsg deals
with it.  (The recvmsg_q queue on the socket holds a ref, so there's no
problem with use-after-free.)

We also have to be careful not to end up reporting an error twice, in such
a way that both returns indicate to userspace that the user ID supplied
with the call is no longer in use - which could cause the client to
malfunction if it recycles the user ID fast enough.

Fix this by the following means:

 (1) When sendmsg() creates a call after the point that the call has been
     successfully added to the socket, don't return any errors through
     sendmsg(), but rather complete the call and let recvmsg() retrieve
     them.  Make sendmsg() return 0 at this point.  Further calls to
     sendmsg() for that call will fail with ESHUTDOWN.

     Note that at this point, we haven't send any packets yet, so the
     server doesn't yet know about the call.

 (2) If sendmsg() returns an error when it was expected to create a new
     call, it means that the user ID wasn't used.

 (3) Mark the call disconnected before marking it completed to prevent an
     oops in rxrpc_release_call().

 (4) recvmsg() will then retrieve the error and set MSG_EOR to indicate
     that the user ID is no longer known by the kernel.

An oops like the following is produced:

	kernel BUG at net/rxrpc/recvmsg.c:605!
	...
	RIP: 0010:rxrpc_recvmsg+0x256/0x5ae
	...
	Call Trace:
	 ? __init_waitqueue_head+0x2f/0x2f
	 ____sys_recvmsg+0x8a/0x148
	 ? import_iovec+0x69/0x9c
	 ? copy_msghdr_from_user+0x5c/0x86
	 ___sys_recvmsg+0x72/0xaa
	 ? __fget_files+0x22/0x57
	 ? __fget_light+0x46/0x51
	 ? fdget+0x9/0x1b
	 do_recvmmsg+0x15e/0x232
	 ? _raw_spin_unlock+0xa/0xb
	 ? vtime_delta+0xf/0x25
	 __x64_sys_recvmmsg+0x2c/0x2f
	 do_syscall_64+0x4c/0x78
	 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 357f5ef646 ("rxrpc: Call rxrpc_release_call() on error in rxrpc_new_client_call()")
Reported-by: syzbot+b54969381df354936d96@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-11 15:33:40 +02:00
..
af_rxrpc.c rxrpc: Fix call interruptibility handling 2020-04-17 10:49:57 +02:00
ar-internal.h rxrpc: Fix the excessive initial retransmission timeout 2020-05-27 17:46:48 +02:00
call_accept.c rxrpc: Fix notification call on completion of discarded calls 2020-06-30 15:36:45 -04:00
call_event.c rxrpc: Fix afs large storage transmission performance drop 2020-07-09 09:37:52 +02:00
call_object.c rxrpc: Fix race between recvmsg and sendmsg on immediate call failure 2020-08-11 15:33:40 +02:00
conn_client.c rxrpc: Fix call interruptibility handling 2020-04-17 10:49:57 +02:00
conn_event.c rxrpc: Fix missing active use pinning of rxrpc_local object 2020-02-11 04:35:05 -08:00
conn_object.c rxrpc: Fix race between recvmsg and sendmsg on immediate call failure 2020-08-11 15:33:40 +02:00
conn_service.c rxrpc: Fix missing security check on incoming calls 2020-01-17 19:49:05 +01:00
input.c rxrpc: Fix handling of rwind from an ACK packet 2020-06-30 15:36:57 -04:00
insecure.c rxrpc: Fix -Wframe-larger-than= warnings from on-stack crypto 2019-07-30 10:32:35 -07:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
key.c KEYS: Don't write out to userspace while holding key semaphore 2020-04-23 10:36:45 +02:00
local_event.c rxrpc: Use the tx-phase skb flag to simplify tracing 2019-08-27 10:04:18 +01:00
local_object.c rxrpc: Fix DATA Tx to disable nofrag for UDP on AF_INET6 socket 2020-05-02 08:48:47 +02:00
Makefile rxrpc: Fix the excessive initial retransmission timeout 2020-05-27 17:46:48 +02:00
misc.c rxrpc: Fix the excessive initial retransmission timeout 2020-05-27 17:46:48 +02:00
net_ns.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00
output.c rxrpc: Fix the excessive initial retransmission timeout 2020-05-27 17:46:48 +02:00
peer_event.c rxrpc: Fix the excessive initial retransmission timeout 2020-05-27 17:46:48 +02:00
peer_object.c rxrpc: Fix the excessive initial retransmission timeout 2020-05-27 17:46:48 +02:00
proc.c rxrpc: Adjust /proc/net/rxrpc/calls to display call->debug_id not user_ID 2020-06-24 17:50:37 +02:00
protocol.h rxrpc: Improve jumbo packet counting 2019-08-27 09:48:37 +01:00
recvmsg.c rxrpc: Fix race between recvmsg and sendmsg on immediate call failure 2020-08-11 15:33:40 +02:00
rtt.c rxrpc: Fix the excessive initial retransmission timeout 2020-05-27 17:46:48 +02:00
rxkad.c rxrpc: Fix a memory leak in rxkad_verify_response() 2020-05-27 17:46:49 +02:00
security.c rxrpc: Fix missing security check on incoming calls 2020-01-17 19:49:05 +01:00
sendmsg.c rxrpc: Fix race between recvmsg and sendmsg on immediate call failure 2020-08-11 15:33:40 +02:00
skbuff.c rxrpc: Use skb_unshare() rather than skb_cow_data() 2019-08-27 10:13:46 +01:00
sysctl.c rxrpc: Fix the excessive initial retransmission timeout 2020-05-27 17:46:48 +02:00
utils.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00