From c6bab983d4c16cff4debdc58c4aff7d1bcb516cd Mon Sep 17 00:00:00 2001
From: Petr Tesarik
Date: Apr 17 2020 08:14:12 +0000
Subject: net/smc: add fallback check to connect() (git-fixes).
---
diff --git a/patches.suse/net-smc-add-fallback-check-to-connect b/patches.suse/net-smc-add-fallback-check-to-connect
new file mode 100644
index 0000000..fbb3b0b
--- /dev/null
+++ b/patches.suse/net-smc-add-fallback-check-to-connect
@@ -0,0 +1,92 @@
+From: Ursula Braun
+Date: Thu, 12 Dec 2019 22:35:58 +0100
+Subject: net/smc: add fallback check to connect()
+Git-commit: 86434744fedf0cfe07a9eee3f4632c0e25c1d136
+Patch-mainline: v5.5-rc3
+References: git-fixes
+
+FASTOPEN setsockopt() or sendmsg() may switch the SMC socket to fallback
+mode. Once fallback mode is active, the native TCP socket functions are
+called. Nevertheless there is a small race window, when FASTOPEN
+setsockopt/sendmsg runs in parallel to a connect(), and switch the
+socket into fallback mode before connect() takes the sock lock.
+Make sure the SMC-specific connect setup is omitted in this case.
+
+This way a syzbot-reported refcount problem is fixed, triggered by
+different threads running non-blocking connect() and FASTOPEN_KEY
+setsockopt.
+
+Reported-by: syzbot+96d3f9ff6a86d37e44c8@syzkaller.appspotmail.com
+Fixes: 6d6dd528d5af ("net/smc: fix refcount non-blocking connect() -part 2")
+Signed-off-by: Ursula Braun
+Signed-off-by: Karsten Graul
+Signed-off-by: Jakub Kicinski
+Acked-by: Petr Tesarik
+---
+ net/smc/af_smc.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -843,6 +843,8 @@ static int smc_connect(struct socket *so
+ goto out;
+
+ sock_hold(&smc->sk); /* sock put in passive closing */
++ if (smc->use_fallback)
++ goto out;
+ if (flags & O_NONBLOCK) {
+ if (schedule_work(&smc->connect_work))
+ smc->connect_nonblock = 1;
+@@ -1724,8 +1726,6 @@ static int smc_setsockopt(struct socket
+ sk->sk_err = smc->clcsock->sk->sk_err;
+ sk->sk_error_report(sk);
+ }
+- if (rc)
+- return rc;
+
+ if (optlen < sizeof(int))
+ return -EINVAL;
+@@ -1733,6 +1733,8 @@ static int smc_setsockopt(struct socket
+ return -EFAULT;
+
+ lock_sock(sk);
++ if (rc || smc->use_fallback)
++ goto out;
+ switch (optname) {
+ case TCP_FASTOPEN:
+ case TCP_FASTOPEN_CONNECT:
+@@ -1741,15 +1743,14 @@ static int smc_setsockopt(struct socket
+ smc_switch_to_fallback(smc);
+ smc->fallback_rsn = SMC_CLC_DECL_OPTUNSUPP;
+ } else {
+- if (!smc->use_fallback)
+- rc = -EINVAL;
++ rc = -EINVAL;
+ }
+ break;
+ case TCP_NODELAY:
+ if (sk->sk_state != SMC_INIT &&
+ sk->sk_state != SMC_LISTEN &&
+ sk->sk_state != SMC_CLOSED) {
+- if (val && !smc->use_fallback)
++ if (val)
+ mod_delayed_work(system_wq, &smc->conn.tx_work,
+ 0);
+ }
+@@ -1758,7 +1759,7 @@ static int smc_setsockopt(struct socket
+ if (sk->sk_state != SMC_INIT &&
+ sk->sk_state != SMC_LISTEN &&
+ sk->sk_state != SMC_CLOSED) {
+- if (!val && !smc->use_fallback)
++ if (!val)
+ mod_delayed_work(system_wq, &smc->conn.tx_work,
+ 0);
+ }
+@@ -1769,6 +1770,7 @@ static int smc_setsockopt(struct socket
+ default:
+ break;
+ }
++out:
+ release_sock(sk);
+
+ return rc;
diff --git a/series.conf b/series.conf
index 5879458..4ef8eaf 100644
--- a/series.conf
+++ b/series.conf
@@ -26850,6 +26850,7 @@
 patches.suse/gtp-fix-wrong-condition-in-gtp_genl_dump_pdp.patch
 patches.suse/gtp-fix-an-use-after-free-in-ipv4_pdp_find.patch
 patches.suse/gtp-avoid-zero-size-hashtable.patch
+ patches.suse/net-smc-add-fallback-check-to-connect
 patches.suse/mwifiex-fix-possible-heap-overflow-in-mwifiex_proces.patch
 patches.suse/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_a.patch
 patches.suse/net-qlogic-Fix-error-paths-in-ql_alloc_large_buffers.patch
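Review bot: In the `smc_connect` hunk of the added patch, the new `if (smc->use_fallback) goto out;` sits after `sock_hold(&smc->sk); /* sock put in passive closing */`, so the fallback path still takes a reference whose matching put, per that comment, belongs to SMC passive closing. If a socket that has already fallen back to TCP never goes through that close path (not visible here, so this is an inference), each connect() that loses the race leaves the refcount one too high and the sock is never freed, which is the same class of imbalance the commit message sets out to fix. Consider testing the flag before taking the hold, i.e. placing `if (smc->use_fallback) goto out;` directly above the `sock_hold()` line, or add a comment stating where the fallback path drops this reference. The rest of `smc_connect`, including its `out:` label, lies outside the hunk, so the cleanup there should be checked before reordering.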