mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-04 10:40:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/net/tipc
History
Tetsuo Handa 2a63866c8b tipc: fix shutdown() of connectionless socket 
syzbot is reporting hung task at nbd_ioctl() [1], for there are two
problems regarding TIPC's connectionless socket's shutdown() operation.

----------
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <linux/nbd.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
        const int fd = open("/dev/nbd0", 3);
        alarm(5);
        ioctl(fd, NBD_SET_SOCK, socket(PF_TIPC, SOCK_DGRAM, 0));
        ioctl(fd, NBD_DO_IT, 0); /* To be interrupted by SIGALRM. */
        return 0;
}
----------

One problem is that wait_for_completion() from flush_workqueue() from
nbd_start_device_ioctl() from nbd_ioctl() cannot be completed when
nbd_start_device_ioctl() received a signal at wait_event_interruptible(),
for tipc_shutdown() from kernel_sock_shutdown(SHUT_RDWR) from
nbd_mark_nsock_dead() from sock_shutdown() from nbd_start_device_ioctl()
is failing to wake up a WQ thread sleeping at wait_woken() from
tipc_wait_for_rcvmsg() from sock_recvmsg() from sock_xmit() from
nbd_read_stat() from recv_work() scheduled by nbd_start_device() from
nbd_start_device_ioctl(). Fix this problem by always invoking
sk->sk_state_change() (like inet_shutdown() does) when tipc_shutdown() is
called.

The other problem is that tipc_wait_for_rcvmsg() cannot return when
tipc_shutdown() is called, for tipc_shutdown() sets sk->sk_shutdown to
SEND_SHUTDOWN (despite "how" is SHUT_RDWR) while tipc_wait_for_rcvmsg()
needs sk->sk_shutdown set to RCV_SHUTDOWN or SHUTDOWN_MASK. Fix this
problem by setting sk->sk_shutdown to SHUTDOWN_MASK (like inet_shutdown()
does) when the socket is connectionless.

[1] https://syzkaller.appspot.com/bug?id=3fe51d307c1f0a845485cf1798aa059d12bf18b2

Reported-by: syzbot <syzbot+e36f41d207137b5d12f7@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-09-02 15:49:30 -07:00
..
addr.c
addr.h
bcast.c
bcast.h
bearer.c
bearer.h
core.c
core.h
crypto.c tipc: fix using smp_processor_id() in preemptible 2020-08-30 19:12:17 -07:00
crypto.h
diag.c
discover.c
discover.h
eth_media.c tipc: Use is_broadcast_ether_addr() instead of memcmp() 2020-08-03 16:21:46 -07:00
group.c
group.h
ib_media.c
Kconfig tipc: not enable tipc when ipv6 works as a module 2020-08-16 21:04:55 -07:00
link.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-07-25 17:49:04 -07:00
link.h
Makefile
monitor.c
monitor.h
msg.c
msg.h
name_distr.c
name_distr.h
name_table.c
name_table.h
net.c
net.h
netlink.c
netlink.h
netlink_compat.c tipc: fix uninit skb->data in tipc_nl_compat_dumpit() 2020-08-16 21:03:19 -07:00
node.c
node.h
socket.c tipc: fix shutdown() of connectionless socket 2020-09-02 15:49:30 -07:00
socket.h
subscr.c
subscr.h
sysctl.c
topsrv.c
topsrv.h
trace.c
trace.h
udp_media.c ipv6: some fixes for ipv6_dev_find() 2020-08-18 15:58:53 -07:00
udp_media.h