linux/net/rxrpc
David Howells b0f571ecd7 rxrpc: Fix locking in rxrpc's sendmsg
Fix three bugs in the rxrpc's sendmsg implementation:

 (1) rxrpc_new_client_call() should release the socket lock when returning
     an error from rxrpc_get_call_slot().

 (2) rxrpc_wait_for_tx_window_intr() will return without the call mutex
     held in the event that we're interrupted by a signal whilst waiting
     for tx space on the socket or relocking the call mutex afterwards.

     Fix this by: (a) moving the unlock/lock of the call mutex up to
     rxrpc_send_data() such that the lock is not held around all of
     rxrpc_wait_for_tx_window*() and (b) indicating to higher callers
     whether we're return with the lock dropped.  Note that this means
     recvmsg() will not block on this call whilst we're waiting.

 (3) After dropping and regaining the call mutex, rxrpc_send_data() needs
     to go and recheck the state of the tx_pending buffer and the
     tx_total_len check in case we raced with another sendmsg() on the same
     call.

Thinking on this some more, it might make sense to have different locks for
sendmsg() and recvmsg().  There's probably no need to make recvmsg() wait
for sendmsg().  It does mean that recvmsg() can return MSG_EOR indicating
that a call is dead before a sendmsg() to that call returns - but that can
currently happen anyway.

Without fix (2), something like the following can be induced:

	WARNING: bad unlock balance detected!
	5.16.0-rc6-syzkaller #0 Not tainted
	-------------------------------------
	syz-executor011/3597 is trying to release lock (&call->user_mutex) at:
	[<ffffffff885163a3>] rxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748
	but there are no more locks to release!

	other info that might help us debug this:
	no locks held by syz-executor011/3597.
	...
	Call Trace:
	 <TASK>
	 __dump_stack lib/dump_stack.c:88 [inline]
	 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
	 print_unlock_imbalance_bug include/trace/events/lock.h:58 [inline]
	 __lock_release kernel/locking/lockdep.c:5306 [inline]
	 lock_release.cold+0x49/0x4e kernel/locking/lockdep.c:5657
	 __mutex_unlock_slowpath+0x99/0x5e0 kernel/locking/mutex.c:900
	 rxrpc_do_sendmsg+0xc13/0x1350 net/rxrpc/sendmsg.c:748
	 rxrpc_sendmsg+0x420/0x630 net/rxrpc/af_rxrpc.c:561
	 sock_sendmsg_nosec net/socket.c:704 [inline]
	 sock_sendmsg+0xcf/0x120 net/socket.c:724
	 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
	 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463
	 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
	 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
	 entry_SYSCALL_64_after_hwframe+0x44/0xae

[Thanks to Hawkins Jiawei and Khalid Masum for their attempts to fix this]

Fixes: bc5e3a546d ("rxrpc: Use MSG_WAITALL to tell sendmsg() to temporarily ignore signals")
Reported-by: syzbot+7f0483225d0c94cb3441@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
Tested-by: syzbot+7f0483225d0c94cb3441@syzkaller.appspotmail.com
cc: Hawkins Jiawei <yin31149@gmail.com>
cc: Khalid Masum <khalid.masum.92@gmail.com>
cc: Dan Carpenter <dan.carpenter@oracle.com>
cc: linux-afs@lists.infradead.org
Link: https://lore.kernel.org/r/166135894583.600315.7170979436768124075.stgit@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-08-25 12:39:40 -07:00
..
af_rxrpc.c rxrpc: Use refcount_t rather than atomic_t 2022-05-22 21:03:01 +01:00
ar-internal.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-23 21:19:17 -07:00
call_accept.c rxrpc: Fix locking issue 2022-05-22 21:03:01 +01:00
call_event.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-23 21:19:17 -07:00
call_object.c rxrpc: Fix locking in rxrpc's sendmsg 2022-08-25 12:39:40 -07:00
conn_client.c rxrpc: Use refcount_t rather than atomic_t 2022-05-22 21:03:01 +01:00
conn_event.c rxrpc: Merge prime_packet_security into init_connection_security 2020-11-23 18:09:30 +00:00
conn_object.c rxrpc, afs: Fix selection of abort codes 2022-05-22 21:03:02 +01:00
conn_service.c rxrpc: Use refcount_t rather than atomic_t 2022-05-22 21:03:01 +01:00
input.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-23 21:19:17 -07:00
insecure.c rxrpc: Ask the security class how much space to allow in a packet 2020-11-23 19:53:11 +00:00
Kconfig net: RxRPC: make dependent Kconfig symbols be shown indented 2021-08-18 10:12:11 +01:00
key.c rxrpc: Fix handling of an unsupported token type in rxrpc_read() 2021-01-13 10:38:00 -08:00
local_event.c rxrpc: Fix a typo 2021-06-02 14:01:55 -07:00
local_object.c rxrpc: Use refcount_t rather than atomic_t 2022-05-22 21:03:01 +01:00
Makefile rxrpc: Split the server key type (rxrpc_s) into its own file 2020-11-23 18:09:29 +00:00
misc.c rxrpc: Fix the excessive initial retransmission timeout 2020-05-11 16:42:28 +01:00
net_ns.c rxrpc: Fix locking issue 2022-05-22 21:03:01 +01:00
output.c rxrpc: Fix decision on when to generate an IDLE ACK 2022-05-22 21:30:53 +01:00
peer_event.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
peer_object.c rxrpc: Use refcount_t rather than atomic_t 2022-05-22 21:03:01 +01:00
proc.c rxrpc: Fix locking issue 2022-05-22 21:03:01 +01:00
protocol.h net: delete extra space and tab in blank line 2022-07-25 19:38:31 -07:00
recvmsg.c rxrpc: Fix decision on when to generate an IDLE ACK 2022-05-22 21:30:53 +01:00
rtt.c rxrpc: Fix _usecs_to_jiffies() by using usecs_to_jiffies() 2021-09-24 14:18:34 +01:00
rxkad.c net: rxrpc: fix clang -Wformat warning 2022-07-08 20:15:11 -07:00
security.c rxrpc: Hand server key parsing off to the security class 2020-11-23 18:09:29 +00:00
sendmsg.c rxrpc: Fix locking in rxrpc's sendmsg 2022-08-25 12:39:40 -07:00
server_key.c rxrpc: fix some null-ptr-deref bugs in server_key.c 2022-03-31 15:21:31 +02:00
skbuff.c rxrpc: Use refcount_t rather than atomic_t 2022-05-22 21:03:01 +01:00
sysctl.c rxrpc: Fix listen() setting the bar too high for the prealloc rings 2022-05-22 21:30:53 +01:00
utils.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00