diff mbox series

[v2] net/rose: Fix to not accept on connected socket

Message ID 20230123194020.GA115501@ubuntu (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [v2] net/rose: Fix to not accept on connected socket | expand

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 22 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Hyunwoo Kim Jan. 23, 2023, 7:40 p.m. UTC
If listen() and accept() are called on a rose socket
that connect() is successful, accept() succeeds immediately.
This is because rose_connect() queues the skb to
sk->sk_receive_queue, and rose_accept() dequeues it.

This creates a child socket with the sk of the parent
rose socket, which can cause confusion.

Fix rose_listen() to return -EINVAL if the socket has
already been successfully connected, and add lock_sock
to prevent this issue.

Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
---
 net/rose/af_rose.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Kuniyuki Iwashima Jan. 25, 2023, 2:08 a.m. UTC | #1
From:   Hyunwoo Kim <v4bel@theori.io>
Date:   Mon, 23 Jan 2023 11:40:20 -0800
> If listen() and accept() are called on a rose socket
> that connect() is successful, accept() succeeds immediately.
> This is because rose_connect() queues the skb to
> sk->sk_receive_queue, and rose_accept() dequeues it.
> 
> This creates a child socket with the sk of the parent
> rose socket, which can cause confusion.
> 
> Fix rose_listen() to return -EINVAL if the socket has
> already been successfully connected, and add lock_sock
> to prevent this issue.
> 
> Signed-off-by: Hyunwoo Kim <v4bel@theori.io>

Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>


> ---
>  net/rose/af_rose.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
> index 36fefc3957d7..ca2b17f32670 100644
> --- a/net/rose/af_rose.c
> +++ b/net/rose/af_rose.c
> @@ -488,6 +488,12 @@ static int rose_listen(struct socket *sock, int backlog)
>  {
>  	struct sock *sk = sock->sk;
>  
> +	lock_sock(sk);
> +	if (sock->state != SS_UNCONNECTED) {
> +		release_sock(sk);
> +		return -EINVAL;
> +	}
> +
>  	if (sk->sk_state != TCP_LISTEN) {
>  		struct rose_sock *rose = rose_sk(sk);
>  
> @@ -497,8 +503,10 @@ static int rose_listen(struct socket *sock, int backlog)
>  		memset(rose->dest_digis, 0, AX25_ADDR_LEN * ROSE_MAX_DIGIS);
>  		sk->sk_max_ack_backlog = backlog;
>  		sk->sk_state           = TCP_LISTEN;
> +		release_sock(sk);
>  		return 0;
>  	}
> +	release_sock(sk);
>  
>  	return -EOPNOTSUPP;
>  }
> -- 
> 2.25.1
Kuniyuki Iwashima Jan. 25, 2023, 2:28 a.m. UTC | #2
From:   Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue, 24 Jan 2023 18:08:09 -0800
> From:   Hyunwoo Kim <v4bel@theori.io>
> Date:   Mon, 23 Jan 2023 11:40:20 -0800
> > If listen() and accept() are called on a rose socket
> > that connect() is successful, accept() succeeds immediately.
> > This is because rose_connect() queues the skb to
> > sk->sk_receive_queue, and rose_accept() dequeues it.

Same comment for the netrom patch here.
https://lore.kernel.org/netdev/20230125014347.65971-1-kuniyu@amazon.com/

The skb which the problematic accept() dequeues is created by
sendmsg(), not connect(), right ?


> > 
> > This creates a child socket with the sk of the parent
> > rose socket, which can cause confusion.
> > 
> > Fix rose_listen() to return -EINVAL if the socket has
> > already been successfully connected, and add lock_sock
> > to prevent this issue.
> > 
> > Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
> 
> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
> 
> 
> > ---
> >  net/rose/af_rose.c | 8 ++++++++
> >  1 file changed, 8 insertions(+)
> > 
> > diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
> > index 36fefc3957d7..ca2b17f32670 100644
> > --- a/net/rose/af_rose.c
> > +++ b/net/rose/af_rose.c
> > @@ -488,6 +488,12 @@ static int rose_listen(struct socket *sock, int backlog)
> >  {
> >  	struct sock *sk = sock->sk;
> >  
> > +	lock_sock(sk);
> > +	if (sock->state != SS_UNCONNECTED) {
> > +		release_sock(sk);
> > +		return -EINVAL;
> > +	}
> > +
> >  	if (sk->sk_state != TCP_LISTEN) {
> >  		struct rose_sock *rose = rose_sk(sk);
> >  
> > @@ -497,8 +503,10 @@ static int rose_listen(struct socket *sock, int backlog)
> >  		memset(rose->dest_digis, 0, AX25_ADDR_LEN * ROSE_MAX_DIGIS);
> >  		sk->sk_max_ack_backlog = backlog;
> >  		sk->sk_state           = TCP_LISTEN;
> > +		release_sock(sk);
> >  		return 0;
> >  	}
> > +	release_sock(sk);
> >  
> >  	return -EOPNOTSUPP;
> >  }
> > -- 
> > 2.25.1
diff mbox series

Patch

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 36fefc3957d7..ca2b17f32670 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -488,6 +488,12 @@  static int rose_listen(struct socket *sock, int backlog)
 {
 	struct sock *sk = sock->sk;
 
+	lock_sock(sk);
+	if (sock->state != SS_UNCONNECTED) {
+		release_sock(sk);
+		return -EINVAL;
+	}
+
 	if (sk->sk_state != TCP_LISTEN) {
 		struct rose_sock *rose = rose_sk(sk);
 
@@ -497,8 +503,10 @@  static int rose_listen(struct socket *sock, int backlog)
 		memset(rose->dest_digis, 0, AX25_ADDR_LEN * ROSE_MAX_DIGIS);
 		sk->sk_max_ack_backlog = backlog;
 		sk->sk_state           = TCP_LISTEN;
+		release_sock(sk);
 		return 0;
 	}
+	release_sock(sk);
 
 	return -EOPNOTSUPP;
 }