From patchwork Tue Oct 12 20:05:29 2021 X-Patchwork-Submitter: Ralf Baechle X-Patchwork-Id: 12553631 X-Patchwork-Delegate: kuba@kernel.org Message-Id: <2dea23e9208d008e74faddf92acf4ef557f97a85.1634069168.git.ralf@linux-mips.org> 
From: Ralf Baechle Date: Tue, 12 Oct 2021 22:05:29 +0200 Subject: [PATCH v2 1/2] ax25: Fix use of copy_from_sockptr() in ax25_setsockopt() To: netdev@vger.kernel.org Cc: "David S. Miller" , Jakub Kicinski , Christoph Hellwig , Thomas Osterried , linux-hams@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org The destination pointer passed to copy_from_sockptr() is an unsigned long * but the source in userspace is an unsigned int. This happens to work on 32 bit but breaks 64-bit where bytes 4..7 will not be initialized. By luck it may work on little endian but on big endian where the userspace data is copied to the upper 32 bit of the destination it's most likely going to break. Signed-off-by: Ralf Baechle Reviewed-by: Christoph Hellwig Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt") --- net/ax25/af_ax25.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 2631efc6e359..5e7ab76f7f9b 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -534,7 +534,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, ax25_cb *ax25; struct net_device *dev; char devname[IFNAMSIZ]; - unsigned long opt; + unsigned int opt; int res = 0; if (level != SOL_AX25) @@ -566,7 +566,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; case AX25_T1: - if (opt < 1 || opt > ULONG_MAX / HZ) { + if (opt < 1 || opt > UINT_MAX / HZ) { res = -EINVAL; break; } @@ -575,7 +575,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; case AX25_T2: - if (opt < 1 || opt > ULONG_MAX / HZ) { + if (opt < 1 || opt > UINT_MAX / HZ) { res = -EINVAL; break; } @@ -591,7 +591,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; case AX25_T3: - if (opt < 1 || opt > ULONG_MAX / HZ) { + if (opt < 1 || opt > UINT_MAX / HZ) { res = -EINVAL; break; } 
@@ -599,7 +599,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; case AX25_IDLE: - if (opt > ULONG_MAX / (60 * HZ)) { + if (opt > UINT_MAX / (60 * HZ)) { res = -EINVAL; break; } From patchwork Tue Oct 12 20:05:30 2021 X-Patchwork-Submitter: Ralf Baechle X-Patchwork-Id: 12553633 X-Patchwork-Delegate: kuba@kernel.org Message-Id: <4a2f53386509164e60531750a02480a4c032d51a.1634069168.git.ralf@linux-mips.org> In-Reply-To: <2dea23e9208d008e74faddf92acf4ef557f97a85.1634069168.git.ralf@linux-mips.org> References: 
<2dea23e9208d008e74faddf92acf4ef557f97a85.1634069168.git.ralf@linux-mips.org> From: Ralf Baechle Date: Tue, 12 Oct 2021 22:05:30 +0200 Subject: [PATCH 2/2] ax25: Fix deadlock hang during concurrent read and write on socket. To: netdev@vger.kernel.org Cc: "David S. Miller" , Jakub Kicinski , Christoph Hellwig , Thomas Osterried , linux-hams@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org From: Thomas Habets Before this patch, this hangs, because the read(2) blocks the write(2). Before: strace -f -eread,write ./examples/client_lockcheck M0THC-9 M0THC-0 M0THC-2 strace: Process 3888 attached [pid 3888] read(3, [pid 3887] write(3, "hello world", 11 [hang] After: strace -f -eread,write ./examples/client_lockcheck M0THC-9 M0THC-0 M0THC-2 strace: Process 2433 attached [pid 2433] read(3, [pid 2432] write(3, "hello world", 11) = 11 [pid 2433] <... read resumed> "yo", 1000) = 2 [pid 2433] write(1, "yo\n", 3yo ) = 3 [successful exit] Signed-off-by: Thomas Habets Signed-off-by: Ralf Baechle Reported-by: kernel test robot --- net/ax25/af_ax25.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 5e7ab76f7f9b..d2d0dd744bb4 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -1624,22 +1624,22 @@ static int ax25_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, int copied; int err = 0; - lock_sock(sk); /* * This works for seqpacket too. The receiver has ordered the * queue for us! We do one quick check first though */ if (sk->sk_type == SOCK_SEQPACKET && sk->sk_state != TCP_ESTABLISHED) { err = -ENOTCONN; - goto out; + goto out_nolock; } /* Now we can treat all alike */ skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, flags & MSG_DONTWAIT, &err); if (skb == NULL) - goto out; + goto out_nolock; + lock_sock(sk); if (!sk_to_ax25(sk)->pidincl) skb_pull(skb, 1); /* Remove PID */ 
@@ -1684,6 +1684,7 @@ static int ax25_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, out: release_sock(sk); +out_nolock: return err; }
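Review bot: In patch 1/2, first hunk (@@ -534), `opt` becomes `unsigned int`, but the copy_from_sockptr() call that the commit message is about lies outside the shown context, so the diff alone does not show that the copy length matches the new type. Passing sizeof(opt) as the length, and checking optlen against the same expression, would tie the two together and keep this kind of size mismatch from returning if the type changes again.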
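Review bot: In patch 1/2, the AX25_T1 hunk (@@ -566), and likewise the AX25_T2, AX25_T3 and AX25_IDLE hunks, the upper bound moves from ULONG_MAX / HZ to UINT_MAX / HZ. On 32-bit the two limits are the same, but on 64-bit the largest accepted value drops, so timer values above UINT_MAX / HZ are now rejected with -EINVAL. That is a user-visible change beyond fixing the copy, and the commit message does not mention it. Please state it there and say which destination field the bound protects, since the assignments are not in the shown context. The check `if (opt < 1 || opt > UINT_MAX / HZ)` is repeated three times and could become a small helper.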
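Review bot: In patch 2/2, first hunk (@@ -1624), the sk->sk_type / sk->sk_state test that returns -ENOTCONN now runs before lock_sock(sk), so sk_state is read without the socket lock and can change between the check and the skb_recv_datagram() call. Add a comment saying why the unlocked read is acceptable here. The commit message shows strace output before and after but not the cause. One sentence stating that ax25_recvmsg() held the socket lock while waiting in skb_recv_datagram() would make the locking change easier to review. Unlike 1/2, there is also no Fixes: tag.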
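Review bot: In patch 2/2, second hunk (@@ -1684), `out_nolock:` is added directly below release_sock(sk), and both `goto out` sites visible in the first hunk now jump to it. The lines between the two hunks are not shown. If no `goto out` is left there, the `out:` label is unused and should be removed as part of this change.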