From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ka-Cheong Poon, Santosh Shilimkar, Sowmini Varadhan, "David S. Miller", Sasha Levin
Subject: [PATCH 4.14 208/496] rds: Incorrect reference counting in TCP socket creation
Date: Mon, 28 May 2018 11:59:53 +0200
Message-Id: <20180528100328.701966267@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100319.498712256@linuxfoundation.org>
References: <20180528100319.498712256@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ka-Cheong Poon

[ Upstream commit 84eef2b2187ed73c0e4520cbfeb874e964a0b56a ]

Commit 0933a578cd55 ("rds: tcp: use sock_create_lite() to create the accept socket") has a reference counting issue in TCP socket creation when accepting a new connection. The code uses sock_create_lite() to create a kernel socket. But it does not do __module_get() on the socket owner. When the connection is shutdown and sock_release() is called to free the socket, the owner's reference count is decremented and becomes incorrect. Note that this bug only shows up when the socket owner is configured as a kernel module.

v2: Update comments

Fixes: 0933a578cd55 ("rds: tcp: use sock_create_lite() to create the accept socket")
Signed-off-by: Ka-Cheong Poon
Acked-by: Santosh Shilimkar
Acked-by: Sowmini Varadhan
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
--- net/rds/tcp_listen.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) --- a/net/rds/tcp_listen.c +++ b/net/rds/tcp_listen.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2006 Oracle. All rights reserved. + * Copyright (c) 2006, 2018 Oracle. All rights reserved. * * This software is available to you under a choice of one of two * licenses. You may choose to be licensed under the terms of the GNU @@ -142,12 +142,20 @@ int rds_tcp_accept_one(struct socket *so if (ret) goto out; - new_sock->type = sock->type; - new_sock->ops = sock->ops; ret = sock->ops->accept(sock, new_sock, O_NONBLOCK, true); if (ret < 0) goto out; + /* sock_create_lite() does not get a hold on the owner module so we + * need to do it here. Note that sock_release() uses sock->ops to + * determine if it needs to decrement the reference count. So set + * sock->ops after calling accept() in case that fails. And there's + * no need to do try_module_get() as the listener should have a hold + * already. + */ + new_sock->ops = sock->ops; + __module_get(new_sock->ops->owner); + ret = rds_tcp_keepalive(new_sock); if (ret < 0) goto out;
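
Review bot: In the rds_tcp_accept_one() hunk, the line "new_sock->type = sock->type;" is removed together with the ops assignment but only the ops assignment is re-added after accept(), and neither the changelog nor the new comment says why the type assignment can go. If the type is already set by the socket creation call above this context, please say so in the commit message so a backport reviewer does not have to look it up. The new comment also says "set sock->ops after calling accept()" while the line it documents assigns new_sock->ops; naming new_sock there would avoid confusion with the listener's sock, whose ops are read on the same line. Finally, accept() is now invoked while new_sock->ops is still unset, which the comment justifies only from the sock_release() side; a short sentence stating that the accept implementation does not depend on the new socket's ops would close that gap.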
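
The reference-count imbalance described in the commit message, as an added userspace model (not kernel code and not part of the original patch). The `*_model` functions and `accept_cycle()` are hypothetical stand-ins that reproduce only the behaviour the changelog and the patch comment state: the lite creation call takes no owner reference, and release drops one whenever ops is set.

```c
#include <stdio.h>

/* Simplified stand-ins for the kernel structures (model only). */
struct module { int refcnt; };
struct proto_ops { struct module *owner; };
struct socket { const struct proto_ops *ops; };

static void module_get_model(struct module *m) { m->refcnt++; }
static void module_put_model(struct module *m) { m->refcnt--; }

/* Like sock_create_lite(): returns a socket without pinning the owner. */
static void sock_create_lite_model(struct socket *s) { s->ops = NULL; }

/* Like sock_release(): drops an owner reference only when ops is set. */
static void sock_release_model(struct socket *s)
{
    if (s->ops) {
        struct module *owner = s->ops->owner;
        s->ops = NULL;
        module_put_model(owner);
    }
}

/* One accept-then-release cycle; returns the owner's refcount afterwards.
 * fixed:        0 = ordering before the patch, 1 = ordering after it
 * accept_fails: simulate sock->ops->accept() returning an error */
int accept_cycle(int fixed, int accept_fails)
{
    struct module owner = { .refcnt = 1 };   /* reference held by the listener */
    struct proto_ops ops = { .owner = &owner };
    struct socket listener = { .ops = &ops }, new_sock;

    sock_create_lite_model(&new_sock);
    if (!fixed)
        new_sock.ops = listener.ops;         /* ops set early, no reference taken */
    if (fixed && !accept_fails) {
        new_sock.ops = listener.ops;         /* set only once accept() succeeded */
        module_get_model(new_sock.ops->owner);
    }
    sock_release_model(&new_sock);           /* error path or later shutdown */
    return owner.refcnt;
}

int main(void)
{
    printf("before patch: ok=%d fail=%d\n", accept_cycle(0, 0), accept_cycle(0, 1));
    printf("after patch:  ok=%d fail=%d\n", accept_cycle(1, 0), accept_cycle(1, 1));
    return 0;
}
```

A result of 0 means the accepted socket's release consumed the listener's own reference; 1 means the count is balanced.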