Date: Fri, 02 Aug 2019 17:27:29 -0700 (PDT)
Message-Id: <20190802.172729.1656276508211556851.davem@davemloft.net>
To: decui@microsoft.com
Cc: sunilmut@microsoft.com, netdev@vger.kernel.org, kys@microsoft.com, haiyangz@microsoft.com, sthemmin@microsoft.com, sashal@kernel.org, mikelley@microsoft.com, linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org, olaf@aepfle.de, apw@canonical.com, jasowang@redhat.com, vkuznets@redhat.com, marcelo.cerri@canonical.com
Subject: Re: [PATCH v2 net] hv_sock: Fix hang when a connection is closed
From: David Miller

From: Dexuan Cui
Date: Wed, 31 Jul 2019 01:25:45 +0000

> There is a race condition for an established connection that is being closed
> by the guest: the refcnt is 4 at the end of hvs_release() (Note: here the
> 'remove_sock' is false):
>
> 1 for the initial value;
> 1 for the sk being in the bound list;
> 1 for the sk being in the connected list;
> 1 for the delayed close_work.
>
> After hvs_release() finishes, __vsock_release() -> sock_put(sk) *may*
> decrease the refcnt to 3.
>
> Concurrently, hvs_close_connection() runs in another thread:
> calls vsock_remove_sock() to decrease the refcnt by 2;
> call sock_put() to decrease the refcnt to 0, and free the sk;
> next, the "release_sock(sk)" may hang due to use-after-free.
>
> In the above, after hvs_release() finishes, if hvs_close_connection() runs
> faster than "__vsock_release() -> sock_put(sk)", then there is not any issue,
> because at the beginning of hvs_close_connection(), the refcnt is still 4.
>
> The issue can be resolved if an extra reference is taken when the
> connection is established.
>
> Fixes: a9eeb998c28d ("hv_sock: Add support for delayed close")
> Signed-off-by: Dexuan Cui

Applied and queued up for -stable.

Do not ever CC: stable for networking patches, we submit to -stable manually.

Thank you.
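
The reference counting described in the quoted commit message can be replayed with a small user-space model. This is an added example, not code from the patch or the kernel: `sk_model`, `model_put()`, `model_release_sock()` and `simulate()` are hypothetical names, the two thread orderings are replayed sequentially, and the point at which the extra reference is dropped (after `release_sock()`) is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the sk reference count; constructed for illustration. */
struct sk_model {
    int  refcnt;
    bool freed;
    bool used_after_free;
};

static void model_put(struct sk_model *sk, int n)
{
    sk->refcnt -= n;
    if (sk->refcnt == 0)
        sk->freed = true;            /* last reference gone: sk is freed */
}

static void model_release_sock(struct sk_model *sk)
{
    if (sk->freed)
        sk->used_after_free = true;  /* release_sock(sk) on a freed sk */
}

/* release_put_first: "__vsock_release() -> sock_put(sk)" runs before
 * hvs_close_connection(). extra_ref: one more reference was taken when
 * the connection was established. Returns true on use-after-free. */
bool simulate(bool release_put_first, bool extra_ref)
{
    struct sk_model sk = { .refcnt = extra_ref ? 5 : 4 };

    if (release_put_first)
        model_put(&sk, 1);           /* refcnt 4 -> 3 in the buggy case */
    model_put(&sk, 2);               /* vsock_remove_sock(): both lists */
    model_put(&sk, 1);               /* sock_put() for close_work */
    model_release_sock(&sk);
    if (extra_ref)
        model_put(&sk, 1);           /* assumption: dropped after release_sock() */
    if (!release_put_first)
        model_put(&sk, 1);           /* the late __vsock_release() put */
    return sk.used_after_free;
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("release_put_first=%d extra_ref=%d -> use-after-free=%d\n",
               i & 1, i >> 1, simulate(i & 1, i >> 1));
    return 0;
}
```

Only the ordering in which the `__vsock_release()` put lands first, without the extra reference, reaches `release_sock()` on a freed object.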