Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp4052891pxb;
        Mon, 8 Feb 2021 06:54:07 -0800 (PST)
X-Google-Smtp-Source: ABdhPJw6hmbmyog6OngTGwLfyZ0EgrPP5ph5BZLXitTTT4KjSFxCWCxLMQgbezRUhc6W5t2WErJw
X-Received: by 2002:aa7:cb8f:: with SMTP id r15mr17678286edt.130.1612796047693;
        Mon, 08 Feb 2021 06:54:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1612796047; cv=none;
        d=google.com; s=arc-20160816;
        b=nZ80XctrSKwA6qaVBZGmVUPW6YzQa8yAbXy8sdhO/6tZ1Z/3yd54vwotvFT3bPNjFM
         39iZ8tiUbpgMYaFTeRHgRUi49XCfX09jRuUHXQ+JlyaZw+I87gU9sP3DZBCHwpZDI2Qz
         Aqevv7Nh/I9aS7e16H5a2ApA0XSCUpN27h1b280v9H7SD3S1MimUMRwBuRkcNOp0rdk6
         EopNBqEZvFzeq0cCQhube6UofBOiddCiXtuBlKiPMQGhkEBDPw3Lm7TAeAmOGx29V26H
         oV0RUPKz32IQbR9GsNJokxDrtxzPz3UhWd8WB0zTESQQHTpH2DFJ8KYo8ZWP7Gi2V33l
         Re7g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=hJ25Ui01C1ncQ+IMfWQfND73YP38mMdrHPvtKAqidhw=;
        b=shquw5ILFTQ/GMj0qnCN3L66Tg/qRPOBpHGKjOhIB6reCeQrC1SJFsk/LBvrHs41tC
         TG1PNRH0bath2G2dXH1uSKxdsRp8xTG4rd3bzQqeBjAHiGAb95jVCG8vc8XkEjcgUb7S
         icvEpvIqHWwl/cHglYcccRVI6e924exgfGp6Z856o2AlXtAWfa6QGuCSLhICB30r3qRJ
         0JImsrGbLdIGqQr4SPzacWRoTlP7B6cB8yQJquwrdz0XY7vELBaMXUUV1QNVVQAjsCP1
         40q2/8h3GACoSo+SfQ17048hhy2rPbe6PgUEGLGz+F6zy06cLwTYK7QZ5GIMeEPJsAo8
         SNFQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=iFkB5Qx+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id x94si15319699ede.277.2021.02.08.06.53.43;
        Mon, 08 Feb 2021 06:54:07 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=iFkB5Qx+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233029AbhBHOuu (ORCPT <rfc822;lkmldmj@gmail.com> + 99 others);
        Mon, 8 Feb 2021 09:50:50 -0500
Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:35553 "EHLO
        us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S232927AbhBHOok (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 8 Feb 2021 09:44:40 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1612795395;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:
         content-transfer-encoding:content-transfer-encoding;
        bh=hJ25Ui01C1ncQ+IMfWQfND73YP38mMdrHPvtKAqidhw=;
        b=iFkB5Qx+rhb5IROSdhq79S9NHtvRZslfVESH3VJKVD+FiOQAfI/Q4jp2Y5Vu+8+MJNrhOU
        xGuokUUTwbJu72D7OXftduxmtXV+Qsi8cVO7UI69nsgGQUEfxOY5PC5tETI/rvupBtalgS
        ZYXVf5l2kEr8jQ2+jbaJdJdlFcP/v3g=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-258-Ja8sH24zPYSqpZXLVrafYw-1; Mon, 08 Feb 2021 09:43:13 -0500
X-MC-Unique: Ja8sH24zPYSqpZXLVrafYw-1
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 564B31966322;
        Mon,  8 Feb 2021 14:43:11 +0000 (UTC)
Received: from steredhat.redhat.com (ovpn-115-25.ams2.redhat.com [10.36.115.25])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 899315D9DE;
        Mon,  8 Feb 2021 14:43:08 +0000 (UTC)
From:   Stefano Garzarella <sgarzare@redhat.com>
To:     kuba@kernel.org
Cc:     netdev@vger.kernel.org, Jorgen Hansen <jhansen@vmware.com>,
        Stephen Hemminger <sthemmin@microsoft.com>,
        "David S. Miller" <davem@davemloft.net>,
        Andy King <acking@vmware.com>, Wei Liu <wei.liu@kernel.org>,
        Dmitry Torokhov <dtor@vmware.com>,
        "K. Y. Srinivasan" <kys@microsoft.com>,
        George Zhang <georgezhang@vmware.com>,
        Haiyang Zhang <haiyangz@microsoft.com>,
        linux-kernel@vger.kernel.org, linux-hyperv@vger.kernel.org,
        Stefano Garzarella <sgarzare@redhat.com>
Subject: [PATCH net] vsock: fix locking in vsock_shutdown()
Date:   Mon,  8 Feb 2021 15:43:07 +0100
Message-Id: <20210208144307.83628-1-sgarzare@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In vsock_shutdown() we touched some socket fields without holding the
socket lock, such as 'state' and 'sk_flags'.

Also, after the introduction of multi-transport, we are accessing
'vsk->transport' in vsock_send_shutdown() without holding the lock
and this call can be made while the connection is in progress, so
the transport can change in the meantime.

To avoid issues, we hold the socket lock when we enter in
vsock_shutdown() and release it when we leave.

Among the transports that implement the 'shutdown' callback, only
hyperv_transport acquired the lock. Since the caller now holds it,
we no longer take it.

Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
 net/vmw_vsock/af_vsock.c         | 8 +++++---
 net/vmw_vsock/hyperv_transport.c | 2 --
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 4ea301fc2bf0..5546710d8ac1 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -943,10 +943,12 @@ static int vsock_shutdown(struct socket *sock, int mode)
 	 */
 
 	sk = sock->sk;
+
+	lock_sock(sk);
 	if (sock->state == SS_UNCONNECTED) {
 		err = -ENOTCONN;
 		if (sk->sk_type == SOCK_STREAM)
-			return err;
+			goto out;
 	} else {
 		sock->state = SS_DISCONNECTING;
 		err = 0;
@@ -955,10 +957,8 @@ static int vsock_shutdown(struct socket *sock, int mode)
 	/* Receive and send shutdowns are treated alike. */
 	mode = mode & (RCV_SHUTDOWN | SEND_SHUTDOWN);
 	if (mode) {
-		lock_sock(sk);
 		sk->sk_shutdown |= mode;
 		sk->sk_state_change(sk);
-		release_sock(sk);
 
 		if (sk->sk_type == SOCK_STREAM) {
 			sock_reset_flag(sk, SOCK_DONE);
@@ -966,6 +966,8 @@ static int vsock_shutdown(struct socket *sock, int mode)
 		}
 	}
 
+out:
+	release_sock(sk);
 	return err;
 }
 
diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index 630b851f8150..5a3beef73461 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -479,9 +479,7 @@ static int hvs_shutdown(struct vsock_sock *vsk, int mode)
 	if (!(mode & SEND_SHUTDOWN))
 		return 0;
 
-	lock_sock(sk);
 	hvs_shutdown_lock_held(vsk->trans, mode);
-	release_sock(sk);
 	return 0;
 }
 
-- 
2.29.2