Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2655736pxj; Mon, 14 Jun 2021 04:10:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy3sXUP1u1iGStbGSj5zpNuvM0a8P4mNb5R4uHSV86jBZWQHytrgoKYdwZZA7QtwGE2eK4m X-Received: by 2002:a17:906:a108:: with SMTP id t8mr14580045ejy.407.1623669027681; Mon, 14 Jun 2021 04:10:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623669027; cv=none; d=google.com; s=arc-20160816; b=EMh0cAbmZP4YUuN67Sw/QnV4u31oucLvuFF/RU1Ulw8zP8WNzaSPPDSjbARu4+X+iA wPOY5KJ/xiTw/5e1N3o1WrI07/n4uI5lEp1YkvVJn/0MsnDBXaKoba8zS006YafF83Xd HjOIeCZ//9F7TqzsQ7DmWsuEkcfkaHnV5Ou0a8Z6GWGd1g8PIRYqJPjjvNZLXVbeGVhW k1eKk4ux0FPibyXwnfdF8GAIz2VgIPIpkBlh6Cu6jzpBnATl1RCutIeCJPLpOuBHtOod npe9w9HSFeDtN+4wV8qZAr/TRusTLuzGmzFWCnSFgjUsE6H/vm5dPLo31C5j+PLOezg3 EN6Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Z/XRpe0/X2qs/VqMqck8Zt6qVZXKabrHy04VUiBEn2I=; b=JCw2cdTssHBmj1x536MnIgmwcxzYnAxB7oEazhs7IpUrfMfNnS/x+9h8NBI4OCn7s/ VTTK2/M2FLRhacR13avvJjVGgH0TmdoTD+Mz2K+HSWS/v4bkLtT91TiPMBhHXv093ija tM8YG84ha5YlPQsAYfHXeRCw9wzEli5OYcQkt0n1jACJ/zXqZPeRH/FFjBqfDfwH4l0V lBfpO6TW/wzrWslmJAgxG6aQKNtvw1zz8qJj+y3MBNBhjv1BW8DY4hkX3Btl+jTy4vaf m/4Wt//JWD+b/51HHFAsiU8Fvz/9TpX+6MCpoVTyy0T3f7nStUlB/wtsQ2SdOsg57urK SigA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=0x28FjoN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y18si11357378edr.488.2021.06.14.04.10.05; Mon, 14 Jun 2021 04:10:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=0x28FjoN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235321AbhFNLJ1 (ORCPT + 99 others); Mon, 14 Jun 2021 07:09:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:35366 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234706AbhFNK6w (ORCPT ); Mon, 14 Jun 2021 06:58:52 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 9C9E061428; Mon, 14 Jun 2021 10:41:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623667318; bh=CxMCCAMzI0oP1w1s1Sfs0yAhLqXb4sg5ETqeKvCJJos=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=0x28FjoNJYKuO4OMKm0G454mtZergqopnmg91OvmFgbFoZx0/RV++WsDjbp6R8YYS 1lnRyxlRKkddIJOFt3Uh+l9KB+DwGlPzBNx/Fdlyh8s4gCa35QkGZNglB7dmyIZszl dEe3PKkFGHCkEe+4bxP2NSxCKQlmCzY/FJ9Uu6lQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Rao Shoaib , "David S. Miller" , Sasha Levin Subject: [PATCH 5.10 024/131] RDS tcp loopback connection can hang Date: Mon, 14 Jun 2021 12:26:25 +0200 Message-Id: <20210614102653.825237266@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210614102652.964395392@linuxfoundation.org> References: <20210614102652.964395392@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Rao Shoaib [ Upstream commit aced3ce57cd37b5ca332bcacd370d01f5a8c5371 ] When TCP is used as transport and a program on the system connects to RDS port 16385, connection is accepted but denied per the rules of RDS. However, RDS connections object is left in the list. Next loopback connection will select that connection object as it is at the head of list. The connection attempt will hang as the connection object is set to connect over TCP which is not allowed The issue can be reproduced easily, use rds-ping to ping a local IP address. After that use any program like ncat to connect to the same IP address and port 16385. This will hang so ctrl-c out. Now try rds-ping, it will hang. To fix the issue this patch adds checks to disallow the connection object creation and destroys the connection object. Signed-off-by: Rao Shoaib Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/rds/connection.c | 23 +++++++++++++++++------ net/rds/tcp.c | 4 ++-- net/rds/tcp.h | 3 ++- net/rds/tcp_listen.c | 6 ++++++ 4 files changed, 27 insertions(+), 9 deletions(-) diff --git a/net/rds/connection.c b/net/rds/connection.c index f2fcab182095..a3bc4b54d491 100644 --- a/net/rds/connection.c +++ b/net/rds/connection.c @@ -240,12 +240,23 @@ static struct rds_connection *__rds_conn_create(struct net *net, if (loop_trans) { rds_trans_put(loop_trans); conn->c_loopback = 1; - if (is_outgoing && trans->t_prefer_loopback) { - /* "outgoing" connection - and the transport - * says it wants the connection handled by the - * loopback transport. This is what TCP does. - */ - trans = &rds_loop_transport; + if (trans->t_prefer_loopback) { + if (likely(is_outgoing)) { + /* "outgoing" connection to local address. + * Protocol says it wants the connection + * handled by the loopback transport. + * This is what TCP does. + */ + trans = &rds_loop_transport; + } else { + /* No transport currently in use + * should end up here, but if it + * does, reset/destroy the connection. + */ + kmem_cache_free(rds_conn_slab, conn); + conn = ERR_PTR(-EOPNOTSUPP); + goto out; + } } } diff --git a/net/rds/tcp.c b/net/rds/tcp.c index 43db0eca911f..abf19c0e3ba0 100644 --- a/net/rds/tcp.c +++ b/net/rds/tcp.c @@ -313,8 +313,8 @@ out: } #endif -static int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr, - __u32 scope_id) +int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr, + __u32 scope_id) { struct net_device *dev = NULL; #if IS_ENABLED(CONFIG_IPV6) diff --git a/net/rds/tcp.h b/net/rds/tcp.h index bad9cf49d565..dc8d745d6857 100644 --- a/net/rds/tcp.h +++ b/net/rds/tcp.h @@ -59,7 +59,8 @@ u32 rds_tcp_snd_una(struct rds_tcp_connection *tc); u64 rds_tcp_map_seq(struct rds_tcp_connection *tc, u32 seq); extern struct rds_transport rds_tcp_transport; void rds_tcp_accept_work(struct sock *sk); - +int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr, + __u32 scope_id); /* tcp_connect.c */ int rds_tcp_conn_path_connect(struct rds_conn_path *cp); void rds_tcp_conn_path_shutdown(struct rds_conn_path *conn); diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c index 101cf14215a0..09cadd556d1e 100644 --- a/net/rds/tcp_listen.c +++ b/net/rds/tcp_listen.c @@ -167,6 +167,12 @@ int rds_tcp_accept_one(struct socket *sock) } #endif + if (!rds_tcp_laddr_check(sock_net(sock->sk), peer_addr, dev_if)) { + /* local address connection is only allowed via loopback */ + ret = -EOPNOTSUPP; + goto out; + } + conn = rds_conn_create(sock_net(sock->sk), my_addr, peer_addr, &rds_tcp_transport, 0, GFP_KERNEL, dev_if); -- 2.30.2