From: Stefano Garzarella sgarzare@redhat.com
mainline inclusion
from mainline-v5.10-rc6
commit 3fe356d58efae54dade9ec94ea7c919ed20cf4db
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I94J63
CVE: CVE-2021-47024
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Starting from commit 8692cefc433f ("virtio_vsock: Fix race condition in virtio_transport_recv_pkt"), we discard packets in virtio_transport_recv_pkt() if the socket has been released.
When the socket is connected, we schedule a delayed work to wait for the RST packet from the other peer, also if SHUTDOWN_MASK is set in sk->sk_shutdown. This is done to complete the virtio-vsock shutdown algorithm, releasing the port assigned to the socket definitively only when the other peer has consumed all the packets.
If we discard the RST packet received, the socket will be closed only when the VSOCK_CLOSE_TIMEOUT is reached.
Sergio discovered the issue while running the ab(1) HTTP benchmark using libkrun [1] and observing a latency increase with that commit.
To avoid this issue, we discard the packet only if the socket is really closed (SOCK_DONE flag is set). We also set SOCK_DONE in virtio_transport_release() when we don't need to wait for any packets from the other peer (we didn't schedule the delayed work). In this case we remove the socket from the vsock lists, releasing the port assigned.
[1] https://github.com/containers/libkrun
Fixes: 8692cefc433f ("virtio_vsock: Fix race condition in virtio_transport_recv_pkt")
Cc: justin.he@arm.com
Reported-by: Sergio Lopez slp@redhat.com
Tested-by: Sergio Lopez slp@redhat.com
Signed-off-by: Stefano Garzarella sgarzare@redhat.com
Acked-by: Jia He justin.he@arm.com
Link: https://lore.kernel.org/r/20201120104736.73749-1-sgarzare@redhat.com
Signed-off-by: Jakub Kicinski kuba@kernel.org
Conflicts: net/vmw_vsock/virtio_transport_common.c
Signed-off-by: Ziyang Xuan william.xuanziyang@huawei.com
---
 net/vmw_vsock/virtio_transport_common.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 723ea42d7a40..ff46c0fcc02b 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -810,8 +810,10 @@ void virtio_transport_release(struct vsock_sock *vsk) } release_sock(sk);
- if (remove_sock) + if (remove_sock) { + sock_set_flag(sk, SOCK_DONE); vsock_remove_sock(vsk); + } } EXPORT_SYMBOL_GPL(virtio_transport_release);
@@ -1037,8 +1039,8 @@ void virtio_transport_recv_pkt(struct virtio_vsock_pkt *pkt)
lock_sock(sk);
- /* Check if sk has been released before lock_sock */ - if (sk->sk_shutdown == SHUTDOWN_MASK) { + /* Check if sk has been closed before lock_sock */ + if (sock_flag(sk, SOCK_DONE)) { (void)virtio_transport_reset_no_sock(pkt); release_sock(sk); sock_put(sk);
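Review bot: in the virtio_transport_release() hunk, sock_set_flag(sk, SOCK_DONE) is placed after release_sock(sk), so the flag is written without the socket lock held, while virtio_transport_recv_pkt() tests it immediately after lock_sock(sk). A packet that takes the lock between release_sock(sk) and the flag write will not see the socket as closed. Consider setting the flag before release_sock(sk) when remove_sock is true, or add a comment explaining why the unlocked write is safe at this point. Separately, the Conflicts: line in the backport message names the file but not what was resolved; a one-line description would make it easier to compare this version against the mainline commit.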
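Review bot: in the virtio_transport_recv_pkt() hunk, the new comment "Check if sk has been closed before lock_sock" does not record why the test changed from sk->sk_shutdown == SHUTDOWN_MASK to sock_flag(sk, SOCK_DONE). The commit message explains that a connected socket with SHUTDOWN_MASK set may still be waiting for the peer's RST, so only SOCK_DONE means the packet can be discarded. Putting that reason in the comment would help keep a later change from reintroducing the sk_shutdown test and the VSOCK_CLOSE_TIMEOUT delay that came with it.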