[PATCH openEuler-22.03-LTS-SP1 3/4] net/smc: Only save the original clcsock callback functions

2 Jul 2024

From: Wen Gu guwen@linux.alibaba.com
mainline inclusion
from mainline-v5.18-rc5
commit 97b9af7a70936e331170c79040cc9bf20071b566
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA72JN
CVE: CVE-2022-48721
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Both listen and fallback process will save the current clcsock
callback functions and establish new ones. But if both of them
happen, the saved callback functions will be overwritten.
So this patch introduces some helpers to ensure that only save
the original callback functions of clcsock.
Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback")
Signed-off-by: Wen Gu guwen@linux.alibaba.com
Acked-by: Karsten Graul kgraul@linux.ibm.com
Signed-off-by: Jakub Kicinski kuba@kernel.org
Conflicts:
    net/smc/af_smc.c
    net/smc/smc.h
[The conflict occurs because the commit c0bf3d8a943b("net/smc:
Transitional solution for clcsock race issue") and
e0e4b8fa5338("net/smc: Add SMC statistics support") are not
merged]
Signed-off-by: Zhengchao Shao shaozhengchao@huawei.com
---
 net/smc/af_smc.c    | 55 ++++++++++++++++++++++++++++-----------------
 net/smc/smc.h       | 29 ++++++++++++++++++++++++
 net/smc/smc_close.c |  3 ++-
 3 files changed, 66 insertions(+), 21 deletions(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index e630d676d963..2209afa125e4 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -258,6 +258,7 @@ static struct sock *smc_sock_alloc(struct net *net, struct socket *sock,
    sk->sk_prot->hash(sk);
    sk_refcnt_debug_inc(sk);
    mutex_init(&smc->clcsock_release_lock);
+	smc_init_saved_callbacks(smc);
return sk;
 }
@@ -622,15 +623,24 @@ static void smc_fback_error_report(struct sock *clcsk)
    smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_error_report);
 }
-static void smc_switch_to_fallback(struct smc_sock *smc)
+static void smc_fback_replace_callbacks(struct smc_sock *smc)
 {
-	struct sock *clcsk;
+	struct sock *clcsk = smc->clcsock->sk;
-	clcsk = smc->clcsock->sk;
+	clcsk->sk_user_data = (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
-	if (smc->use_fallback)
-		return;
+	smc_clcsock_replace_cb(&clcsk->sk_state_change, smc_fback_state_change,
+			       &smc->clcsk_state_change);
+	smc_clcsock_replace_cb(&clcsk->sk_data_ready, smc_fback_data_ready,
+			       &smc->clcsk_data_ready);
+	smc_clcsock_replace_cb(&clcsk->sk_write_space, smc_fback_write_space,
+			       &smc->clcsk_write_space);
+	smc_clcsock_replace_cb(&clcsk->sk_error_report, smc_fback_error_report,
+			       &smc->clcsk_error_report);
+}
+static void smc_switch_to_fallback(struct smc_sock *smc)
+{
    smc->use_fallback = true;
    if (smc->sk.sk_socket && smc->sk.sk_socket->file) {
    	smc->clcsock->file = smc->sk.sk_socket->file;
@@ -642,18 +652,7 @@ static void smc_switch_to_fallback(struct smc_sock *smc)
    	 * in smc sk->sk_wq and they should be woken up
    	 * as clcsock's wait queue is woken up.
    	 */
-		smc->clcsk_state_change = clcsk->sk_state_change;
-		smc->clcsk_data_ready = clcsk->sk_data_ready;
-		smc->clcsk_write_space = clcsk->sk_write_space;
-		smc->clcsk_error_report = clcsk->sk_error_report;
-
-		clcsk->sk_state_change = smc_fback_state_change;
-		clcsk->sk_data_ready = smc_fback_data_ready;
-		clcsk->sk_write_space = smc_fback_write_space;
-		clcsk->sk_error_report = smc_fback_error_report;
-
-		smc->clcsock->sk->sk_user_data =
-			(void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
+		smc_fback_replace_callbacks(smc);
    }
 }
@@ -1292,6 +1291,19 @@ static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc)
     * function; switch it back to the original sk_data_ready function
     */
    new_clcsock->sk->sk_data_ready = lsmc->clcsk_data_ready;
+
+	/* if new clcsock has also inherited the fallback-specific callback
+	 * functions, switch them back to the original ones.
+	 */
+	if (lsmc->use_fallback) {
+		if (lsmc->clcsk_state_change)
+			new_clcsock->sk->sk_state_change = lsmc->clcsk_state_change;
+		if (lsmc->clcsk_write_space)
+			new_clcsock->sk->sk_write_space = lsmc->clcsk_write_space;
+		if (lsmc->clcsk_error_report)
+			new_clcsock->sk->sk_error_report = lsmc->clcsk_error_report;
+	}
+
    (*new_smc)->clcsock = new_clcsock;
 out:
    return rc;
@@ -1994,13 +2006,16 @@ static int smc_listen(struct socket *sock, int backlog)
    /* save original sk_data_ready function and establish
     * smc-specific sk_data_ready function
     */
-	smc->clcsk_data_ready = smc->clcsock->sk->sk_data_ready;
-	smc->clcsock->sk->sk_data_ready = smc_clcsock_data_ready;
    smc->clcsock->sk->sk_user_data =
    	(void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
+	smc_clcsock_replace_cb(&smc->clcsock->sk->sk_data_ready,
+			       smc_clcsock_data_ready, &smc->clcsk_data_ready);
+
    rc = kernel_listen(smc->clcsock, backlog);
    if (rc) {
-		smc->clcsock->sk->sk_data_ready = smc->clcsk_data_ready;
+		smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+				       &smc->clcsk_data_ready);
+		smc->clcsock->sk->sk_user_data = NULL;
    	goto out;
    }
    sk->sk_max_ack_backlog = backlog;
diff --git a/net/smc/smc.h b/net/smc/smc.h
index 930544f7b2e2..c06add7db4af 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -265,12 +265,41 @@ static inline struct smc_sock *smc_sk(const struct sock *sk)
    return (struct smc_sock *)sk;
 }
+static inline void smc_init_saved_callbacks(struct smc_sock *smc)
+{
+	smc->clcsk_state_change = NULL;
+	smc->clcsk_data_ready   = NULL;
+	smc->clcsk_write_space  = NULL;
+	smc->clcsk_error_report = NULL;
+}
+
 static inline struct smc_sock *smc_clcsock_user_data(struct sock *clcsk)
 {
    return (struct smc_sock *)
           ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY);
 }
+/* save target_cb in saved_cb, and replace target_cb with new_cb */
+static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *),
+					  void (*new_cb)(struct sock *),
+					  void (**saved_cb)(struct sock *))
+{
+	/* only save once */
+	if (!*saved_cb)
+		*saved_cb = *target_cb;
+	*target_cb = new_cb;
+}
+
+/* restore target_cb to saved_cb, and reset saved_cb to NULL */
+static inline void smc_clcsock_restore_cb(void (**target_cb)(struct sock *),
+					  void (**saved_cb)(struct sock *))
+{
+	if (!*saved_cb)
+		return;
+	*target_cb = *saved_cb;
+	*saved_cb = NULL;
+}
+
 extern struct workqueue_struct	*smc_hs_wq;	/* wq for handshake work */
 extern struct workqueue_struct	*smc_close_wq;	/* wq for close work */
diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
index 84102db5bb31..a3f18eb545c2 100644
--- a/net/smc/smc_close.c
+++ b/net/smc/smc_close.c
@@ -211,7 +211,8 @@ int smc_close_active(struct smc_sock *smc)
    	sk->sk_state = SMC_CLOSED;
    	sk->sk_state_change(sk); /* wake up accept */
    	if (smc->clcsock && smc->clcsock->sk) {
-			smc->clcsock->sk->sk_data_ready = smc->clcsk_data_ready;
+			smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
+					       &smc->clcsk_data_ready);
    		smc->clcsock->sk->sk_user_data = NULL;
    		rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
    	}
-- 
2.34.1


    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-22.03-LTS-SP1 3/4] net/smc: Only save the original clcsock callback functions