Re: [PATCH net] vsock/bpf: Handle EINTR connect() racing against sockmap update

On Fri, Mar 07, 2025 at 10:27:50AM +0100, Michal Luczaj wrote:
Signal delivered during connect() may result in a disconnect of an already
TCP_ESTABLISHED socket. Problem is that such established socket might have
been placed in a sockmap before the connection was closed. We end up with a
SS_UNCONNECTED vsock in a sockmap. And this, combined with the ability to
reassign (unconnected) vsock's transport to NULL, breaks the sockmap
contract. As manifested by WARN_ON_ONCE.

Ensure the socket does not stay in sockmap.

WARNING: CPU: 10 PID: 1310 at net/vmw_vsock/vsock_bpf.c:90 vsock_bpf_recvmsg+0xb4b/0xdf0
CPU: 10 UID: 0 PID: 1310 Comm: a.out Tainted: G        W          6.14.0-rc4+
sock_recvmsg+0x1b2/0x220
__sys_recvfrom+0x190/0x270
__x64_sys_recvfrom+0xdc/0x1b0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fixes: 634f1a7110b4 ("vsock: support sockmap")
Signed-off-by: Michal Luczaj <mhal@xxxxxxx>
---
net/vmw_vsock/af_vsock.c  | 10 +++++++++-
net/vmw_vsock/vsock_bpf.c |  1 +
2 files changed, 10 insertions(+), 1 deletion(-)

I can't see this patch on the virtualization ML, are you using get_maintainer.pl?

$ ./scripts/get_maintainer.pl -f net/vmw_vsock/af_vsock.c
Stefano Garzarella <sgarzare@xxxxxxxxxx> (maintainer:VM SOCKETS (AF_VSOCK))
"David S. Miller" <davem@xxxxxxxxxxxxx> (maintainer:NETWORKING [GENERAL])
Eric Dumazet <edumazet@xxxxxxxxxx> (maintainer:NETWORKING [GENERAL])
Jakub Kicinski <kuba@xxxxxxxxxx> (maintainer:NETWORKING [GENERAL])
Paolo Abeni <pabeni@xxxxxxxxxx> (maintainer:NETWORKING [GENERAL])
Simon Horman <horms@xxxxxxxxxx> (reviewer:NETWORKING [GENERAL])
virtualization@xxxxxxxxxxxxxxx (open list:VM SOCKETS (AF_VSOCK))
netdev@xxxxxxxxxxxxxxx (open list:VM SOCKETS (AF_VSOCK))
linux-kernel@xxxxxxxxxxxxxxx (open list)

BTW the patch LGTM, thanks for the fix!

Reviewed-by: Stefano Garzarella <sgarzare@xxxxxxxxxx>


diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 7742a9ae0131310bba197830a241541b2cde6123..e5a6d1d413634f414370595c02bcd77664780d8e 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1581,7 +1581,15 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,

		if (signal_pending(current)) {
			err = sock_intr_errno(timeout);
-			sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE;
+			if (sk->sk_state == TCP_ESTABLISHED) {
+				/* Might have raced with a sockmap update. */
+				if (sk->sk_prot->unhash)
+					sk->sk_prot->unhash(sk);
+
+				sk->sk_state = TCP_CLOSING;
+			} else {
+				sk->sk_state = TCP_CLOSE;
+			}
			sock->state = SS_UNCONNECTED;
			vsock_transport_cancel_pkt(vsk);
			vsock_remove_connected(vsk);
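Review bot: The comment "Might have raced with a sockmap update." in the new TCP_ESTABLISHED branch is too terse for someone reading vsock_connect() without the commit message. Suggest spelling out the consequence given there: the socket may already have been placed in a sockmap and must not stay in it once sock->state is set to SS_UNCONNECTED. The NULL check on sk->sk_prot->unhash implies the callback is not always set; a few words on when it is set (the vsock_bpf.c hunk installs it) would make the guard self-explanatory. It is also worth stating whether calling unhash before sk->sk_state is changed to TCP_CLOSING is a requirement or incidental.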
diff --git a/net/vmw_vsock/vsock_bpf.c b/net/vmw_vsock/vsock_bpf.c
index 07b96d56f3a577af71021b1b8132743554996c4f..c68fdaf09046b68254dac3ea70ffbe73dfa45cef 100644
--- a/net/vmw_vsock/vsock_bpf.c
+++ b/net/vmw_vsock/vsock_bpf.c
@@ -127,6 +127,7 @@ static void vsock_bpf_rebuild_protos(struct proto *prot, const struct proto *bas
{
	*prot        = *base;
	prot->close  = sock_map_close;
+	prot->unhash = sock_map_unhash;
	prot->recvmsg = vsock_bpf_recvmsg;
	prot->sock_is_readable = sk_msg_is_readable;
}
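Review bot: No test accompanies the new "prot->unhash = sock_map_unhash;" assignment in vsock_bpf_rebuild_protos(), although the WARNING in the commit message (Comm: a.out) indicates a reproducer exists. Consider turning it into a selftest so the EINTR connect() versus sockmap update race stays covered. Since this line overwrites whatever unhash value was copied by "*prot = *base;", a sentence in the commit message confirming that nothing from the base proto is lost would also help.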

---
base-commit: b1455a45afcf789f98032ec93c16fea0facdec93
change-id: 20250305-vsock-trans-signal-race-d62f7718d099

Best regards,
--
Michal Luczaj <mhal@xxxxxxx>





