Commit f4251190 authored by Chuck Lever's avatar Chuck Lever Committed by Paolo Abeni
Browse files

net/handshake: hand off the pinned file reference to accept_doit 



handshake_req_next() removes the request from the per-net
pending list and drops hn_lock before handshake_nl_accept_doit()
reads req->hr_sk->sk_socket and dereferences sock->file (once in
FD_PREPARE() and again in get_file()).  In that window a
consumer running tls_handshake_cancel() followed by sockfd_put()
(svc_sock_free) or __fput_sync() (xs_reset_transport) releases
sock->file.  sock_release() then runs sock_orphan(), zeroing
sk_socket, and frees the struct socket.  The accept-side code
either reads NULL through sk_socket or chases freed memory.

The submit-side sock_hold() does not prevent this.  sk_refcnt
protects struct sock, but struct socket and sock->file are
independently refcounted via the file descriptor the consumer
owns.  Pinning sk leaves sock and sock->file unprotected.

Retarget the accept-side dereferences at req->hr_file, which was
pinned at submit time, instead of req->hr_sk->sk_socket->file.
Pinning on its own is not sufficient: a consumer that cancels
between handshake_req_next() returning and accept_doit reaching
FD_PREPARE() takes the !remove_pending() branch in
handshake_req_cancel() and drops hr_file before the accept side
takes its own reference.  Hand off an additional file reference
inside handshake_req_next(), under hn_lock, so the accept side
operates on a reference that no concurrent handshake_req_cancel()
can revoke.  FD_PREPARE() consumes that handed-off reference,
either by transferring it to the new fd in fd_publish() or by
dropping it in the cleanup destructor on error; the explicit
get_file() that previously balanced FD_PREPARE() is therefore
redundant and goes away.

Update handshake_req_cancel_test2 and _test3 to simulate the
FD_PREPARE() consumption with an fput() so the kunit file-count
assertions stay balanced.

Reported-by: default avatarChris Mason <clm@meta.com>
Fixes: 3b3009ea ("net/handshake: Create a NETLINK service for handling handshake requests")
Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
Reviewed-by: default avatarHannes Reinecke <hare@kernel.org>
Link: https://patch.msgid.link/20260525-handshake-file-pin-v3-5-66c616906ead@oracle.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parent 09dba37e

net/handshake/handshake-test.c

+8 −0
Original line number Diff line number Diff line
@@ -375,6 +375,10 @@ static void handshake_req_cancel_test2(struct kunit *test) 
	/* Pretend to accept this request */

	next = handshake_req_next(hn, HANDSHAKE_HANDLER_CLASS_TLSHD);

	KUNIT_ASSERT_PTR_EQ(test, req, next);

	/* Simulate FD_PREPARE() consuming the file reference handed

	 * off by handshake_req_next(); see handshake_nl_accept_doit().

	 */

	fput(filp);



	/* Act */

	result = handshake_req_cancel(sock->sk);
@@ -417,6 +421,10 @@ static void handshake_req_cancel_test3(struct kunit *test) 
	/* Pretend to accept this request */

	next = handshake_req_next(hn, HANDSHAKE_HANDLER_CLASS_TLSHD);

	KUNIT_ASSERT_PTR_EQ(test, req, next);

	/* Simulate FD_PREPARE() consuming the file reference handed

	 * off by handshake_req_next(); see handshake_nl_accept_doit().

	 */

	fput(filp);



	/* Pretend to complete this request */

	handshake_complete(next, -ETIMEDOUT, NULL);

net/handshake/netlink.c

+2 −5
Original line number Diff line number Diff line
@@ -92,7 +92,6 @@ int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info) 
	struct net *net = sock_net(skb->sk);

	struct handshake_net *hn = handshake_pernet(net);

	struct handshake_req *req = NULL;

	struct socket *sock;

	int class, err;



	err = -EOPNOTSUPP;
@@ -107,15 +106,13 @@ int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info) 
	err = -EAGAIN;

	req = handshake_req_next(hn, class);

	if (req) {

		sock = req->hr_sk->sk_socket;



		FD_PREPARE(fdf, O_CLOEXEC, sock->file);

		FD_PREPARE(fdf, O_CLOEXEC, req->hr_file);

		if (fdf.err) {

			fput(req->hr_file); /* drop ref from handshake_req_next() */

			err = fdf.err;

			goto out_complete;

		}



		get_file(sock->file); /* FD_PREPARE() consumes a reference. */

		err = req->hr_proto->hp_accept(req, info, fd_prepare_fd(fdf));

		if (err)

			goto out_complete; /* Automatic cleanup handles fput */

net/handshake/request.c

+18 −0
Original line number Diff line number Diff line
@@ -178,6 +178,17 @@ static bool remove_pending(struct handshake_net *hn, struct handshake_req *req) 
	return ret;

}



/**

 * handshake_req_next - Return the next queued handshake request

 * @hn: per-net handshake state

 * @class: handler class to match

 *

 * On a non-NULL return, the caller owns an extra reference

 * on @req->hr_file.  FD_PREPARE() consumes it on success; on

 * the FD_PREPARE() failure path the caller must fput() it.

 *

 * Return: pointer to a removed handshake_req, or NULL.

 */

struct handshake_req *handshake_req_next(struct handshake_net *hn, int class)

{

	struct handshake_req *req, *pos;
@@ -188,6 +199,13 @@ struct handshake_req *handshake_req_next(struct handshake_net *hn, int class) 
		if (pos->hr_proto->hp_handler_class != class)

			continue;

		__remove_pending_locked(hn, pos);

		/* Hand off a file reference to the accept side under

		 * hn_lock.  A concurrent handshake_req_cancel() can drop

		 * hr_file before accept reaches FD_PREPARE(); this extra

		 * reference keeps the file alive until FD_PREPARE() takes

		 * ownership.

		 */

		get_file(pos->hr_file);

		req = pos;

		break;

	}