Commit 6b22d433 authored by Chuck Lever's avatar Chuck Lever Committed by Paolo Abeni
Browse files

net/handshake: Pass negative errno through handshake_complete() 



handshake_complete() declares status as unsigned int and
tls_handshake_done() negates that value (-status) before handing
it to the TLS consumer. Consumers match on negative errno
constants -- xs_tls_handshake_done() has

	switch (status) {
	case 0:
	case -EACCES:
	case -ETIMEDOUT:
		lower_transport->xprt_err = status;
		break;
	default:
		lower_transport->xprt_err = -EACCES;
	}

so the API as designed expects callers to pass positive errno
values that the tlshd shim then negates.

Three internal callers in handshake_nl_accept_doit(), the
net-exit drain, and a kunit test follow kernel convention and
pass negative errnos -- -EIO, -ETIMEDOUT, -ETIMEDOUT. The
implicit conversion to unsigned int turns -ETIMEDOUT into
0xFFFFFF92; the subsequent -status in tls_handshake_done()
wraps back to 110, the consumer's switch falls through, and
the xprt reports -EACCES on what should be -ETIMEDOUT or -EIO.

Fix the API rather than the call sites. The natural kernel
convention is negative errno in, negative errno out. Change
handshake_complete() and hp_done to take int status, drop the
negation in tls_handshake_done(), and negate once in
handshake_nl_done_doit() where status arrives from the wire
as an unsigned netlink attribute. The three internal callers
were already correct under that convention and need no change.

At the same wire boundary, declare MAX_ERRNO as the netlink
policy upper bound for HANDSHAKE_A_DONE_STATUS. Attribute
validation rejects out-of-range values before
handshake_nl_done_doit() runs, and negating a bounded u32 there
stays within int range -- closing the UBSAN-visible signed-
integer overflow that an unconstrained u32 would invoke.

Fixes: 3b3009ea ("net/handshake: Create a NETLINK service for handling handshake requests")
Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
Reviewed-by: default avatarHannes Reinecke <hare@kernel.org>
Link: https://patch.msgid.link/20260525-handshake-file-pin-v3-3-66c616906ead@oracle.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parent 9015985b

Documentation/netlink/specs/handshake.yaml

+8 −0
Original line number Diff line number Diff line
@@ -12,6 +12,12 @@ protocol: genetlink 
doc: Netlink protocol to request a transport layer security handshake.



definitions:

  -

    type: const

    name: max-errno

    value: 4095

    header: linux/err.h

    scope: kernel

  -

    type: enum

    name: handler-class
@@ -80,6 +86,8 @@ attribute-sets: 
      -

        name: status

        type: u32

        checks:

          max: max-errno

      -

        name: sockfd

        type: s32

net/handshake/genl.c

+2 −1
Original line number Diff line number Diff line
@@ -10,6 +10,7 @@ 
#include "genl.h"



#include <uapi/linux/handshake.h>

#include <linux/err.h>



/* HANDSHAKE_CMD_ACCEPT - do */

static const struct nla_policy handshake_accept_nl_policy[HANDSHAKE_A_ACCEPT_HANDLER_CLASS + 1] = {
@@ -18,7 +19,7 @@ static const struct nla_policy handshake_accept_nl_policy[HANDSHAKE_A_ACCEPT_HAN 


/* HANDSHAKE_CMD_DONE - do */

static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_REMOTE_AUTH + 1] = {

	[HANDSHAKE_A_DONE_STATUS] = { .type = NLA_U32, },

	[HANDSHAKE_A_DONE_STATUS] = NLA_POLICY_MAX(NLA_U32, MAX_ERRNO),

	[HANDSHAKE_A_DONE_SOCKFD] = { .type = NLA_S32, },

	[HANDSHAKE_A_DONE_REMOTE_AUTH] = { .type = NLA_U32, },

};

net/handshake/genl.h

+1 −0
Original line number Diff line number Diff line
@@ -11,6 +11,7 @@ 
#include <net/genetlink.h>



#include <uapi/linux/handshake.h>

#include <linux/err.h>



int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info);

int handshake_nl_done_doit(struct sk_buff *skb, struct genl_info *info);

net/handshake/handshake-test.c

+1 −1
Original line number Diff line number Diff line
@@ -25,7 +25,7 @@ static int test_accept_func(struct handshake_req *req, struct genl_info *info, 
	return 0;

}



static void test_done_func(struct handshake_req *req, unsigned int status,

static void test_done_func(struct handshake_req *req, int status,

			   struct genl_info *info)

{

}

net/handshake/handshake.h

+2 −2
Original line number Diff line number Diff line
@@ -57,7 +57,7 @@ struct handshake_proto { 
	int			(*hp_accept)(struct handshake_req *req,

					     struct genl_info *info, int fd);

	void			(*hp_done)(struct handshake_req *req,

					   unsigned int status,

					   int status,

					   struct genl_info *info);

	void			(*hp_destroy)(struct handshake_req *req);

};
@@ -86,7 +86,7 @@ struct handshake_req *handshake_req_hash_lookup(struct sock *sk); 
struct handshake_req *handshake_req_next(struct handshake_net *hn, int class);

int handshake_req_submit(struct socket *sock, struct handshake_req *req,

			 gfp_t flags);

void handshake_complete(struct handshake_req *req, unsigned int status,

void handshake_complete(struct handshake_req *req, int status,

			struct genl_info *info);

bool handshake_req_cancel(struct sock *sk);