From 824e433b07a51cb64d228d1a8acc7220f99d4e11 Mon Sep 17 00:00:00 2001 From: NeilBrown Date: Mon, 22 Jul 2024 14:18:52 +0800 Subject: [PATCH] SUNRPC: lock against ->sock changing during sysfs read mainline inclusion from mainline-v5.17-rc4 commit b49ea673e119f59c71645e2f65b3ccad857c90ee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADG5L CVE: CVE-2022-48816 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b49ea673e119f59c71645e2f65b3ccad857c90ee --------------------------- ->sock can be set to NULL asynchronously unless ->recv_mutex is held. So it is important to hold that mutex. Otherwise a sysfs read can trigger an oops. Commit 17f09d3f619a ("SUNRPC: Check if the xprt is connected before handling sysfs reads") appears to attempt to fix this problem, but it only narrows the race window. Fixes: 17f09d3f619a ("SUNRPC: Check if the xprt is connected before handling sysfs reads") Fixes: a8482488a7d6 ("SUNRPC query transport's source port") Signed-off-by: NeilBrown Signed-off-by: Anna Schumaker Conflicts: net/sunrpc/sysfs.c [Did not backport e44773daf851d.] Signed-off-by: Liu Jian --- net/sunrpc/xprtsock.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 0666f981618a..8d9a27b25ca5 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -1676,7 +1676,12 @@ static int xs_get_srcport(struct sock_xprt *transport) unsigned short get_srcport(struct rpc_xprt *xprt) { struct sock_xprt *sock = container_of(xprt, struct sock_xprt, xprt); - return xs_sock_getport(sock->sock); + unsigned short ret = 0; + mutex_lock(&sock->recv_mutex); + if (sock->sock) + ret = xs_sock_getport(sock->sock); + mutex_unlock(&sock->recv_mutex); + return ret; } EXPORT_SYMBOL(get_srcport); -- Gitee