Page MenuHomeFreeBSD
Differential D38504

ktls: Fix interlocking between ktls_enable_rx() and listen(2)
ClosedPublic
Actions

Authored by markj on Feb 11 2023, 3:23 PM.
Tags
None
Referenced Files
Unknown Object (File)
Feb 18 2024, 3:40 AM
Unknown Object (File)
Jan 31 2024, 4:42 AM
Unknown Object (File)
Jan 21 2024, 2:35 PM
Unknown Object (File)
Jan 14 2024, 7:29 AM
Unknown Object (File)
Dec 20 2023, 6:24 AM
Unknown Object (File)
Oct 11 2023, 3:44 PM
Unknown Object (File)
Oct 11 2023, 3:44 PM
Unknown Object (File)
Aug 25 2023, 1:53 PM
View All 22 Files
Subscribers
imp

Details

Reviewers
jhb
gallatin
glebius
Group Reviewers
network
Commits
rGb4b33821fa3d: ktls: Fix interlocking between ktls_enable_rx() and listen(2)
Summary

The TCP_TXTLS_ENABLE and TCP_RXTLS_ENABLE socket option handlers check
whether the socket is listening socket and fail if so, but this check is
racy. Since we have to lock the socket buffer later anyway, defer the
check to that point.

ktls_enable_tx() locks the send buffer's I/O lock, which will fail if
the socket is a listening socket, so no explicit checks are needed. In
ktls_enable_rx(), which does not acquire the I/O lock for some reason,
use an explicit SOLISTENING() check after locking the recv socket
buffer.

Otherwise, a concurrent solisten_proto() call can trigger crashes and
memory leaks by wiping out socket buffers as ktls_enable_*() is
modifying them.

Also make sure that a KTLS-enabled socket can't be converted to a
listening socket, and use SOCK_(SEND|RECV)BUF_LOCK macros instead of the
old ones.

Reported by: syzkaller

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Feb 11 2023, 3:23 PM
Herald added a subscriber: imp. · View Herald TranscriptFeb 11 2023, 3:23 PM
markj requested review of this revision.Feb 11 2023, 3:23 PM
Harbormaster completed remote builds in B49685: Diff 116983.Feb 11 2023, 3:24 PM
gallatin accepted this revision.Feb 12 2023, 5:31 PM

It might be nice to document why the SOLISTENTING() check is not needed in the tx case..

This revision is now accepted and ready to land.Feb 12 2023, 5:31 PM
markj added a comment.Feb 13 2023, 3:35 PM
In D38504#876841, @gallatin wrote:

It might be nice to document why the SOLISTENTING() check is not needed in the tx case..

Why exactly do we acquire the SEND_IO lock in enable_tx but we don't acquire the RECV_IO lock in enable_rx? It's a bit hard to write a useful comment without that info.

gallatin added a comment.Feb 20 2023, 5:13 PM
In D38504#877161, @markj wrote:
In D38504#876841, @gallatin wrote:

It might be nice to document why the SOLISTENTING() check is not needed in the tx case..

Why exactly do we acquire the SEND_IO lock in enable_tx but we don't acquire the RECV_IO lock in enable_rx? It's a bit hard to write a useful comment without that info.

Maybe not acquiring the RECV IO lock is a bug? I don't (yet) use the rx code, so I've not paid close attention to it. Maybe @jhb knows?

jhb added a comment.Mar 1 2023, 6:02 PM
In D38504#880532, @gallatin wrote:
In D38504#877161, @markj wrote:
In D38504#876841, @gallatin wrote:

It might be nice to document why the SOLISTENTING() check is not needed in the tx case..

Why exactly do we acquire the SEND_IO lock in enable_tx but we don't acquire the RECV_IO lock in enable_rx? It's a bit hard to write a useful comment without that info.

Maybe not acquiring the RECV IO lock is a bug? I don't (yet) use the rx code, so I've not paid close attention to it. Maybe @jhb knows?

We acquire the SEND_IO lock to synchronize with concurrent calls to write() or sendfile() on the socket from other threads.

On the receive side, the socket buffer is sufficient I believe as the arriving data comes from interrupt threads queueing data via sbappend* which is done under the socket buffer lock. For threads calling read() concurrently, I think losing the race is harmless as they can only drain previously-received data? However, perhaps a thread can do a concurrent blocking read() which would sleep in soreceive_stream() and won't take the KTLS detour when it is later awakened, so perhaps we do need the I/O lock for the rx case as well.

sys/kern/uipc_socket.c
1008
jhb added a comment.Mar 1 2023, 6:04 PM
In D38504#884206, @jhb wrote:
In D38504#880532, @gallatin wrote:
In D38504#877161, @markj wrote:
In D38504#876841, @gallatin wrote:

It might be nice to document why the SOLISTENTING() check is not needed in the tx case..

Why exactly do we acquire the SEND_IO lock in enable_tx but we don't acquire the RECV_IO lock in enable_rx? It's a bit hard to write a useful comment without that info.

Maybe not acquiring the RECV IO lock is a bug? I don't (yet) use the rx code, so I've not paid close attention to it. Maybe @jhb knows?

We acquire the SEND_IO lock to synchronize with concurrent calls to write() or sendfile() on the socket from other threads.

On the receive side, the socket buffer is sufficient I believe as the arriving data comes from interrupt threads queueing data via sbappend* which is done under the socket buffer lock. For threads calling read() concurrently, I think losing the race is harmless as they can only drain previously-received data? However, perhaps a thread can do a concurrent blocking read() which would sleep in soreceive_stream() and won't take the KTLS detour when it is later awakened, so perhaps we do need the I/O lock for the rx case as well.

So the I/O lock would not close that race. Instead, we need to move the existing check for KTLS in soreceive_stream below the restart label I think.

glebius added inline comments.Mar 1 2023, 7:14 PM
sys/kern/uipc_socket.c
989–1008
glebius added inline comments.Mar 1 2023, 7:16 PM
sys/kern/uipc_socket.c
989–1008

IMHO, throwing all socket states that don't allow it to turn into a listening under one if (!SOLISTENING(so)) reduces paste and makes it easier to read.

markj marked 2 inline comments as done.Mar 6 2023, 8:34 PM
In D38504#884208, @jhb wrote:
In D38504#884206, @jhb wrote:
In D38504#880532, @gallatin wrote:
In D38504#877161, @markj wrote:
In D38504#876841, @gallatin wrote:

It might be nice to document why the SOLISTENTING() check is not needed in the tx case..

Why exactly do we acquire the SEND_IO lock in enable_tx but we don't acquire the RECV_IO lock in enable_rx? It's a bit hard to write a useful comment without that info.

Maybe not acquiring the RECV IO lock is a bug? I don't (yet) use the rx code, so I've not paid close attention to it. Maybe @jhb knows?

We acquire the SEND_IO lock to synchronize with concurrent calls to write() or sendfile() on the socket from other threads.

On the receive side, the socket buffer is sufficient I believe as the arriving data comes from interrupt threads queueing data via sbappend* which is done under the socket buffer lock. For threads calling read() concurrently, I think losing the race is harmless as they can only drain previously-received data? However, perhaps a thread can do a concurrent blocking read() which would sleep in soreceive_stream() and won't take the KTLS detour when it is later awakened, so perhaps we do need the I/O lock for the rx case as well.

So the I/O lock would not close that race. Instead, we need to move the existing check for KTLS in soreceive_stream below the restart label I think.

Don't we want to do both? soreceive_stream() drops the sockbuf mutex in a couple of places, and I'd think that we want to serialize against that as well.

markj updated this revision to Diff 118424.Mar 6 2023, 8:53 PM
  • Add a comment in ktls_enable_tx() explaining why we don't check for a listening socket.
  • Fix the ktls check in solisten_proto() and reduce code duplication.
  • Add a regression test.
This revision now requires review to proceed.Mar 6 2023, 8:53 PM
Harbormaster completed remote builds in B50176: Diff 118424.Mar 6 2023, 8:53 PM
jhb added a comment.Mar 20 2023, 4:59 PM
In D38504#886490, @markj wrote:
In D38504#884208, @jhb wrote:
In D38504#884206, @jhb wrote:
In D38504#880532, @gallatin wrote:
In D38504#877161, @markj wrote:
In D38504#876841, @gallatin wrote:

It might be nice to document why the SOLISTENTING() check is not needed in the tx case..

Why exactly do we acquire the SEND_IO lock in enable_tx but we don't acquire the RECV_IO lock in enable_rx? It's a bit hard to write a useful comment without that info.

Maybe not acquiring the RECV IO lock is a bug? I don't (yet) use the rx code, so I've not paid close attention to it. Maybe @jhb knows?

We acquire the SEND_IO lock to synchronize with concurrent calls to write() or sendfile() on the socket from other threads.

On the receive side, the socket buffer is sufficient I believe as the arriving data comes from interrupt threads queueing data via sbappend* which is done under the socket buffer lock. For threads calling read() concurrently, I think losing the race is harmless as they can only drain previously-received data? However, perhaps a thread can do a concurrent blocking read() which would sleep in soreceive_stream() and won't take the KTLS detour when it is later awakened, so perhaps we do need the I/O lock for the rx case as well.

So the I/O lock would not close that race. Instead, we need to move the existing check for KTLS in soreceive_stream below the restart label I think.

Don't we want to do both? soreceive_stream() drops the sockbuf mutex in a couple of places, and I'd think that we want to serialize against that as well.

Hummm, perhaps, and it is probably safest to do so.

jhb accepted this revision.Mar 20 2023, 5:01 PM
This revision is now accepted and ready to land.Mar 20 2023, 5:01 PM
glebius added inline comments.Mar 20 2023, 5:35 PM
sys/kern/uipc_socket.c
989–1008

To my taste this looks better than previous version, but fully collapsing common code solisten_proto_abort() and return would be even better, IMHO. Leaving only two predicates under KERN_TLS.

markj added inline comments.Mar 20 2023, 5:48 PM
sys/kern/uipc_socket.c
989–1008

I don't like mixing preprocessor directives and C expressions, which is why I didn't do it that way.

I'll upload a version which introduces a local variable instead, so there's no code duplication.

markj updated this revision to Diff 119133.Mar 20 2023, 5:58 PM

Eliminate some code duplication.

This revision now requires review to proceed.Mar 20 2023, 5:58 PM
Harbormaster completed remote builds in B50486: Diff 119133.Mar 20 2023, 5:58 PM
glebius accepted this revision as: glebius.Mar 21 2023, 5:25 PM
This revision is now accepted and ready to land.Mar 21 2023, 5:25 PM
gallatin accepted this revision.Mar 21 2023, 7:52 PM
Closed by commit rGb4b33821fa3d: ktls: Fix interlocking between ktls_enable_rx() and listen(2) (authored by markj). · Explain WhyMar 21 2023, 8:04 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rGb4b33821fa3d: ktls: Fix interlocking between ktls_enable_rx() and listen(2).

Revision Contents
Changeset List

PathSize
sys/
kern/
21 lines
23 lines
tests/
sys/
kern/
46 lines

Diff 119211

View Options

sys/kern/uipc_ktls.c

Loading...
View Options

sys/kern/uipc_socket.c

Loading...
View Options

tests/sys/kern/ktls_test.c

Loading...