unix: Fix race in SOCK_SEQPACKET's unix_dgram_sendmsg()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2164865
Upstream Status: net.git commit 3ff8bff

commit 3ff8bff
Author: Kirill Tkhai <tkhai@ya.ru>
Date:   Tue Dec 13 00:05:53 2022 +0300

    unix: Fix race in SOCK_SEQPACKET's unix_dgram_sendmsg()

    There is a race resulting in alive SOCK_SEQPACKET socket
    may change its state from TCP_ESTABLISHED to TCP_CLOSE:

    unix_release_sock(peer)                  unix_dgram_sendmsg(sk)
      sock_orphan(peer)
        sock_set_flag(peer, SOCK_DEAD)
                                               sock_alloc_send_pskb()
                                                 if !(sk->sk_shutdown & SEND_SHUTDOWN)
                                                   OK
                                               if sock_flag(peer, SOCK_DEAD)
                                                 sk->sk_state = TCP_CLOSE
      sk->sk_shutdown = SHUTDOWN_MASK

    After that socket sk remains almost normal: it is able to connect, listen, accept
    and recvmsg, while it can't sendmsg.

    Since this is the only possibility for alive SOCK_SEQPACKET to change
    the state in such way, we should better fix this strange and potentially
    danger corner case.

    Note, that we will return EPIPE here like this is normally done in sock_alloc_send_pskb().
    Originally used ECONNREFUSED looks strange, since it's strange to return
    a specific retval in dependence of race in kernel, when user can't affect on this.

    Also, move TCP_CLOSE assignment for SOCK_DGRAM sockets under state lock
    to fix race with unix_dgram_connect():

    unix_dgram_connect(other)            unix_dgram_sendmsg(sk)
                                           unix_peer(sk) = NULL
                                           unix_state_unlock(sk)
      unix_state_double_lock(sk, other)
      sk->sk_state  = TCP_ESTABLISHED
      unix_peer(sk) = other
      unix_state_double_unlock(sk, other)
                                           sk->sk_state  = TCP_CLOSED

    This patch fixes both of these races.

    Fixes: 83301b5 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too")
    Signed-off-by: Kirill Tkhai <tkhai@ya.ru>
    Link: https://lore.kernel.org/r/135fda25-22d5-837a-782b-ceee50e19844@ya.ru
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Signed-off-by: Davide Caratti <dcaratti@redhat.com>

Author: dcaratti

net/unix/af_unix.c

@@ -1945,13 +1945,20 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
 			unix_state_lock(sk);
 
 		err = 0;
-		if (unix_peer(sk) == other) {
+		if (sk->sk_type == SOCK_SEQPACKET) {
+			/* We are here only when racing with unix_release_sock()
+			 * is clearing @other. Never change state to TCP_CLOSE
+			 * unlike SOCK_DGRAM wants.
+			 */
+			unix_state_unlock(sk);
+			err = -EPIPE;
+		} else if (unix_peer(sk) == other) {
 			unix_peer(sk) = NULL;
 			unix_dgram_peer_wake_disconnect_wakeup(sk, other);
 
+			sk->sk_state = TCP_CLOSE;
 			unix_state_unlock(sk);
 
-			sk->sk_state = TCP_CLOSE;
 			unix_dgram_disconnected(sk, other);
 			sock_put(other);
 			err = -ECONNREFUSED;