net: Avoid address overwrite in kernel_connect

PlaidCat · PlaidCat · commit 9b3b65361065 · 2024-09-12T13:26:58.000-04:00
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.31.1.el9_4 commit-author Jordan Rife <jrife@google.com> commit 0bdf399 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.31.1.el9_4/0bdf3993.failed BPF programs that run on connect can rewrite the connect address. For the connect system call this isn't a problem, because a copy of the address is made when it is moved into kernel space. However, kernel_connect simply passes through the address it is given, so the caller may observe its address value unexpectedly change. A practical example where this is problematic is where NFS is combined with a system such as Cilium which implements BPF-based load balancing. A common pattern in software-defined storage systems is to have an NFS mount that connects to a persistent virtual IP which in turn maps to an ephemeral server IP. This is usually done to achieve high availability: if your server goes down you can quickly spin up a replacement and remap the virtual IP to that endpoint. With BPF-based load balancing, mounts will forget the virtual IP address when the address rewrite occurs because a pointer to the only copy of that address is passed down the stack. Server failover then breaks, because clients have forgotten the virtual IP address. Reconnects fail and mounts remain broken. This patch was tested by setting up a scenario like this and ensuring that NFS reconnects worked after applying the patch. Signed-off-by: Jordan Rife <jrife@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 0bdf399) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/socket.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-427.31.1.el9_4/0bdf3993.failed b/ciq/ciq_backports/kernel-5.14.0-427.31.1.el9_4/0bdf3993.failed
@@ -0,0 +1,59 @@
+net: Avoid address overwrite in kernel_connect
+
+jira LE-1907
+Rebuild_History Non-Buildable kernel-5.14.0-427.31.1.el9_4
+commit-author Jordan Rife <jrife@google.com>
+commit 0bdf399342c5acbd817c9098b6c7ed21f1974312
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-427.31.1.el9_4/0bdf3993.failed
+
+BPF programs that run on connect can rewrite the connect address. For
+the connect system call this isn't a problem, because a copy of the address
+is made when it is moved into kernel space. However, kernel_connect
+simply passes through the address it is given, so the caller may observe
+its address value unexpectedly change.
+
+A practical example where this is problematic is where NFS is combined
+with a system such as Cilium which implements BPF-based load balancing.
+A common pattern in software-defined storage systems is to have an NFS
+mount that connects to a persistent virtual IP which in turn maps to an
+ephemeral server IP. This is usually done to achieve high availability:
+if your server goes down you can quickly spin up a replacement and remap
+the virtual IP to that endpoint. With BPF-based load balancing, mounts
+will forget the virtual IP address when the address rewrite occurs
+because a pointer to the only copy of that address is passed down the
+stack. Server failover then breaks, because clients have forgotten the
+virtual IP address. Reconnects fail and mounts remain broken. This patch
+was tested by setting up a scenario like this and ensuring that NFS
+reconnects worked after applying the patch.
+
+	Signed-off-by: Jordan Rife <jrife@google.com>
+	Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit 0bdf399342c5acbd817c9098b6c7ed21f1974312)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/socket.c
+diff --cc net/socket.c
+index a02d2b6014eb,848116d06b51..000000000000
+--- a/net/socket.c
++++ b/net/socket.c
+@@@ -3531,7 -3567,12 +3531,16 @@@ EXPORT_SYMBOL(kernel_accept)
+  int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen,
+  		   int flags)
+  {
+++<<<<<<< HEAD
+ +	return sock->ops->connect(sock, addr, addrlen, flags);
+++=======
++ 	struct sockaddr_storage address;
++ 
++ 	memcpy(&address, addr, addrlen);
++ 
++ 	return READ_ONCE(sock->ops)->connect(sock, (struct sockaddr *)&address,
++ 					     addrlen, flags);
+++>>>>>>> 0bdf399342c5 (net: Avoid address overwrite in kernel_connect)
+  }
+  EXPORT_SYMBOL(kernel_connect);
+  
+* Unmerged path net/socket.c
