From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, slipper <slipper.alive@gmail.com>,
Paolo Abeni <pabeni@redhat.com>, Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.15 10/10] net/ulp: prevent ULP without clone op from entering the LISTEN status
Date: Thu, 12 Jan 2023 14:56:47 +0100
Message-ID: <20230112135327.087488002@linuxfoundation.org>
In-Reply-To: <20230112135326.689857506@linuxfoundation.org>

From: Paolo Abeni <pabeni@redhat.com>

commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream.

When an ULP-enabled socket enters the LISTEN status, the listener ULP data
pointer is copied inside the child/accepted sockets by sk_clone_lock().

The relevant ULP can take care of de-duplicating the context pointer via
the clone() operation, but only MPTCP and SMC implement such op.

Other ULPs may end up with a double-free at socket disposal time.

We can't simply clear the ULP data at clone time, as TLS replaces the
socket ops with custom ones assuming a valid TLS ULP context is
available.

Instead completely prevent clone-less ULP sockets from entering the
LISTEN status.

Fixes: 734942cc4ea6 ("tcp: ULP infrastructure")
Reported-by: slipper <slipper.alive@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Link: https://lore.kernel.org/r/4b80c3d1dbe3d0ab072f80450c202d9bc88b4b03.1672740602.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/inet_connection_sock.c | 16 +++++++++++++++-
net/ipv4/tcp_ulp.c | 4 ++++
2 files changed, 19 insertions(+), 1 deletion(-)
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -1040,11 +1040,25 @@ void inet_csk_prepare_forced_close(struc
}
EXPORT_SYMBOL(inet_csk_prepare_forced_close);
+static int inet_ulp_can_listen(const struct sock *sk)
+{
+ const struct inet_connection_sock *icsk = inet_csk(sk);
+
+ if (icsk->icsk_ulp_ops && !icsk->icsk_ulp_ops->clone)
+ return -EINVAL;
+
+ return 0;
+}
+
int inet_csk_listen_start(struct sock *sk, int backlog)
{
struct inet_connection_sock *icsk = inet_csk(sk);
struct inet_sock *inet = inet_sk(sk);
- int err = -EADDRINUSE;
+ int err;
+
+ err = inet_ulp_can_listen(sk);
+ if (unlikely(err))
+ return err;
reqsk_queue_alloc(&icsk->icsk_accept_queue);
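
Review bot: dropping the `-EADDRINUSE` initializer in inet_csk_listen_start() leaves err at 0 once inet_ulp_can_listen() succeeds, and nothing in the visible lines restores the old default. If any failure path further down the function relied on that initial value (a failed port bind is the obvious candidate), listen() would now return success there while the socket is not actually listening. Please confirm that every later exit assigns err, or add `err = -EADDRINUSE;` right after the new check. A one-line comment above inet_ulp_can_listen() saying that a ULP without a clone op would leave accepted children sharing the listener's ULP context would also keep the reason next to the code.
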
--- a/net/ipv4/tcp_ulp.c
+++ b/net/ipv4/tcp_ulp.c
@@ -136,6 +136,10 @@ static int __tcp_set_ulp(struct sock *sk
if (icsk->icsk_ulp_ops)
goto out_err;
+ err = -EINVAL;
+ if (!ulp_ops->clone && sk->sk_state == TCP_LISTEN)
+ goto out_err;
+
err = ulp_ops->init(sk);
if (err)
goto out_err;
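
Review bot: the new test in __tcp_set_ulp(), `if (!ulp_ops->clone && sk->sk_state == TCP_LISTEN)`, has no comment, so the reason for rejecting the ULP is recorded only in the commit message. A short comment stating that this mirrors inet_ulp_can_listen() for the opposite ordering (ULP attached after the socket is already listening) would make it clear that the two checks must stay in sync. Since both sites test for a missing clone op and return -EINVAL, consider sharing one helper so a future change to the rule cannot update one path and miss the other.
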