From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 48B8F6FA0 for ; Mon, 16 Jan 2023 17:14:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C0328C433F1; Mon, 16 Jan 2023 17:14:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1673889284; bh=m+hr9itkdl22VVvwcVGr9bqF7C8fVeomx3FsQxuBlL4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hXuCuaf3+OQ5sPn0jT6UV+JqNty/jcYBnhrhZGaQssDf3wjCOK59V8a513tDxVc0e IdDEtpNJB5z8FZjy/VvuZY/j8dI8Rv62E+ZTF9TpWqTLSOZbPJ+M/3xzGsQWHv0Bi6 1Axrb7wA5fzdeAPDfmoB3aXv+khQ8qCpXGVXF0uw= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, slipper , Paolo Abeni , Jakub Kicinski Subject: [PATCH 4.14 328/338] net/ulp: prevent ULP without clone op from entering the LISTEN status Date: Mon, 16 Jan 2023 16:53:21 +0100 Message-Id: <20230116154835.388105788@linuxfoundation.org> X-Mailer: git-send-email 2.39.0 In-Reply-To: <20230116154820.689115727@linuxfoundation.org> References: <20230116154820.689115727@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Paolo Abeni commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream. When an ULP-enabled socket enters the LISTEN status, the listener ULP data pointer is copied inside the child/accepted sockets by sk_clone_lock(). The relevant ULP can take care of de-duplicating the context pointer via the clone() operation, but only MPTCP and SMC implement such op. Other ULPs may end-up with a double-free at socket disposal time. We can't simply clear the ULP data at clone time, as TLS replaces the socket ops with custom ones assuming a valid TLS ULP context is available. Instead completely prevent clone-less ULP sockets from entering the LISTEN status. Fixes: 734942cc4ea6 ("tcp: ULP infrastructure") Reported-by: slipper Signed-off-by: Paolo Abeni Link: https://lore.kernel.org/r/4b80c3d1dbe3d0ab072f80450c202d9bc88b4b03.1672740602.git.pabeni@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- net/ipv4/inet_connection_sock.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) --- a/net/ipv4/inet_connection_sock.c +++ b/net/ipv4/inet_connection_sock.c @@ -894,11 +894,25 @@ void inet_csk_prepare_forced_close(struc } EXPORT_SYMBOL(inet_csk_prepare_forced_close); +static int inet_ulp_can_listen(const struct sock *sk) +{ + const struct inet_connection_sock *icsk = inet_csk(sk); + + if (icsk->icsk_ulp_ops) + return -EINVAL; + + return 0; +} + int inet_csk_listen_start(struct sock *sk, int backlog) { struct inet_connection_sock *icsk = inet_csk(sk); struct inet_sock *inet = inet_sk(sk); - int err = -EADDRINUSE; + int err; + + err = inet_ulp_can_listen(sk); + if (unlikely(err)) + return err; reqsk_queue_alloc(&icsk->icsk_accept_queue);