6.1-stable patches

[thirdparty/kernel/stable-queue.git] / queue-6.1 / tcp-fix-bind-regression-for-v6-only-wildcard-and-v4-.patch

From 961f27c6b980bd03433c02a3b405cc917c093f0f Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Tue, 26 Mar 2024 13:42:45 -0700
Subject: tcp: Fix bind() regression for v6-only wildcard and v4(-mapped-v6)
 non-wildcard addresses.

From: Kuniyuki Iwashima <kuniyu@amazon.com>

[ Upstream commit d91ef1e1b55f730bee8ce286b02b7bdccbc42973 ]

Jianguo Wu reported another bind() regression introduced by bhash2.

Calling bind() for the following 3 addresses on the same port, the
3rd one should fail but now succeeds.

  1. 0.0.0.0 or ::ffff:0.0.0.0
  2. [::] w/ IPV6_V6ONLY
  3. IPv4 non-wildcard address or v4-mapped-v6 non-wildcard address

The first two bind() create tb2 like this:

  bhash2 -> tb2(:: w/ IPV6_V6ONLY) -> tb2(0.0.0.0)

The 3rd bind() will match with the IPv6 only wildcard address bucket
in inet_bind2_bucket_match_addr_any(), however, no conflicting socket
exists in the bucket.  So, inet_bhash2_conflict() will returns false,
and thus, inet_bhash2_addr_any_conflict() returns false consequently.

As a result, the 3rd bind() bypasses conflict check, which should be
done against the IPv4 wildcard address bucket.

So, in inet_bhash2_addr_any_conflict(), we must iterate over all buckets.

Note that we cannot add ipv6_only flag for inet_bind2_bucket as it
would confuse the following patetrn.

  1. [::] w/ SO_REUSE{ADDR,PORT} and IPV6_V6ONLY
  2. [::] w/ SO_REUSE{ADDR,PORT}
  3. IPv4 non-wildcard address or v4-mapped-v6 non-wildcard address

The first bind() would create a bucket with ipv6_only flag true,
the second bind() would add the [::] socket into the same bucket,
and the third bind() could succeed based on the wrong assumption
that ipv6_only bucket would not conflict with v4(-mapped-v6) address.

Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address")
Diagnosed-by: Jianguo Wu <wujianguo106@163.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240326204251.51301-3-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/inet_connection_sock.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index f7832d4253820..8407098a59391 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -289,6 +289,7 @@ static bool inet_bhash2_addr_any_conflict(const struct sock *sk, int port, int l
        struct sock_reuseport *reuseport_cb;
        struct inet_bind_hashbucket *head2;
        struct inet_bind2_bucket *tb2;
+       bool conflict = false;
        bool reuseport_cb_ok;
 
        rcu_read_lock();
@@ -301,18 +302,20 @@ static bool inet_bhash2_addr_any_conflict(const struct sock *sk, int port, int l
 
        spin_lock(&head2->lock);
 
-       inet_bind_bucket_for_each(tb2, &head2->chain)
-               if (inet_bind2_bucket_match_addr_any(tb2, net, port, l3mdev, sk))
-                       break;
+       inet_bind_bucket_for_each(tb2, &head2->chain) {
+               if (!inet_bind2_bucket_match_addr_any(tb2, net, port, l3mdev, sk))
+                       continue;
 
-       if (tb2 && inet_bhash2_conflict(sk, tb2, uid, relax, reuseport_cb_ok,
-                                       reuseport_ok)) {
-               spin_unlock(&head2->lock);
-               return true;
+               if (!inet_bhash2_conflict(sk, tb2, uid, relax, reuseport_cb_ok, reuseport_ok))
+                       continue;
+
+               conflict = true;
+               break;
        }
 
        spin_unlock(&head2->lock);
-       return false;
+
+       return conflict;
 }
 
 /*
-- 
2.43.0