From: Greg Kroah-Hartman Date: Fri, 13 Jan 2023 11:40:52 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.10.163~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d79ca73dc373046db94fdd9e1bcdfdb43f04b8b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch --- diff --git a/queue-4.14/net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch b/queue-4.14/net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch new file mode 100644 index 00000000000..d845553e12e --- /dev/null +++ b/queue-4.14/net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch 
@@ -0,0 +1,63 @@ +From 2c02d41d71f90a5168391b6a5f2954112ba2307c Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 3 Jan 2023 12:19:17 +0100 +Subject: net/ulp: prevent ULP without clone op from entering the LISTEN status + +From: Paolo Abeni + +commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream. + +When an ULP-enabled socket enters the LISTEN status, the listener ULP data +pointer is copied inside the child/accepted sockets by sk_clone_lock(). + +The relevant ULP can take care of de-duplicating the context pointer via +the clone() operation, but only MPTCP and SMC implement such op. + +Other ULPs may end-up with a double-free at socket disposal time. + +We can't simply clear the ULP data at clone time, as TLS replaces the +socket ops with custom ones assuming a valid TLS ULP context is +available. + +Instead completely prevent clone-less ULP sockets from entering the +LISTEN status. + +Fixes: 734942cc4ea6 ("tcp: ULP infrastructure") +Reported-by: slipper +Signed-off-by: Paolo Abeni +Link: https://lore.kernel.org/r/4b80c3d1dbe3d0ab072f80450c202d9bc88b4b03.1672740602.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/inet_connection_sock.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -894,11 +894,25 @@ void inet_csk_prepare_forced_close(struc + } + EXPORT_SYMBOL(inet_csk_prepare_forced_close); + ++static int inet_ulp_can_listen(const struct sock *sk) ++{ ++ const struct inet_connection_sock *icsk = inet_csk(sk); ++ ++ if (icsk->icsk_ulp_ops) ++ return -EINVAL; ++ ++ return 0; ++} ++ + int inet_csk_listen_start(struct sock *sk, int backlog) + { + struct inet_connection_sock *icsk = inet_csk(sk); + struct inet_sock *inet = inet_sk(sk); +- int err = -EADDRINUSE; ++ int err; ++ ++ err = inet_ulp_can_listen(sk); ++ if (unlikely(err)) ++ return err; + + reqsk_queue_alloc(&icsk->icsk_accept_queue); + 
diff --git a/queue-4.14/series b/queue-4.14/series index 962dd2a1e23..02ba4f95d88 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -322,3 +322,4 @@ parisc-align-parisc-madv_xxx-constants-with-all-other-architectures.patch driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch ravb-fix-failed-to-switch-device-to-config-mode-message-during-unbind.patch net-sched-disallow-noqueue-for-qdisc-classes.patch +net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch
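Review bot: the backport drops the initializer `int err = -EADDRINUSE;` but adds no replacement assignment before `reqsk_queue_alloc(&icsk->icsk_accept_queue);`, which the hunk's trailing context shows is the next statement. On the common path `err = inet_ulp_can_listen(sk);` leaves `err` at 0, so if the rest of inet_csk_listen_start() (outside this hunk) still relies on the removed initializer for its `get_port()` failure path, listen() would now report success on an address already in use while the socket is set back to TCP_CLOSE. Suggest re-assigning `err = -EADDRINUSE;` immediately after the `if (unlikely(err)) return err;` check, as the upstream version of this change does. Secondary, on the new helper: `if (icsk->icsk_ulp_ops) return -EINVAL;` rejects every ULP-enabled socket, whereas the quoted commit message describes blocking only ULPs without a clone op; that is presumably because this tree's tcp_ulp_ops has no clone callback to test, but a one-line backport note under the `commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream.` line would spare the next reader the comparison. The series hunk is fine as-is: the appended entry matches the new file name exactly.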