From 2618015f10c7ca24bac8c839fc57f2a717b895b9 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 13 Jan 2023 12:41:30 +0100 Subject: [PATCH] 4.19-stable patches added patches: net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch --- ...e-op-from-entering-the-listen-status.patch | 63 +++++++++++++++++++ queue-4.19/series | 1 + 2 files changed, 64 insertions(+) create mode 100644 queue-4.19/net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch diff --git a/queue-4.19/net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch b/queue-4.19/net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch new file mode 100644 index 00000000000..a66db0b84ba --- /dev/null +++ b/queue-4.19/net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch @@ -0,0 +1,63 @@ +From 2c02d41d71f90a5168391b6a5f2954112ba2307c Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 3 Jan 2023 12:19:17 +0100 +Subject: net/ulp: prevent ULP without clone op from entering the LISTEN status + +From: Paolo Abeni + +commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream. + +When an ULP-enabled socket enters the LISTEN status, the listener ULP data +pointer is copied inside the child/accepted sockets by sk_clone_lock(). + +The relevant ULP can take care of de-duplicating the context pointer via +the clone() operation, but only MPTCP and SMC implement such op. + +Other ULPs may end-up with a double-free at socket disposal time. + +We can't simply clear the ULP data at clone time, as TLS replaces the +socket ops with custom ones assuming a valid TLS ULP context is +available. + +Instead completely prevent clone-less ULP sockets from entering the +LISTEN status. + +Fixes: 734942cc4ea6 ("tcp: ULP infrastructure") +Reported-by: slipper +Signed-off-by: Paolo Abeni +Link: https://lore.kernel.org/r/4b80c3d1dbe3d0ab072f80450c202d9bc88b4b03.1672740602.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/inet_connection_sock.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -903,11 +903,25 @@ void inet_csk_prepare_forced_close(struc + } + EXPORT_SYMBOL(inet_csk_prepare_forced_close); + ++static int inet_ulp_can_listen(const struct sock *sk) ++{ ++ const struct inet_connection_sock *icsk = inet_csk(sk); ++ ++ if (icsk->icsk_ulp_ops) ++ return -EINVAL; ++ ++ return 0; ++} ++ + int inet_csk_listen_start(struct sock *sk, int backlog) + { + struct inet_connection_sock *icsk = inet_csk(sk); + struct inet_sock *inet = inet_sk(sk); +- int err = -EADDRINUSE; ++ int err; ++ ++ err = inet_ulp_can_listen(sk); ++ if (unlikely(err)) ++ return err; + + reqsk_queue_alloc(&icsk->icsk_accept_queue); + diff --git a/queue-4.19/series b/queue-4.19/series index ce738ac246c..f5669eff009 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -463,3 +463,4 @@ mbcache-avoid-nesting-of-cache-c_list_lock-under-bit-locks.patch parisc-align-parisc-madv_xxx-constants-with-all-other-architectures.patch driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch net-sched-disallow-noqueue-for-qdisc-classes.patch +net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch -- 2.47.3