From 4f954cb220ef7cf5c3abc7930bcba8fb9a1990d6 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 13 Jan 2023 12:41:56 +0100
Subject: [PATCH] 5.4-stable patches

added patches:
 net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch
---
 ...e-op-from-entering-the-listen-status.patch | 63 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 64 insertions(+)
 create mode 100644 queue-5.4/net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch

diff --git a/queue-5.4/net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch b/queue-5.4/net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch
new file mode 100644
index 00000000000..d9fa40ece24
--- /dev/null
+++ b/queue-5.4/net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch
@@ -0,0 +1,63 @@
+From 2c02d41d71f90a5168391b6a5f2954112ba2307c Mon Sep 17 00:00:00 2001
+From: Paolo Abeni
+Date: Tue, 3 Jan 2023 12:19:17 +0100
+Subject: net/ulp: prevent ULP without clone op from entering the LISTEN status
+
+From: Paolo Abeni
+
+commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream.
+
+When an ULP-enabled socket enters the LISTEN status, the listener ULP data
+pointer is copied inside the child/accepted sockets by sk_clone_lock().
+
+The relevant ULP can take care of de-duplicating the context pointer via
+the clone() operation, but only MPTCP and SMC implement such op.
+
+Other ULPs may end-up with a double-free at socket disposal time.
+
+We can't simply clear the ULP data at clone time, as TLS replaces the
+socket ops with custom ones assuming a valid TLS ULP context is
+available.
+
+Instead completely prevent clone-less ULP sockets from entering the
+LISTEN status.
+
+Fixes: 734942cc4ea6 ("tcp: ULP infrastructure")
+Reported-by: slipper
+Signed-off-by: Paolo Abeni
+Link: https://lore.kernel.org/r/4b80c3d1dbe3d0ab072f80450c202d9bc88b4b03.1672740602.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/inet_connection_sock.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -902,11 +902,25 @@ void inet_csk_prepare_forced_close(struc
+ }
+ EXPORT_SYMBOL(inet_csk_prepare_forced_close);
+ 
++static int inet_ulp_can_listen(const struct sock *sk)
++{
++ const struct inet_connection_sock *icsk = inet_csk(sk);
++ 
++ if (icsk->icsk_ulp_ops)
++ return -EINVAL;
++ 
++ return 0;
++}
++ 
+ int inet_csk_listen_start(struct sock *sk, int backlog)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct inet_sock *inet = inet_sk(sk);
+- int err = -EADDRINUSE;
++ int err;
++ 
++ err = inet_ulp_can_listen(sk);
++ if (unlikely(err))
++ return err;
+ 
+ reqsk_queue_alloc(&icsk->icsk_accept_queue);
+ 
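Review bot: The new `int err;` in inet_csk_listen_start() drops the `-EADDRINUSE` initializer, and the value `err` carries past the added check is 0, because inet_ulp_can_listen() must have returned 0 for the function to continue. The rest of inet_csk_listen_start() lies outside the hunk; if, as seems likely for this 5.4 tree, it still tests `if (!sk->sk_prot->get_port(sk, inet->inet_num))` and falls through to `inet_sk_set_state(sk, TCP_CLOSE); return err;` on failure, listen() on a port already in use now reports success while leaving the socket closed, whereas upstream assigns get_port()'s errno to `err` and is unaffected. The backport should re-establish the error value by adding `err = -EADDRINUSE;` immediately before the get_port() check rather than relying on the old initializer, which the helper call now overwrites. Separately, `if (icsk->icsk_ulp_ops)` rejects every ULP rather than only those lacking a clone op as the upstream commit does, presumably because this tree's tcp_ulp_ops has no clone member; a comment such as `/* no ULP in this tree implements clone, so none may listen */` would make that deliberate.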
diff --git a/queue-5.4/series b/queue-5.4/series
index ef303943975..4a921fe2c18 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -600,3 +600,4 @@ selftests-fix-kselftest-o-objdir-build-from-cluttering-top-level-objdir.patch
 selftests-set-the-build-variable-to-absolute-path.patch
 driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch
 net-sched-disallow-noqueue-for-qdisc-classes.patch
+net-ulp-prevent-ulp-without-clone-op-from-entering-the-listen-status.patch
-- 
2.47.3