From patchwork Mon Apr 17 14:00:39 2023
X-Patchwork-Submitter: Matthieu Baerts
X-Patchwork-Id: 8299
From: Matthieu Baerts
Subject: [PATCH net 0/2] mptcp: fixes around listening sockets and the MPTCP worker
Date: Mon, 17 Apr 2023 16:00:39 +0200
Message-Id: <20230417-upstream-net-20230417-mptcp-worker-acceptw-v1-0-1d2ecf6d1ae4@tessares.net>
To: mptcp@lists.linux.dev, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Christoph Paasch, Matthieu Baerts, stable@vger.kernel.org

Christoph Paasch reported a couple of issues found by syzkaller and
linked to operations done by the MPTCP worker on (un)accepted sockets.

Fixing these issues was not obvious and rather complex but Paolo Abeni
nicely managed to propose these excellent patches that seem to satisfy
syzkaller.

Patch 1 partially reverts a recent fix but while still providing a
solution for the previous issue, it also prevents the MPTCP worker from
running concurrently with inet_csk_listen_stop(). A warning is then
avoided. The partially reverted patch has been introduced in v6.3-rc3,
backported up to v6.1 and fixing an issue visible from v5.18.

Patch 2 prevents the MPTCP worker from racing with mptcp_accept(),
causing a UaF when a fallback to TCP is done while in parallel, the
socket is being accepted by the userspace. This is also a fix of a
previous fix introduced in v6.3-rc3, backported up to v6.1 but here
fixing an issue that is in theory there from v5.7. There is no need to
backport it up to here as it looks like it is only visible later, around
v5.18, see the previous cover-letter linked to this original fix.

Signed-off-by: Matthieu Baerts
---
Paolo Abeni (2):
      mptcp: stops worker on unaccepted sockets at listener close
      mptcp: fix accept vs worker race

 net/mptcp/protocol.c | 74 ++++++++++++++++++++++++++++++++----------------
 net/mptcp/protocol.h |  2 ++
 net/mptcp/subflow.c  | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 129 insertions(+), 27 deletions(-)
---
base-commit: 338469d677e5d426f5ada88761f16f6d2c7c1981
change-id: 20230417-upstream-net-20230417-mptcp-worker-acceptw-31f35d7c3e9a

Best regards,