From patchwork Mon Feb 27 17:29:24 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthieu Baerts X-Patchwork-Id: 13153944 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D98BC64ED6 for ; Mon, 27 Feb 2023 17:30:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229971AbjB0RaC (ORCPT ); Mon, 27 Feb 2023 12:30:02 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38630 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229806AbjB0RaA (ORCPT ); Mon, 27 Feb 2023 12:30:00 -0500 Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 061121DBA8 for ; Mon, 27 Feb 2023 09:29:58 -0800 (PST) Received: by mail-wr1-x430.google.com with SMTP id j2so7042428wrh.9 for ; Mon, 27 Feb 2023 09:29:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tessares.net; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=CkrVR8IpelSR7zXBF4SBBe4tWOQsLGXK04CO9kW0/yg=; b=Yn/px1am7cbKSlGsDURXtIvwA23GniZ6Ac9vJqqJAkyPAUvr190mJbn6mnsF9kDWyV 2tpRDmMYD7s2f+TABsDUn2EbMwYu4/RQk5SbfjUCv9ksW0HY9xcTjbi35nT4tlA9zdSM MXqDBbLK7PoPkbXQ70VSEZtvsABshbcM0NWuGmAp0Y5hlPJ3l6KERe+lns2Ty0bXkc8U zfDTqC2fxsipgCFC9g5PQ0vfTqs4pzuziQln2/PTwtS8irmqdNLmyJMdSKRDAj+OL3jt VA60oFXs1gXx5bGmIDKJ8LxtxWVaSJuw0CudHHLVq6Ci9Kv+4rLZNKF2pYcl2MAVd/+C Sg4A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=CkrVR8IpelSR7zXBF4SBBe4tWOQsLGXK04CO9kW0/yg=; b=GadKb9hWMAXzJV3K66u73nm26IdvjDAYbcba0Wbh3YquB64NDC5zedFcnqzHLLRmZX IOVgwAEwttYS/g0/TF/H/HO2CcysrEuVpmuEGe1u0uuJQ+J1VkRg2c/oo5w8+8cN/a9r bg1uJtcZuTzm79aFR3lDuSIi2sUuYfI77znDjJGehMcjYNgBs94S+CVjQjuBKxZE6lMz auBcdoxW+AM4knQpgiuOvltshnbiaX68NLPnvWyr+AIGnnYqmjruc+jtTpA/7Wm7O8IR gf7wjrx0LAI7MWWKRBBOXqaK4rZuAFl9rsjaIlJb6l5lBaMSqfkiVOgwLKLkuJ6ebdwd 9/KA== X-Gm-Message-State: AO0yUKVQ62N6OYkgZ3+Ulyf8/pb7/cnxH2w1vCuHbTccgeAW0E1TuD6d c1lFWOix6kuJ2R0XT6F0qWDd6w== X-Google-Smtp-Source: AK7set/JnWk1UyaRb1YKMa1DF4RW4nfkaEQh89lVtdGl+srvgLKb0mXKKO11wQjPgt2FhCH9F4fm0w== X-Received: by 2002:a05:6000:1084:b0:2c9:9b81:11de with SMTP id y4-20020a056000108400b002c99b8111demr6415376wrw.20.1677518996458; Mon, 27 Feb 2023 09:29:56 -0800 (PST) Received: from vdi08.nix.tessares.net (static.219.156.76.144.clients.your-server.de. [144.76.156.219]) by smtp.gmail.com with ESMTPSA id t1-20020a5d6a41000000b002c70a68111asm7763689wrw.83.2023.02.27.09.29.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Feb 2023 09:29:56 -0800 (PST) From: Matthieu Baerts Date: Mon, 27 Feb 2023 18:29:24 +0100 Subject: [PATCH net 1/7] mptcp: fix possible deadlock in subflow_error_report MIME-Version: 1.0 Message-Id: <20230227-upstream-net-20230227-mptcp-fixes-v1-1-070e30ae4a8e@tessares.net> References: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> In-Reply-To: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> To: mptcp@lists.linux.dev, "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Menglong Dong , Mengen Sun , Shuah Khan , Florian Westphal , Jiang Biao Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Matthieu Baerts , stable@vger.kernel.org, Christoph Paasch X-Mailer: b4 0.12.1 X-Developer-Signature: v=1; a=openpgp-sha256; l=1773; i=matthieu.baerts@tessares.net; h=from:subject:message-id; bh=TTLxtOJXIxhAzU2Ans9CXrgkFiujzShJkR9NjXQn9rY=; b=owEBbQKS/ZANAwAIAfa3gk9CaaBzAcsmYgBj/OiRE3F5ay5kGiWIfxQsUKE7LlPzVFaNd5SKZ U2P3p8ptlqJAjMEAAEIAB0WIQToy4X3aHcFem4n93r2t4JPQmmgcwUCY/zokQAKCRD2t4JPQmmg c6BZEADuXb8S+o9AGKfBIncaTRHfx1t03EFWmhpNgaijVxi0IPqa4aUg4ANgX/8mhldc4Nro56n rQigc6Wn1isU5dlU2rLUKWj0dHqJEmI1WbIXJJ5hNeetC7nvkMNyOmMGmGzgzfi7PiyH7p8eKVy w9n8DiNdkVESgusKCCzN7ZQK9cPGShpKXMlGmj0P8lOsfxwX5H2Q4gaHVEASeQBDNWrpQPG/vjy NQFH3Gfy85TNeFchETPh1jgh4vXIRPTIvlCyShQkWqb+RA05VtlUrjRF81paOCAk1eK7xRAyqZE WhngO9R8v3oItScnxxzc0UK6LXx+sVK3fyrw0a99MU8RjqSQo8VSB8ns6mePLrUnSilBXj6qHi7 gyqCB1GIM3C3/TMzVomsPuo2SZY82K+aSNsrPC1SiXQMYUC6MHWtjF1fhqPISpatgQV+Tzsf12B eLIxipvrqVW1ChvdhXqMOXKGdPvCkKGBMKWYI9X56ZOpxK1ubxAGzlp1qqvMcy5TS0jZ1jfS8pr C8ZiZD5hS0Kxe790PbfT8xmB7kVwb5+LXYyyBJn7R5RvjGDc3A1FfsjZlesKBFupO2+//voOBrx GNZYCk/tY1Wk7AhmHqWXeM7JVPlNKtA3fqvaBPgaic2sn/+AJ/FSf0G601WRv40r3Oj3zXHdC5v L/YGb2wt2idFWaA== X-Developer-Key: i=matthieu.baerts@tessares.net; a=openpgp; fpr=E8CB85F76877057A6E27F77AF6B7824F4269A073 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org From: Paolo Abeni Christoph reported a possible deadlock while the TCP stack destroys an unaccepted subflow due to an incoming reset: the MPTCP socket error path tries to acquire the msk-level socket lock while TCP still owns the listener socket accept queue spinlock, and the reverse dependency already exists in the TCP stack. Note that the above is actually a lockdep false positive, as the chain involves two separate sockets. A different per-socket lockdep key will address the issue, but such a change will be quite invasive. Instead, we can simply stop earlier the socket error handling for orphaned or unaccepted subflows, breaking the critical lockdep chain. Error handling in such a scenario is a no-op. Fixes: 15cc10453398 ("mptcp: deliver ssk errors to msk") Cc: stable@vger.kernel.org Reported-and-tested-by: Christoph Paasch Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/355 Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts Signed-off-by: Matthieu Baerts --- net/mptcp/subflow.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 4ae1a7304cf0..5070dc33675d 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -1432,6 +1432,13 @@ static void subflow_error_report(struct sock *ssk) { struct sock *sk = mptcp_subflow_ctx(ssk)->conn; + /* bail early if this is a no-op, so that we avoid introducing a + * problematic lockdep dependency between TCP accept queue lock + * and msk socket spinlock + */ + if (!sk->sk_socket) + return; + mptcp_data_lock(sk); if (!sock_owned_by_user(sk)) __mptcp_error_report(sk); From patchwork Mon Feb 27 17:29:25 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthieu Baerts X-Patchwork-Id: 13153945 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C27E1C7EE33 for ; Mon, 27 Feb 2023 17:30:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230004AbjB0RaD (ORCPT ); Mon, 27 Feb 2023 12:30:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38668 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229939AbjB0RaB (ORCPT ); Mon, 27 Feb 2023 12:30:01 -0500 Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2863220575 for ; Mon, 27 Feb 2023 09:29:59 -0800 (PST) Received: by mail-wm1-x336.google.com with SMTP id c18so4733138wmr.3 for ; Mon, 27 Feb 2023 09:29:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tessares.net; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=+xwuLbzzjRRAh6S1DAVgsmzERI5QGCnConEd5TaEfo4=; b=SWimbnPLiF1N/GlRQ5/q8E8L5dN00xq57D8orIk66VcANRv25R9CLGh9/3zQ6qS3RA h1KExRW90aAa7e//nAsveFPi4/XeOfJ7ebcq8oaKd43K0tRxAaeft3F+0882qiOBGzzI sk5mtoF1w+Gs0z6RhDjjUiGIvT4vjj2V5I6m4iQa2E7FO9jHSDh2EBYyMYHuBaIG1lcd nkZw36Mg5zRuL9XJ3EKewvSc/ANORQ1FRw5HhuTJmtHb/V7KSvrnHeoH+xr/4PIkYt95 ox9Tzw0hMVkamcfs0HyLM5NYVyY3Sf0Rt5Xjr/X+IWKlLm93tlpo1M5bR3Y/9DcS+rZp 3yNw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+xwuLbzzjRRAh6S1DAVgsmzERI5QGCnConEd5TaEfo4=; b=4vREtqa/VIaY/uN1epMO+NnHWRM9sA/wScqyEbLoJSIHGKKm6EO+jzciD5gU1W3WqB UXJB0oXketDIZwfJxCVMEYSGbpRV45mgOIFeTrvH/JvJ/vfoZGejs1MG5OmIjZI3g1iO 4eaU1dfTQctWLzQDP3zt8HUpbO8KcMqxx6TDEeDxnFYp0uCiJ/bkySbWetrsgqeiGDar q7/r7LpJaFOuj4prn4wjEaw3mHhrZKfU+zBNRc0xcerTMJGYfOK+kTHXscFdv1M8bvek v+7icmK2Ps1M6V1SLWxx4RalQR1kndS5dFLizaOVcBKJiBvlD591y2wg39/Zl/atVLon TdDQ== X-Gm-Message-State: AO0yUKUFHSJLea9XxTPg5lRy9roeUv/br4uu/W7J3mu+7wVRLZWjZFe8 JsfQaqLi+l8KiSEdQrw7zYHG8w== X-Google-Smtp-Source: AK7set9Clk/FM2QwxcSEAPA5qm1nnCc2bIYe6BTRBKFPrx5I7r52bjQObZ9AV9NQu5ivfTKg00SakA== X-Received: by 2002:a05:600c:4d26:b0:3ea:e4bb:33ef with SMTP id u38-20020a05600c4d2600b003eae4bb33efmr10833906wmp.9.1677518997551; Mon, 27 Feb 2023 09:29:57 -0800 (PST) Received: from vdi08.nix.tessares.net (static.219.156.76.144.clients.your-server.de. [144.76.156.219]) by smtp.gmail.com with ESMTPSA id t1-20020a5d6a41000000b002c70a68111asm7763689wrw.83.2023.02.27.09.29.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Feb 2023 09:29:57 -0800 (PST) From: Matthieu Baerts Date: Mon, 27 Feb 2023 18:29:25 +0100 Subject: [PATCH net 2/7] mptcp: refactor passive socket initialization MIME-Version: 1.0 Message-Id: <20230227-upstream-net-20230227-mptcp-fixes-v1-2-070e30ae4a8e@tessares.net> References: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> In-Reply-To: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> To: mptcp@lists.linux.dev, "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Menglong Dong , Mengen Sun , Shuah Khan , Florian Westphal , Jiang Biao Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Matthieu Baerts , stable@vger.kernel.org, Christoph Paasch X-Mailer: b4 0.12.1 X-Developer-Signature: v=1; a=openpgp-sha256; l=5109; i=matthieu.baerts@tessares.net; h=from:subject:message-id; bh=tbFi78t3ZJmGgmk77mV71qPhyEiu8592XCXi0Sgwm/E=; b=owEBbQKS/ZANAwAIAfa3gk9CaaBzAcsmYgBj/OiRMixVhjQITtEfa8+FE1hs0nnPrY7e2/glP 5zeMGcvplmJAjMEAAEIAB0WIQToy4X3aHcFem4n93r2t4JPQmmgcwUCY/zokQAKCRD2t4JPQmmg c2ABEACE47Ez3BM0QOq9aru05LBJ3HdJpAJ6NmkQApWR68gK5pffFSZTXaJx1I8nHUMnbjY9vJ8 TwyC72pxDM585GbcFrQ0P4e7VR1I18eVlsvbFssAW27Z+Aa/8sSa9Mif3kIdhC7gNRBEs4erGW2 cPm7jVJPVq/zubehF3IxPSfUETdQyJKMM1IDVYKTtlQVakk+LOONQtS1cDJm2DWJUXGpnrBSIoq EMlNzU+8rqphpKiDdD4iXe5nFtmj6mF3+bSyzIp81gtuLprPLWol3CK3SHXqvAPelD5fXq986Ov Q2iDRxUDlvoQR05P0yhHzhO0cW/vm0Zk/Eu3voy6hGtsg1O7DYsbKY+gQc7Ca0haxh1J4H52aIf ZT0fhdyPL+RUPQWmzg1ElAQ0sp2g9OGShUNTHY6A5dn2i0XLVrrsXequ36M3ojMMX1oJQDI6F7N /exmEZiJKupvpWs3jfdKLJv9sO1im7790CdFF62U/KryYLS1c//kE09MBfgjU3kzB3udwfaCfvK TKJDH2WflZN7U0RLqOJjoe1S6qGClKWT31+Vlcvzam4l5duTEwWQCUcRmmYovNsHeRMqgUn8/a4 NhmD1dpy61IG1YouwZ59oP6T3OGQOlR8C/fOq5AFMVhTbQUTNu2Iaf7WC0UpAcotVEDuANhLWP+ 179QYpvncDR3vbw== X-Developer-Key: i=matthieu.baerts@tessares.net; a=openpgp; fpr=E8CB85F76877057A6E27F77AF6B7824F4269A073 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org From: Paolo Abeni After commit 30e51b923e43 ("mptcp: fix unreleased socket in accept queue") unaccepted msk sockets go throu complete shutdown, we don't need anymore to delay inserting the first subflow into the subflow lists. The reference counting deserve some extra care, as __mptcp_close() is unaware of the request socket linkage to the first subflow. Please note that this is more a refactoring than a fix but because this modification is needed to include other corrections, see the following commits. Then a Fixes tag has been added here to help the stable team. Fixes: 30e51b923e43 ("mptcp: fix unreleased socket in accept queue") Cc: stable@vger.kernel.org # v6.0+ Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts Tested-by: Christoph Paasch Signed-off-by: Matthieu Baerts --- net/mptcp/protocol.c | 17 ----------------- net/mptcp/subflow.c | 27 +++++++++++++++++++++------ 2 files changed, 21 insertions(+), 23 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 3ad9c46202fc..447641d34c2c 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -825,7 +825,6 @@ static bool __mptcp_finish_join(struct mptcp_sock *msk, struct sock *ssk) if (sk->sk_socket && !ssk->sk_socket) mptcp_sock_graft(ssk, sk->sk_socket); - mptcp_propagate_sndbuf((struct sock *)msk, ssk); mptcp_sockopt_sync_locked(msk, ssk); return true; } @@ -3708,22 +3707,6 @@ static int mptcp_stream_accept(struct socket *sock, struct socket *newsock, lock_sock(newsk); - /* PM/worker can now acquire the first subflow socket - * lock without racing with listener queue cleanup, - * we can notify it, if needed. - * - * Even if remote has reset the initial subflow by now - * the refcnt is still at least one. - */ - subflow = mptcp_subflow_ctx(msk->first); - list_add(&subflow->node, &msk->conn_list); - sock_hold(msk->first); - if (mptcp_is_fully_established(newsk)) - mptcp_pm_fully_established(msk, msk->first, GFP_KERNEL); - - mptcp_rcv_space_init(msk, msk->first); - mptcp_propagate_sndbuf(newsk, msk->first); - /* set ssk->sk_socket of accept()ed flows to mptcp socket. * This is needed so NOSPACE flag can be set from tcp stack. */ diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 5070dc33675d..a631a5e6fc7b 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -397,6 +397,12 @@ void mptcp_subflow_reset(struct sock *ssk) struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); struct sock *sk = subflow->conn; + /* mptcp_mp_fail_no_response() can reach here on an already closed + * socket + */ + if (ssk->sk_state == TCP_CLOSE) + return; + /* must hold: tcp_done() could drop last reference on parent */ sock_hold(sk); @@ -750,6 +756,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, struct mptcp_options_received mp_opt; bool fallback, fallback_is_fatal; struct sock *new_msk = NULL; + struct mptcp_sock *owner; struct sock *child; pr_debug("listener=%p, req=%p, conn=%p", listener, req, listener->conn); @@ -824,6 +831,8 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, ctx->setsockopt_seq = listener->setsockopt_seq; if (ctx->mp_capable) { + owner = mptcp_sk(new_msk); + /* this can't race with mptcp_close(), as the msk is * not yet exposted to user-space */ @@ -832,14 +841,14 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, /* record the newly created socket as the first msk * subflow, but don't link it yet into conn_list */ - WRITE_ONCE(mptcp_sk(new_msk)->first, child); + WRITE_ONCE(owner->first, child); /* new mpc subflow takes ownership of the newly * created mptcp socket */ mptcp_sk(new_msk)->setsockopt_seq = ctx->setsockopt_seq; - mptcp_pm_new_connection(mptcp_sk(new_msk), child, 1); - mptcp_token_accept(subflow_req, mptcp_sk(new_msk)); + mptcp_pm_new_connection(owner, child, 1); + mptcp_token_accept(subflow_req, owner); ctx->conn = new_msk; new_msk = NULL; @@ -847,15 +856,21 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, * uses the correct data */ mptcp_copy_inaddrs(ctx->conn, child); + mptcp_propagate_sndbuf(ctx->conn, child); + + mptcp_rcv_space_init(owner, child); + list_add(&ctx->node, &owner->conn_list); + sock_hold(child); /* with OoO packets we can reach here without ingress * mpc option */ - if (mp_opt.suboptions & OPTION_MPTCP_MPC_ACK) + if (mp_opt.suboptions & OPTION_MPTCP_MPC_ACK) { mptcp_subflow_fully_established(ctx, &mp_opt); + mptcp_pm_fully_established(owner, child, GFP_ATOMIC); + ctx->pm_notified = 1; + } } else if (ctx->mp_join) { - struct mptcp_sock *owner; - owner = subflow_req->msk; if (!owner) { subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT); From patchwork Mon Feb 27 17:29:26 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthieu Baerts X-Patchwork-Id: 13153946 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 658C3C7EE2E for ; Mon, 27 Feb 2023 17:30:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230217AbjB0RaU (ORCPT ); Mon, 27 Feb 2023 12:30:20 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38710 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229898AbjB0RaC (ORCPT ); Mon, 27 Feb 2023 12:30:02 -0500 Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2D1E42068D for ; Mon, 27 Feb 2023 09:30:00 -0800 (PST) Received: by mail-wr1-x431.google.com with SMTP id j2so7042529wrh.9 for ; Mon, 27 Feb 2023 09:30:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tessares.net; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=i9GAyEl4C9LnoVvjZlnA+Dugg3thSow4Nn5Pvy+ljcg=; b=z2YscE1HF1nyhdu76M8ShTWxbvnfPVOhE+bAk5dsEHiBEmWF2C+IUBeJYYYJim78jR lSkxA1b3hB9p4MazbhcemYEIq/y8cadBJgrnt2kdHIy/gDtn9qpiGbxp0ygMmBLxFT9K kPYAU3u4+tMEb5fWyp8ayOjqJaz/dY24wINt/fpOI6vziHabCExEHdqkAmPI2q3WQgM7 qljASj0gX1vgE6TlgK96lLCV/5/gegjlLql3ELqZqX+SCe9WYm5XXk2ZkTDIBO1PtmY2 0Yzu76ukXLP0/d+NXZHBx1vjLLgBInUtoCRSPw9k17NVscWoBrsdbzJkWSOnMVtzc8bA CHWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=i9GAyEl4C9LnoVvjZlnA+Dugg3thSow4Nn5Pvy+ljcg=; b=Xzr8cIww7KsAfNycFuDWKODqunhxPq2h7pDPJGLTwEIWrWChq2VhtDtsNNonHpgcU6 FrI6/4oPgBB5LQxBz52mbKq1qf7EEQk3UeS7RLydeWwbCJ6A4f5W0w4S2JNHN0x+ScA6 o5TFY7sYiVsNlrwl7z/TNWegJrGhvC042qgVAHz71b/+m02hDSHdGuDvQPdD/+k+hcBj al86+7ulWuwagGFXBAZW+Culz3kYdkmPNYfsxaapODOE2bbGwzs5MW49HdXuBvwfBuHA 7ZrRqxGS0lISyh10QNDakuNGt3WEEt2u96B2LrLhBMOyLCwd+HWOILkJRCf/XK+uk0i0 SunQ== X-Gm-Message-State: AO0yUKUQT7/a6Ug97M1XPchlkPDD/qxlffJlyqWuw0seh8FTMigIaxQO XkhCwTLX2xZVLostBn1YR4eYAw== X-Google-Smtp-Source: AK7set9vUiz8NZ0pTcZiJrkRVRm+/qi90uWNf+1p81Dn7o1cG6dKUHYDXKo1xygqzhUYiVBjASSzIg== X-Received: by 2002:a5d:66ce:0:b0:2c5:c71:4a84 with SMTP id k14-20020a5d66ce000000b002c50c714a84mr19019574wrw.68.1677518998639; Mon, 27 Feb 2023 09:29:58 -0800 (PST) Received: from vdi08.nix.tessares.net (static.219.156.76.144.clients.your-server.de. [144.76.156.219]) by smtp.gmail.com with ESMTPSA id t1-20020a5d6a41000000b002c70a68111asm7763689wrw.83.2023.02.27.09.29.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Feb 2023 09:29:58 -0800 (PST) From: Matthieu Baerts Date: Mon, 27 Feb 2023 18:29:26 +0100 Subject: [PATCH net 3/7] mptcp: use the workqueue to destroy unaccepted sockets MIME-Version: 1.0 Message-Id: <20230227-upstream-net-20230227-mptcp-fixes-v1-3-070e30ae4a8e@tessares.net> References: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> In-Reply-To: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> To: mptcp@lists.linux.dev, "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Menglong Dong , Mengen Sun , Shuah Khan , Florian Westphal , Jiang Biao Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Matthieu Baerts , stable@vger.kernel.org, Christoph Paasch X-Mailer: b4 0.12.1 X-Developer-Signature: v=1; a=openpgp-sha256; l=6857; i=matthieu.baerts@tessares.net; h=from:subject:message-id; bh=309aB02I4occX7z9b72eaeFVfr8MkhEIbsSJWdCuxCs=; b=owEBbQKS/ZANAwAIAfa3gk9CaaBzAcsmYgBj/OiRb6ItuVn+gwOomDlkQV+IcngyV+LdEmFHC 4vSLDDcRlSJAjMEAAEIAB0WIQToy4X3aHcFem4n93r2t4JPQmmgcwUCY/zokQAKCRD2t4JPQmmg c6UVD/wJqMv0Xswv8nzWWoMs80prU8GVnJzDLy5zxpPH70HsPiS6fOB0HaJ/SkCsnDCHFKlOMTG dSoqWE1gllVDL6iiduYqV9QBw0xdMbYl7VXWe1cdrFHzFE+r4HeSFlAiWJHY+r2SU6RAxM4lVag Q6jUy1wVhJ030zIbgzzPrkf4fe51y4QHK+K6+GthRQRKYZZCmYNIpZoz5JP1z3jZXSeBcvVjPZs QSY/4LEnrRjA4Kt4JXYbSQZ6tl6aSQ3C37rmLUpVhOuPoAmFiOLCzc+B3F+zSp5lHEy4HcTIIPG q3STm0dGfi4XybOjibwBRR6FkY8dKhPoczM5X/FW+jyqg8icxpvKM23Jmgp1U0PhE/CJxkNbMb9 9DY7/Ro0p5MoChxAZ9E3ML2RoPCXIT1CWFnOSkU8TOis4j/010pSEnNi9c0iowsiI1PFUniZxdl rXHLe1VQk0l5LMzrGr0X7cEINmXSI5gnEqRKvnETe4y+RqtA8BAZV1JAPze5LQQ94B78KrJsWSB /XidsejUOiUrLk114oDt0Mej0ZFbkQ3EbvGpfHaQzPe4kDYFutmqYTzm1YZU/lc1wyQJKkEk3Uo A9ILF5KisjdHWDeQeXYauIQ+/JkGfXAYS8UM69yWManBBtGTyuz+1sZ6IQ22AwCFWL7rnvUZjDg TSDrt1eAqp0h9YA== X-Developer-Key: i=matthieu.baerts@tessares.net; a=openpgp; fpr=E8CB85F76877057A6E27F77AF6B7824F4269A073 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org From: Paolo Abeni Christoph reported a UaF at token lookup time after having refactored the passive socket initialization part: BUG: KASAN: use-after-free in __token_bucket_busy+0x253/0x260 Read of size 4 at addr ffff88810698d5b0 by task syz-executor653/3198 CPU: 1 PID: 3198 Comm: syz-executor653 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x6e/0x91 print_report+0x16a/0x46f kasan_report+0xad/0x130 __token_bucket_busy+0x253/0x260 mptcp_token_new_connect+0x13d/0x490 mptcp_connect+0x4ed/0x860 __inet_stream_connect+0x80e/0xd90 tcp_sendmsg_fastopen+0x3ce/0x710 mptcp_sendmsg+0xff1/0x1a20 inet_sendmsg+0x11d/0x140 __sys_sendto+0x405/0x490 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc We need to properly clean-up all the paired MPTCP-level resources and be sure to release the msk last, even when the unaccepted subflow is destroyed by the TCP internals via inet_child_forget(). We can re-use the existing MPTCP_WORK_CLOSE_SUBFLOW infra, explicitly checking that for the critical scenario: the closed subflow is the MPC one, the msk is not accepted and eventually going through full cleanup. With such change, __mptcp_destroy_sock() is always called on msk sockets, even on accepted ones. We don't need anymore to transiently drop one sk reference at msk clone time. Please note this commit depends on the parent one: mptcp: refactor passive socket initialization Fixes: 58b09919626b ("mptcp: create msk early") Cc: stable@vger.kernel.org # v6.0+ Reported-and-tested-by: Christoph Paasch Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/347 Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts Signed-off-by: Matthieu Baerts --- net/mptcp/protocol.c | 26 +++++++++++++++++--------- net/mptcp/protocol.h | 3 ++- net/mptcp/subflow.c | 11 +++++++++-- 3 files changed, 28 insertions(+), 12 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 447641d34c2c..b7014f939236 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2398,9 +2398,10 @@ static unsigned int mptcp_sync_mss(struct sock *sk, u32 pmtu) return 0; } -static void __mptcp_close_subflow(struct mptcp_sock *msk) +static void __mptcp_close_subflow(struct sock *sk) { struct mptcp_subflow_context *subflow, *tmp; + struct mptcp_sock *msk = mptcp_sk(sk); might_sleep(); @@ -2414,7 +2415,15 @@ static void __mptcp_close_subflow(struct mptcp_sock *msk) if (!skb_queue_empty_lockless(&ssk->sk_receive_queue)) continue; - mptcp_close_ssk((struct sock *)msk, ssk, subflow); + mptcp_close_ssk(sk, ssk, subflow); + } + + /* if the MPC subflow has been closed before the msk is accepted, + * msk will never be accept-ed, close it now + */ + if (!msk->first && msk->in_accept_queue) { + sock_set_flag(sk, SOCK_DEAD); + inet_sk_state_store(sk, TCP_CLOSE); } } @@ -2623,6 +2632,9 @@ static void mptcp_worker(struct work_struct *work) __mptcp_check_send_data_fin(sk); mptcp_check_data_fin(sk); + if (test_and_clear_bit(MPTCP_WORK_CLOSE_SUBFLOW, &msk->flags)) + __mptcp_close_subflow(sk); + /* There is no point in keeping around an orphaned sk timedout or * closed, but we need the msk around to reply to incoming DATA_FIN, * even if it is orphaned and in FIN_WAIT2 state @@ -2638,9 +2650,6 @@ static void mptcp_worker(struct work_struct *work) } } - if (test_and_clear_bit(MPTCP_WORK_CLOSE_SUBFLOW, &msk->flags)) - __mptcp_close_subflow(msk); - if (test_and_clear_bit(MPTCP_WORK_RTX, &msk->flags)) __mptcp_retrans(sk); @@ -3078,6 +3087,7 @@ struct sock *mptcp_sk_clone(const struct sock *sk, msk->local_key = subflow_req->local_key; msk->token = subflow_req->token; msk->subflow = NULL; + msk->in_accept_queue = 1; WRITE_ONCE(msk->fully_established, false); if (mp_opt->suboptions & OPTION_MPTCP_CSUMREQD) WRITE_ONCE(msk->csum_enabled, true); @@ -3095,8 +3105,7 @@ struct sock *mptcp_sk_clone(const struct sock *sk, security_inet_csk_clone(nsk, req); bh_unlock_sock(nsk); - /* keep a single reference */ - __sock_put(nsk); + /* note: the newly allocated socket refcount is 2 now */ return nsk; } @@ -3152,8 +3161,6 @@ static struct sock *mptcp_accept(struct sock *sk, int flags, int *err, goto out; } - /* acquire the 2nd reference for the owning socket */ - sock_hold(new_mptcp_sock); newsk = new_mptcp_sock; MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_MPCAPABLEPASSIVEACK); } else { @@ -3704,6 +3711,7 @@ static int mptcp_stream_accept(struct socket *sock, struct socket *newsock, struct sock *newsk = newsock->sk; set_bit(SOCK_CUSTOM_SOCKOPT, &newsock->flags); + msk->in_accept_queue = 0; lock_sock(newsk); diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index 61fd8eabfca2..901c9da8fe66 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h @@ -295,7 +295,8 @@ struct mptcp_sock { u8 recvmsg_inq:1, cork:1, nodelay:1, - fastopening:1; + fastopening:1, + in_accept_queue:1; int connect_flags; struct work_struct work; struct sk_buff *ooo_last_skb; diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index a631a5e6fc7b..9d5bf2a020ef 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -699,9 +699,10 @@ static bool subflow_hmac_valid(const struct request_sock *req, static void mptcp_force_close(struct sock *sk) { - /* the msk is not yet exposed to user-space */ + /* the msk is not yet exposed to user-space, and refcount is 2 */ inet_sk_state_store(sk, TCP_CLOSE); sk_common_release(sk); + sock_put(sk); } static void subflow_ulp_fallback(struct sock *sk, @@ -1866,7 +1867,6 @@ void mptcp_subflow_queue_clean(struct sock *listener_sk, struct sock *listener_s struct sock *sk = (struct sock *)msk; bool do_cancel_work; - sock_hold(sk); lock_sock_nested(sk, SINGLE_DEPTH_NESTING); next = msk->dl_next; msk->first = NULL; @@ -1954,6 +1954,13 @@ static void subflow_ulp_release(struct sock *ssk) * when the subflow is still unaccepted */ release = ctx->disposable || list_empty(&ctx->node); + + /* inet_child_forget() does not call sk_state_change(), + * explicitly trigger the socket close machinery + */ + if (!release && !test_and_set_bit(MPTCP_WORK_CLOSE_SUBFLOW, + &mptcp_sk(sk)->flags)) + mptcp_schedule_work(sk); sock_put(sk); } From patchwork Mon Feb 27 17:29:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthieu Baerts X-Patchwork-Id: 13153947 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 86BDDC7EE30 for ; Mon, 27 Feb 2023 17:30:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230297AbjB0RaV (ORCPT ); Mon, 27 Feb 2023 12:30:21 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39566 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229942AbjB0RaS (ORCPT ); Mon, 27 Feb 2023 12:30:18 -0500 Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4E08E206A7 for ; Mon, 27 Feb 2023 09:30:00 -0800 (PST) Received: by mail-wr1-x436.google.com with SMTP id r7so7055124wrz.6 for ; Mon, 27 Feb 2023 09:30:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tessares.net; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=7VFmRYD7EMVth9E5zOKW4RQmSSmpk/PjXvKOxVcGjvs=; b=Uc7yvnl/x4ikM4FRLzPpSs6CsEU1ZmU1wkGsIpewMOjhz2ofpnNc20AeRT0iJuMwF7 W1QxQZAQs4ZzV2Yx0vsSnJy1tncFofoh51ULcVA+pR+Topyd3n1b+3WXygPWhXE/sD5a 3MqWwr3CrsB1E4xJa0eszQDW2384WgsZy3Csu+lHdXBkO1WELFYgdXrC5IUD8g1zGR54 qpShOhELEyVaKapUdhG74FwpX5ZVwg3ViKEEzlxbb62edaqok5JXnz9FYIkianJ96C0U KdKIJQEYxg/RjFSQSrKRM8HdznbJS1Y98pY6+gSZjQUjkufE89e1IgNLe+yycafwMnPK bb8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7VFmRYD7EMVth9E5zOKW4RQmSSmpk/PjXvKOxVcGjvs=; b=SR6IeShG0sNuOQCA0kJ9rEZnIvzwOt/KhC2rcTJNxdjtx7WnEp7YlqdQAkB+D2I9ph +wi5ECaChVVflPS/RzpgOZQ4XYeNNdWBOp0J/oFr1UZrM1maBh96ayzsob6LBG3CDpfS xZS94VrM8UM9UehZD4s2mm+isc9yRpdfQokamoTqyRxeEOQ7ojAzOXV3CgQALRtGkwRJ fRZDkrTkEViNd1LLut5YN9RskkURa0opHrlIlKYdTz548sMTnWcWF/Lii1aBMNeAW43l MW2YNhIXVy1DRByFgFnaApkmPV22kibtC5WPmKyh0W9JBMhv3SkUrHPTbYHHxTcji26s W4YA== X-Gm-Message-State: AO0yUKU8ey9nv1QY7HSotud9JEeDLREt34ystA1Pe6YVF1bXelVm2CZQ WkVVkJh2h6qV/9oresRJYrWWGQ== X-Google-Smtp-Source: AK7set+qpVc8BvDfv4WWS1dTyIJUimUAFi8acYYMQcTA/cgxBnpPZ//DJZsLHgd8sWlnwnUlTZgUKg== X-Received: by 2002:adf:e7cc:0:b0:2c5:9eaa:831 with SMTP id e12-20020adfe7cc000000b002c59eaa0831mr22545456wrn.69.1677518999737; Mon, 27 Feb 2023 09:29:59 -0800 (PST) Received: from vdi08.nix.tessares.net (static.219.156.76.144.clients.your-server.de. [144.76.156.219]) by smtp.gmail.com with ESMTPSA id t1-20020a5d6a41000000b002c70a68111asm7763689wrw.83.2023.02.27.09.29.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Feb 2023 09:29:59 -0800 (PST) From: Matthieu Baerts Date: Mon, 27 Feb 2023 18:29:27 +0100 Subject: [PATCH net 4/7] mptcp: fix UaF in listener shutdown MIME-Version: 1.0 Message-Id: <20230227-upstream-net-20230227-mptcp-fixes-v1-4-070e30ae4a8e@tessares.net> References: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> In-Reply-To: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> To: mptcp@lists.linux.dev, "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Menglong Dong , Mengen Sun , Shuah Khan , Florian Westphal , Jiang Biao Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Matthieu Baerts , stable@vger.kernel.org, Christoph Paasch X-Mailer: b4 0.12.1 X-Developer-Signature: v=1; a=openpgp-sha256; l=6163; i=matthieu.baerts@tessares.net; h=from:subject:message-id; bh=P3ZnFzItTouH4bjDWHh+dFhxtMTdGvUTAOmm2ipU+Ao=; b=owEBbQKS/ZANAwAIAfa3gk9CaaBzAcsmYgBj/OiRtH9klLpvPTITZ839UJHIRGw61XNnHsv0M sUcTkZrT2KJAjMEAAEIAB0WIQToy4X3aHcFem4n93r2t4JPQmmgcwUCY/zokQAKCRD2t4JPQmmg cw7kEACwVNGO0U7QzVbA0TjPNo7s/gzmLNeF4c3IYY+4QvRZUpfTnxH/xNQxsE4tJatKDeexlY5 YJoQq1cbUHEs0Kj57LbW9X93wynffXAAecZP5BtuIpdCVuS7qTZC7SvshSB0A+PZOyH+OPHVsLj ugw+4WcS+aPFLNIEkZy2yLc473uHOJxhYGYgfWrSgkkcb8M9LYMTNwQSD/WJGRLqvgtBHbEErXv LGHRsA1zM5dmjuG5BAECLw0tEI9jtM3Pdkp1uBB6TJQJzhA+hteWWJu792bp6cy+qLfLFFtSpEK xWWgYjPh9vBObjAsQzS5yPXx+diixBHGj77Ym25sVWmejWw1En+IYxZ9YiFGQ1Trvsr2WBSPbIT Vntf0BIM3E7sF54/aSygyyMIdBr7rYd3MuPiZLEa4AgfcjUAxev7bak62r67i5ee4teb1cPoniY uMCEvRHzHEVkfB4qPxpfbaEFAxnKeUoP/bT8FPav4OKRltcgVARkl3iAHTSQWWu7ykhvVhyj4g+ Sj1S6KLI/69f10GDAQg9kvvt/kpFK5Br79LUxIEIdFFSGfvb8JqZ7J5AZB9t9KIoHCdVufy2foK DkBb6HC+mT6j9rBmb43Bwc9TcbbZxzzH5G059pezUdwmwiJkFbWQ0LW7OxWwqJ2tG+TVzI9k7RI znq2okMUlA6YuVQ== X-Developer-Key: i=matthieu.baerts@tessares.net; a=openpgp; fpr=E8CB85F76877057A6E27F77AF6B7824F4269A073 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org From: Paolo Abeni As reported by Christoph after having refactored the passive socket initialization, the mptcp listener shutdown path is prone to an UaF issue. BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0 Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266 CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x6e/0x91 print_report+0x16a/0x46f kasan_report+0xad/0x130 kasan_check_range+0x14a/0x1a0 _raw_spin_lock_bh+0x73/0xe0 subflow_error_report+0x6d/0x110 sk_error_report+0x3b/0x190 tcp_disconnect+0x138c/0x1aa0 inet_child_forget+0x6f/0x2e0 inet_csk_listen_stop+0x209/0x1060 __mptcp_close_ssk+0x52d/0x610 mptcp_destroy_common+0x165/0x640 mptcp_destroy+0x13/0x80 __mptcp_destroy_sock+0xe7/0x270 __mptcp_close+0x70e/0x9b0 mptcp_close+0x2b/0x150 inet_release+0xe9/0x1f0 __sock_release+0xd2/0x280 sock_close+0x15/0x20 __fput+0x252/0xa20 task_work_run+0x169/0x250 exit_to_user_mode_prepare+0x113/0x120 syscall_exit_to_user_mode+0x1d/0x40 do_syscall_64+0x48/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc The msk grace period can legitly expire in between the last reference count dropped in mptcp_subflow_queue_clean() and the later eventual access in inet_csk_listen_stop() After the previous patch we don't need anymore special-casing msk listener socket cleanup: the mptcp worker will process each of the unaccepted msk sockets. Just drop the now unnecessary code. Please note this commit depends on the two parent ones: mptcp: refactor passive socket initialization mptcp: use the workqueue to destroy unaccepted sockets Fixes: 6aeed9045071 ("mptcp: fix race on unaccepted mptcp sockets") Cc: stable@vger.kernel.org # v6.0+ Reported-and-tested-by: Christoph Paasch Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/346 Signed-off-by: Paolo Abeni Reviewed-by: Matthieu Baerts Signed-off-by: Matthieu Baerts --- net/mptcp/protocol.c | 1 - net/mptcp/protocol.h | 1 - net/mptcp/subflow.c | 72 ---------------------------------------------------- 3 files changed, 74 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index b7014f939236..420d6616da7d 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2355,7 +2355,6 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk, /* otherwise tcp will dispose of the ssk and subflow ctx */ if (ssk->sk_state == TCP_LISTEN) { tcp_set_state(ssk, TCP_CLOSE); - mptcp_subflow_queue_clean(sk, ssk); inet_csk_listen_stop(ssk); mptcp_event_pm_listener(ssk, MPTCP_EVENT_LISTENER_CLOSED); } diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index 901c9da8fe66..bda5ad723d38 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h @@ -629,7 +629,6 @@ void mptcp_close_ssk(struct sock *sk, struct sock *ssk, struct mptcp_subflow_context *subflow); void __mptcp_subflow_send_ack(struct sock *ssk); void mptcp_subflow_reset(struct sock *ssk); -void mptcp_subflow_queue_clean(struct sock *sk, struct sock *ssk); void mptcp_sock_graft(struct sock *sk, struct socket *parent); struct socket *__mptcp_nmpc_socket(const struct mptcp_sock *msk); bool __mptcp_close(struct sock *sk, long timeout); diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 9d5bf2a020ef..5a3b17811b6b 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -1826,78 +1826,6 @@ static void subflow_state_change(struct sock *sk) } } -void mptcp_subflow_queue_clean(struct sock *listener_sk, struct sock *listener_ssk) -{ - struct request_sock_queue *queue = &inet_csk(listener_ssk)->icsk_accept_queue; - struct mptcp_sock *msk, *next, *head = NULL; - struct request_sock *req; - - /* build a list of all unaccepted mptcp sockets */ - spin_lock_bh(&queue->rskq_lock); - for (req = queue->rskq_accept_head; req; req = req->dl_next) { - struct mptcp_subflow_context *subflow; - struct sock *ssk = req->sk; - struct mptcp_sock *msk; - - if (!sk_is_mptcp(ssk)) - continue; - - subflow = mptcp_subflow_ctx(ssk); - if (!subflow || !subflow->conn) - continue; - - /* skip if already in list */ - msk = mptcp_sk(subflow->conn); - if (msk->dl_next || msk == head) - continue; - - msk->dl_next = head; - head = msk; - } - spin_unlock_bh(&queue->rskq_lock); - if (!head) - return; - - /* can't acquire the msk socket lock under the subflow one, - * or will cause ABBA deadlock - */ - release_sock(listener_ssk); - - for (msk = head; msk; msk = next) { - struct sock *sk = (struct sock *)msk; - bool do_cancel_work; - - lock_sock_nested(sk, SINGLE_DEPTH_NESTING); - next = msk->dl_next; - msk->first = NULL; - msk->dl_next = NULL; - - do_cancel_work = __mptcp_close(sk, 0); - release_sock(sk); - if (do_cancel_work) { - /* lockdep will report a false positive ABBA deadlock - * between cancel_work_sync and the listener socket. - * The involved locks belong to different sockets WRT - * the existing AB chain. - * Using a per socket key is problematic as key - * deregistration requires process context and must be - * performed at socket disposal time, in atomic - * context. - * Just tell lockdep to consider the listener socket - * released here. - */ - mutex_release(&listener_sk->sk_lock.dep_map, _RET_IP_); - mptcp_cancel_work(sk); - mutex_acquire(&listener_sk->sk_lock.dep_map, - SINGLE_DEPTH_NESTING, 0, _RET_IP_); - } - sock_put(sk); - } - - /* we are still under the listener msk socket lock */ - lock_sock_nested(listener_ssk, SINGLE_DEPTH_NESTING); -} - static int subflow_ulp_init(struct sock *sk) { struct inet_connection_sock *icsk = inet_csk(sk); From patchwork Mon Feb 27 17:29:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthieu Baerts X-Patchwork-Id: 13153950 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E726CC7EE23 for ; Mon, 27 Feb 2023 17:30:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230071AbjB0Ra1 (ORCPT ); Mon, 27 Feb 2023 12:30:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39590 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230118AbjB0RaT (ORCPT ); Mon, 27 Feb 2023 12:30:19 -0500 Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 84E6F23665 for ; Mon, 27 Feb 2023 09:30:02 -0800 (PST) Received: by mail-wr1-x435.google.com with SMTP id l25so7070829wrb.3 for ; Mon, 27 Feb 2023 09:30:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tessares.net; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=FXsFeSYXhhebwYsbMFUFO6H/liA5A1XnJx5Vo1iUzXc=; b=jiVVUh6ZHHuKpGgbeAqEhbPiahxX+jfZWSAjgEXV8ubCHO2eeD3cm9dO+ZMPTOo+0v c4Zm5N40uRAJ4i98u0ChAFvGiXUCcdFBvVCqxsB6131UdLT8Cq8ob/S0/UCBi3Z1FCWv GWFT7FXNdspyMXNozScqtQ379CI964ap5nyUewPyzOajMluOjP6wrX+JjZ0R4j89RToF IplencS/rDEOm3RBcw2swu5QGQAyPM5Jtoq569WrQTGUD2dpxFMPc6wdkBcP9Fjytr/I BzMyL0AJjTap2JgXMqrDICHxy4+wD16ZCyUBB61BIc6JmfsF0dvc8mHF8jhdUNzXSZ3k bhsw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FXsFeSYXhhebwYsbMFUFO6H/liA5A1XnJx5Vo1iUzXc=; b=CMSDRx5Xj+F/UGSAeSMyfutI13qMrIdqNNe0RAi1YL6NI/+D6CkRy45CPpzWXqZolD jHSuF5D5a0ZiKeHQw1wSsn4/hY/xnRLI70S7XvBiMG0lxp7ejlWqSiRZlKN0J8aPfuWO /yHH9LUNZunuiFr2aDNrZgymqBtyYdHf3a9gDtSF9BJfNuCHX5I4s6eiBJxkiRmDBt1Z gEbE6xddzzVBWWPjqh5P9D0S+SZpP8Ef4kRM+z97C9mwr5Zhs1y26HLKPQbJ8fsKizon SdOFGtqI60Pe3L8lQAkvJ3MciobqbPFk0FGrbEXmukHFkHm4znjWnIPDZvy5cGPSwzYA lMhQ== X-Gm-Message-State: AO0yUKXAzVweMjoJhdRQ+0+lE02IovLzsP+dh18hGt02o9FC8o+3/Eyy /yYwl2U4gXdQOwwTWKidM1y5UQ== X-Google-Smtp-Source: AK7set+GD+WdRwGtNhuSqMvqcdGrq1Sd6/n+McpoTWgTeywGeLxJqtJDYSevMGIS0lbn1/7OP4Bheg== X-Received: by 2002:a5d:4905:0:b0:242:1809:7e17 with SMTP id x5-20020a5d4905000000b0024218097e17mr18569252wrq.6.1677519000848; Mon, 27 Feb 2023 09:30:00 -0800 (PST) Received: from vdi08.nix.tessares.net (static.219.156.76.144.clients.your-server.de. [144.76.156.219]) by smtp.gmail.com with ESMTPSA id t1-20020a5d6a41000000b002c70a68111asm7763689wrw.83.2023.02.27.09.29.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Feb 2023 09:30:00 -0800 (PST) From: Matthieu Baerts Date: Mon, 27 Feb 2023 18:29:28 +0100 Subject: [PATCH net 5/7] selftests: mptcp: userspace pm: fix printed values MIME-Version: 1.0 Message-Id: <20230227-upstream-net-20230227-mptcp-fixes-v1-5-070e30ae4a8e@tessares.net> References: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> In-Reply-To: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> To: mptcp@lists.linux.dev, "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Menglong Dong , Mengen Sun , Shuah Khan , Florian Westphal , Jiang Biao Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Matthieu Baerts , stable@vger.kernel.org, Geliang Tang X-Mailer: b4 0.12.1 X-Developer-Signature: v=1; a=openpgp-sha256; l=1019; i=matthieu.baerts@tessares.net; h=from:subject:message-id; bh=u14VopBS7eG+GMQE/e+myn6drxPOU35I+54NgBvgJVc=; b=owEBbQKS/ZANAwAIAfa3gk9CaaBzAcsmYgBj/OiRvO1nGXreLTk1oRKPUSKUwo3sjBg8CHxXj F8Jh9Ior+6JAjMEAAEIAB0WIQToy4X3aHcFem4n93r2t4JPQmmgcwUCY/zokQAKCRD2t4JPQmmg czLTEAC66fH926z1SBI5/RVMdkXuHWcrSbzqIIAesibSfPKAd89A72IhbHffWOhgnzvfpsbG6YS 7bWsdjYKS4DN8bvwYeoRDGPnul0H+PdaIr2P0DNW9Yewqkahkcq5fPlZvbHnz8daq5yVK63CFwg T7/R8aNz7484dT+yiLKjVPJSpAA9lt+kXrqBIDag+nxh3jy85+Y856hMRif3Jqq75c37+QxE3Nb 9Swwp4GKoDBV/kmufiXgIBi2p6XC6aC6FBucSeQr3PcZox01SxcTjnOBgOqJJ0ONGaPVYlNrCUP O7gHIZN4jpMBkRdd3K/hNcUtncIwOSJK4WOTyKL2kKBupA3VTy3SBtQqwK3dVHDcpnOBYhrsbX3 w7t9rGU/pOucT7fRnAoZZCrWIDCuNVmDN4KmoEShDzItBhnHdA/gyoc/77qYpWc2eh05naGu7yr qNY9Hg5Yu6bghEG83vUNOaFwHg9gSDSAMJ192GbViaEEsEmRuDJh8heC5bdytdU44ln+3OFZUjj /smLEYPqGpUnHYbFiXTYAikWsg1lE5XYATp1Zu4GUB5fSOi53eFSj3G4gqmpOKTc7iwcn7cRmpx ny2YtCYVVWLmB7Wt13LEMgWkyEYhcCkJawiNEvokIb+GGTXO4bppiBHvfRxyfAP852JH9kLcR6i S9gTyG1YrdUdv9A== X-Developer-Key: i=matthieu.baerts@tessares.net; a=openpgp; fpr=E8CB85F76877057A6E27F77AF6B7824F4269A073 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org In case of errors, the printed message had the expected and the seen value inverted. This patch simply correct the order: first the expected value, then the one that has been seen. Fixes: 10d4273411be ("selftests: mptcp: userspace: print error details if any") Cc: stable@vger.kernel.org Acked-by: Geliang Tang Signed-off-by: Matthieu Baerts --- tools/testing/selftests/net/mptcp/userspace_pm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/net/mptcp/userspace_pm.sh b/tools/testing/selftests/net/mptcp/userspace_pm.sh index 66c5be25c13d..48e52f995a98 100755 --- a/tools/testing/selftests/net/mptcp/userspace_pm.sh +++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh @@ -240,7 +240,7 @@ check_expected_one() fi stdbuf -o0 -e0 printf "\tExpected value for '%s': '%s', got '%s'.\n" \ - "${var}" "${!var}" "${!exp}" + "${var}" "${!exp}" "${!var}" return 1 } From patchwork Mon Feb 27 17:29:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthieu Baerts X-Patchwork-Id: 13153949 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0BD3CC7EE30 for ; Mon, 27 Feb 2023 17:30:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229981AbjB0Ra0 (ORCPT ); Mon, 27 Feb 2023 12:30:26 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39566 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230182AbjB0RaU (ORCPT ); Mon, 27 Feb 2023 12:30:20 -0500 Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8D04623C6E for ; Mon, 27 Feb 2023 09:30:03 -0800 (PST) Received: by mail-wr1-x430.google.com with SMTP id h14so7064010wru.4 for ; Mon, 27 Feb 2023 09:30:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tessares.net; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=wv98y8dQ5akEeeGDMXXhLyBc+qsUn14H5JhwBcLUMC8=; b=ypFkDG8GwihaWq3wQQ0dfXIFbK1saigQkWJ6G37ZuynA5pBPyddMjIr2OLdiLj4t7T uRysDcqk7QBJbpMAl37INfvGgyve0VFS52g2zZt4tI2hr6WUP/FXbytgVmKTXme/zq6+ ikTusHmJWpPKmz8NbE5MElYYe28l2oshnYnxulyqWyFPGHQpS2fUpG9FYBA7qpGYkfLu i54SPLlI5FkTZwCmKGOTyrwlcsRUVDxQtrqFhM9ETTIK/dtHQZRzRsH9+kndkjurzUiK zWuEyYxarg6U+RTGSHduLfiXX4nAg/laNXsvt7bjWwGXltbm7N41WSvCH+BoRqP152PE vDiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wv98y8dQ5akEeeGDMXXhLyBc+qsUn14H5JhwBcLUMC8=; b=eCY9QzW8VfHtaTy7ibCHkoHL0HcaOUx8GPY+SGD95i3qFWOS98stcek8inNUnz7x+l mUsh3MypuHlY+NiV8VuO35FAN0I7/ZovfmiFNXWylHQ2u+lmxQ0wdeQRLfxSGYIUBdMe S92W43j4C7FvndBWqDN/buSJtQwKvdM1kaWtI6dV76iPx4OQahgbdgcR4lZmHEtxnAno tQqvxDfZ6v1hRwDxUbyGVsT7SfpZpMho6WZ0bf2ilbPZixrLwshMK/VJv8+JIirHOBFr 3NgR/eEQuRTYYw6V2B95bZNf0Be/p0bdVNrYuCVWFsC1jwAEJDJ5V1YxnMI04pQsLDgb BoUA== X-Gm-Message-State: AO0yUKXdCQO64TvA0yqWzs2jlIG3ejtEdMkuOY7TfJyEaZ0m3anPJtoO fen8MvZSB3Aopyj/pZY1jghTGA== X-Google-Smtp-Source: AK7set/j6FKuw14wpYWEr4jRGRzBW+lQOieBJgr//bQ80n0qcNR1pteX36cjnx1y5zz1mouFY1ofww== X-Received: by 2002:adf:fb8d:0:b0:2c5:5391:8ab1 with SMTP id a13-20020adffb8d000000b002c553918ab1mr21254490wrr.53.1677519001919; Mon, 27 Feb 2023 09:30:01 -0800 (PST) Received: from vdi08.nix.tessares.net (static.219.156.76.144.clients.your-server.de. [144.76.156.219]) by smtp.gmail.com with ESMTPSA id t1-20020a5d6a41000000b002c70a68111asm7763689wrw.83.2023.02.27.09.30.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Feb 2023 09:30:01 -0800 (PST) From: Matthieu Baerts Date: Mon, 27 Feb 2023 18:29:29 +0100 Subject: [PATCH net 6/7] mptcp: add ro_after_init for tcp{,v6}_prot_override MIME-Version: 1.0 Message-Id: <20230227-upstream-net-20230227-mptcp-fixes-v1-6-070e30ae4a8e@tessares.net> References: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> In-Reply-To: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> To: mptcp@lists.linux.dev, "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Menglong Dong , Mengen Sun , Shuah Khan , Florian Westphal , Jiang Biao Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Matthieu Baerts , Geliang Tang , stable@vger.kernel.org X-Mailer: b4 0.12.1 X-Developer-Signature: v=1; a=openpgp-sha256; l=1660; i=matthieu.baerts@tessares.net; h=from:subject:message-id; bh=jad8yULOXT9XROjJ8QI8on4tZ/e81AQT8x0klIvJ/Yo=; b=owEBbQKS/ZANAwAIAfa3gk9CaaBzAcsmYgBj/OiR3KUJa9kYhI2LRjDO/52fDmz/M6wMTMFDW qw5jQ4h0HSJAjMEAAEIAB0WIQToy4X3aHcFem4n93r2t4JPQmmgcwUCY/zokQAKCRD2t4JPQmmg c3f8D/423O98/uc4yGGg3XG6tCgIxWH5h/CIcb+d7+YxJwBDOudfPSp45LXimy9VGwwrxepjZt8 K7Zc2AZiS21+SgFSF8potBC/JBzkzu7YrECTrzsidoveL8bkXVNlSbJlbeYWEE19zHs7vQr6C24 JhneTo4YrfJFIPbEDIKyzlW+8Cvp73s/FyT0Kq/s0+JqK0RK7PxG6o6eVBWY9sGOTK/mKhrDQJq 4Viqh3DGmgnguVxfLQf2b8+su9mHZ/hO4TSyIBSNSjAsKIdZUVDtKm4LDKmc5ehKMSwthJCQDRj tJHa/PtTlome4LD6OPnPfeeSgBnDPapxWaeEKKnYYVo3vuofdvqIlXDQO1iVps8U5oHr/3BAqNi hkT3rrvjtVmqkzeKlxGjLC9vns1Xj9VoFEd6//us88LVX+9jbXmbYbqfhj+h589jd0R9SnZ5Lx2 0yLL23AvODWm/m6lPlgs5oA6GDyvGqOuQgDO8BptiG3p8IsLOcyXDNakazooDAd3ma8ps9N3M6f v5JKSYLMGJ91SLcny3JBe4PdrLkyxhHvPoc4eu9m5xdbrN6261x19VVt0IPEBMrKXqrf02mmPdQ NzlN0RyvPzJbyRNqr9gvCdiU6YZDlIbG6FmUx8fgFBpvqkkioyhbr/hNzmumGYUe/ZDCysoiHWG RGTpRtjC/EvuDGA== X-Developer-Key: i=matthieu.baerts@tessares.net; a=openpgp; fpr=E8CB85F76877057A6E27F77AF6B7824F4269A073 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org From: Geliang Tang Add __ro_after_init labels for the variables tcp_prot_override and tcpv6_prot_override, just like other variables adjacent to them, to indicate that they are initialised from the init hooks and no writes occur afterwards. Fixes: b19bc2945b40 ("mptcp: implement delegated actions") Cc: stable@vger.kernel.org Fixes: 51fa7f8ebf0e ("mptcp: mark ops structures as ro_after_init") Signed-off-by: Geliang Tang Reviewed-by: Matthieu Baerts Signed-off-by: Matthieu Baerts --- net/mptcp/subflow.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 5a3b17811b6b..f6b4511b09b0 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -628,7 +628,7 @@ static struct request_sock_ops mptcp_subflow_v6_request_sock_ops __ro_after_init static struct tcp_request_sock_ops subflow_request_sock_ipv6_ops __ro_after_init; static struct inet_connection_sock_af_ops subflow_v6_specific __ro_after_init; static struct inet_connection_sock_af_ops subflow_v6m_specific __ro_after_init; -static struct proto tcpv6_prot_override; +static struct proto tcpv6_prot_override __ro_after_init; static int subflow_v6_conn_request(struct sock *sk, struct sk_buff *skb) { @@ -926,7 +926,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, } static struct inet_connection_sock_af_ops subflow_specific __ro_after_init; -static struct proto tcp_prot_override; +static struct proto tcp_prot_override __ro_after_init; enum mapping_status { MAPPING_OK, From patchwork Mon Feb 27 17:29:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthieu Baerts X-Patchwork-Id: 13153948 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E26EC64ED8 for ; Mon, 27 Feb 2023 17:30:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229671AbjB0RaY (ORCPT ); Mon, 27 Feb 2023 12:30:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39578 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229842AbjB0RaV (ORCPT ); Mon, 27 Feb 2023 12:30:21 -0500 Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 90AB923D85 for ; Mon, 27 Feb 2023 09:30:04 -0800 (PST) Received: by mail-wr1-x42e.google.com with SMTP id v16so4253957wrn.0 for ; Mon, 27 Feb 2023 09:30:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tessares.net; s=google; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=deRiawW7JdNy0QaIv3Yy/aPFkC3toFzqqvaPGWyei48=; b=6Pk5Pum7YSnsna2htNtZ4tY+1XBtoXGAfekKOkX/jGa7ar2SGAS6DoDav+oex+/Hz1 eHedgZLDdIFpfJD9rNYGpKydSdjkYoQvsfxJlhDTJpElH3QNraf5N8QL+0NBlg/SIMUy pcBe4q3e5VQpcx3L8IL2BJdcffJJ39mZdmG5JZ3qWGTIYvWntw8vjwfRyJKR+pvlGH52 5gpD/3yBQkxMpxI6/679DC0mZ7Kkc4IR1vG0gLocmBaohYQGBxGMJANctFk2HQbX3pwc QllXXfbbwnDeWITQ01EKy1B31Vi1JV9QfwGahyZncUUyKIr/v3cJhrmJpTYiBVOKIS9v YoTA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=deRiawW7JdNy0QaIv3Yy/aPFkC3toFzqqvaPGWyei48=; b=kdocecBnB4WHuGCQGbIhAyhB7utDWNcbmOFkTC9O+mMVxWADxnH3Hf+CMfw+5/G1NE cM/RMBwC5PEl+eL6OQx9ROLTO9RxE2DYlK5RqhWzbC3fIsdMMrGzjaTucda4jwpbRC7w vMDPFMRUAprU6YHdSoaBiF/hZpn1DF/DqEPx9ortx6P9jvpbdsap79hjQOlSgVO9aVUR L+Pcjoj6xHW1zijTSX65IyO6lhMC1ypAReRb/n51E6U3nVwhQHRyTRsEMJXAHh42gFkr SEfGhtHnMMb10nketRdZgW73sD25MLJshaCQv6NTyrkL3KGZZ2QurZuo9hFLRQvYnLSx Gurw== X-Gm-Message-State: AO0yUKVt1Gq1s2lS0AFi3OvvlNhr9AEsexBNpr/Qm8TlfDMTyeCT4jxw 4Pq0SpLybejQSjXgBYgPmzlwfA== X-Google-Smtp-Source: AK7set8/XDombvwT5MsIh/G8JzGbdq8e5xfVCkBm6t112lsnOD03lHNvPYejla3hWvZROcw51RCHdQ== X-Received: by 2002:a5d:52d2:0:b0:2ca:8ae5:ea6 with SMTP id r18-20020a5d52d2000000b002ca8ae50ea6mr4965384wrv.44.1677519003021; Mon, 27 Feb 2023 09:30:03 -0800 (PST) Received: from vdi08.nix.tessares.net (static.219.156.76.144.clients.your-server.de. [144.76.156.219]) by smtp.gmail.com with ESMTPSA id t1-20020a5d6a41000000b002c70a68111asm7763689wrw.83.2023.02.27.09.30.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Feb 2023 09:30:02 -0800 (PST) From: Matthieu Baerts Date: Mon, 27 Feb 2023 18:29:30 +0100 Subject: [PATCH net 7/7] mptcp: avoid setting TCP_CLOSE state twice MIME-Version: 1.0 Message-Id: <20230227-upstream-net-20230227-mptcp-fixes-v1-7-070e30ae4a8e@tessares.net> References: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> In-Reply-To: <20230227-upstream-net-20230227-mptcp-fixes-v1-0-070e30ae4a8e@tessares.net> To: mptcp@lists.linux.dev, "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Menglong Dong , Mengen Sun , Shuah Khan , Florian Westphal , Jiang Biao Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Matthieu Baerts , stable@vger.kernel.org X-Mailer: b4 0.12.1 X-Developer-Signature: v=1; a=openpgp-sha256; l=963; i=matthieu.baerts@tessares.net; h=from:subject:message-id; bh=ZQAflEk+Pt3pdyX3H49VKj6DNfbIjbdl8OwWNGZf1oo=; b=owEBbQKS/ZANAwAIAfa3gk9CaaBzAcsmYgBj/OiSKcNbYspP4is6sagaj4lgSe0AAKke2eBo6 b0pUvD32P2JAjMEAAEIAB0WIQToy4X3aHcFem4n93r2t4JPQmmgcwUCY/zokgAKCRD2t4JPQmmg c+fQEADo3jnVu0BRlzREUet2ygwyPhNLWvDv5KQ6kMiT0FqqEzpgZEMzhRU5Pi+6JHGMIK01hRh RNdXmRQ9kGBwlTmPWhjt2lYivyVJcR3BJY59q6HRnAkCp887qyf/fcUziyaIVXU3HmHWWjr0dGT eSjDAOVfa2Tl9PvUhfpor3rC03ayatTiKZrLNbuUpJKkBET4BKWd+OdgA7Le/Nnhz5nZQPAe3Y/ 5O84AUf4w3LKOsSzTeyJ0Yd+s8z0wcAXp5l2S47H7kI/F1BHxKNn+flQSu/yCVjiSb0MEv3dYBO cWSG1CFdNiUVrZEsUWHboLw9Ypk67HcAKzOaL7srmEGBzpD7u2sQJw0fuhEViLvjx2WFyxL7jGi 2PgpvOn3B8F7tA7vKEt8Qap+pjebxrgM/w/gV0uA4XrpFmQQehP5ySO/2s+dKyqHoWaNrRK9HrP oVCyRbgOYijYjTsCVHB7SK90jKBamk+bdSbS5JHoNnRZPo0J8fOoP7ElkdrGjuMajjwrnTPxHze O6Zc37mBVdeTz2TV7Y9mT47mWrsnanyn7egrdfmtuBLWuDliSC217cBuYZ3Q6ci/NJFCLWQVmrQ 5new4VkeIto0Y1u85+6Akcs30TfEsmwRC5H/tfDjWNI56eAy6Pe+y/bwk0dQj2NspYxsrl4BPML iUOtjUnOdSsJSrw== X-Developer-Key: i=matthieu.baerts@tessares.net; a=openpgp; fpr=E8CB85F76877057A6E27F77AF6B7824F4269A073 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org tcp_set_state() is called from tcp_done() already. There is then no need to first set the state to TCP_CLOSE, then call tcp_done(). Fixes: d582484726c4 ("mptcp: fix fallback for MP_JOIN subflows") Cc: stable@vger.kernel.org Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/362 Acked-by: Paolo Abeni Signed-off-by: Matthieu Baerts --- net/mptcp/subflow.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index f6b4511b09b0..b865ba911bc4 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -406,7 +406,6 @@ void mptcp_subflow_reset(struct sock *ssk) /* must hold: tcp_done() could drop last reference on parent */ sock_hold(sk); - tcp_set_state(ssk, TCP_CLOSE); tcp_send_active_reset(ssk, GFP_ATOMIC); tcp_done(ssk); if (!test_and_set_bit(MPTCP_WORK_CLOSE_SUBFLOW, &mptcp_sk(sk)->flags) &&