Patch 1 adds MPTCP long time contributor -- Geliang Tang -- as a new reviewer for the project. Thanks!
Patch 2 prevents a warning when TCP Diag is used to close internal MPTCP listener subflows. This is a correction for a patch introduced in v6.4 which was fixing an issue from v5.17.
Signed-off-by: Matthieu Baerts matttbe@kernel.org --- Matthieu Baerts (1): MAINTAINERS: add Geliang as reviewer for MPTCP
Paolo Abeni (1): mptcp: prevent tcp diag from closing listener subflows
MAINTAINERS | 1 + net/mptcp/subflow.c | 13 +++++++++++++ 2 files changed, 14 insertions(+) --- base-commit: dff90e4a092b771354287fbe55e557467c9da620 change-id: 20231226-upstream-net-20231226-mptcp-prevent-warn-24f9494bb2a0
Best regards,
From: Paolo Abeni pabeni@redhat.com
The MPTCP protocol does not expect that any other entity could change the first subflow status when such socket is listening. Unfortunately the TCP diag interface allows aborting any TCP socket, including MPTCP listeners subflows. As reported by syzbot, that trigger a WARN() and could lead to later bigger trouble.
The MPTCP protocol needs to do some MPTCP-level cleanup actions to properly shutdown the listener. To keep the fix simple, prevent entirely the diag interface from stopping such listeners.
We could refine the diag callback in a later, larger patch targeting net-next.
Fixes: 57fc0f1ceaa4 ("mptcp: ensure listener is unhashed before updating the sk status") Cc: stable@vger.kernel.org Reported-by: syzbot+5a01c3a666e726bc8752@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/0000000000004f4579060c68431b@google.com/ Signed-off-by: Paolo Abeni pabeni@redhat.com Reviewed-by: Mat Martineau martineau@kernel.org Signed-off-by: Matthieu Baerts matttbe@kernel.org --- net/mptcp/subflow.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 6d7684c35e93..852b3f4af000 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -1982,6 +1982,17 @@ static void tcp_release_cb_override(struct sock *ssk) tcp_release_cb(ssk); }
+static int tcp_abort_override(struct sock *ssk, int err) +{ + /* closing a listener subflow requires a great deal of care. + * keep it simple and just prevent such operation + */ + if (inet_sk_state_load(ssk) == TCP_LISTEN) + return -EINVAL; + + return tcp_abort(ssk, err); +} + static struct tcp_ulp_ops subflow_ulp_ops __read_mostly = { .name = "mptcp", .owner = THIS_MODULE, @@ -2026,6 +2037,7 @@ void __init mptcp_subflow_init(void)
tcp_prot_override = tcp_prot; tcp_prot_override.release_cb = tcp_release_cb_override; + tcp_prot_override.diag_destroy = tcp_abort_override;
#if IS_ENABLED(CONFIG_MPTCP_IPV6) /* In struct mptcp_subflow_request_sock, we assume the TCP request sock @@ -2061,6 +2073,7 @@ void __init mptcp_subflow_init(void)
tcpv6_prot_override = tcpv6_prot; tcpv6_prot_override.release_cb = tcp_release_cb_override; + tcpv6_prot_override.diag_destroy = tcp_abort_override; #endif
mptcp_diag_subflow_init(&subflow_ulp_ops);
Hello:
This series was applied to netdev/net.git (main) by Jakub Kicinski kuba@kernel.org:
On Tue, 26 Dec 2023 13:10:16 +0100 you wrote:
Patch 1 adds MPTCP long time contributor -- Geliang Tang -- as a new reviewer for the project. Thanks!
Patch 2 prevents a warning when TCP Diag is used to close internal MPTCP listener subflows. This is a correction for a patch introduced in v6.4 which was fixing an issue from v5.17.
[...]
Here is the summary with links: - [net,1/2] MAINTAINERS: add Geliang as reviewer for MPTCP https://git.kernel.org/netdev/net/c/118ba479d02c - [net,2/2] mptcp: prevent tcp diag from closing listener subflows https://git.kernel.org/netdev/net/c/4c0288299fd0
You are awesome, thank you!
linux-stable-mirror@lists.linaro.org
-
Matthieu Baerts -
patchwork-bot+netdevbpf@kernel.org