Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp3112936pxm; Mon, 28 Feb 2022 12:16:46 -0800 (PST) X-Google-Smtp-Source: ABdhPJyXuQxZ/B2bUYm0+HyOO2ECWG8Qh/LMdoD9BqJEnU2tQcn6SFwdWglcueNS5tgwhw4b1rWb X-Received: by 2002:a17:902:a989:b0:14f:969b:f6b6 with SMTP id bh9-20020a170902a98900b0014f969bf6b6mr21517193plb.15.1646079406667; Mon, 28 Feb 2022 12:16:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1646079406; cv=none; d=google.com; s=arc-20160816; b=JK7BHsQV94N0HPqhT8V0UwAuVqbezhc122DNCvOUH+BcxSOk0US4Ea6di4ZmF0y5a5 lviMx2B9QvfRjWgsgM+TBkRL7tp4LWuzoCynKzCHHOXnqgSJHyuiXU4A60aCXBUWypro BBSO5c4CHbREDB1op01ojYy0UMRgnE57Hg0KjaDOWtpl5tex8aTtH/huSQopoNy+wQtK ZsOU0WEOIGEVbu+UC3VX8ZP1bJV2eEOw/fkM5v8F7saiAuRo7K7YNKmoNKk3TlGNp2mH C9Qmd0KIgA5dXvKCf5kOmLxySu/qG+9tnWOiOgybIULF6fEq14mAiZoCdXC8c3G0lKwa o5bg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=1FvWRkaGzIPsoefkeCeDkhjFalTehw38XlQ3FWeim7o=; b=Z4SuZtrwDQut/umWDTs1Tk63qXoyqyHlJ6cTPUHkjVs9Ui3624Tfvwi/cKVUYbakZz pZth1ee77GmkgTwllWqiebMbqyL7MifrQbSDSsTmLatWJy7F16da4Zl6HRUazOWFzQH7 ANMR/qHTLFH52ZGc2Iq+hwLsm7YGJ/JkrQapmsZQ3jijCOqnyWwrHMVVIi2sEHmDQEri g4tf32LhZsyBr4isO5OoPXuPoOT/GGe4dj5d4NhVHhGVDzNJqy9iqPRNJ5nn6XqmPTxY MykcBNWNwl6xlqUKASoNBGCXXEiyWgzyatPD2tMO0bbADILxnUzaWdnxWrUCAzTgfsLy FQnw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=p2VXuByL; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id w197-20020a62ddce000000b004bc1f473b12si9969876pff.91.2022.02.28.12.16.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 28 Feb 2022 12:16:46 -0800 (PST) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=p2VXuByL; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 0D1AD6E8DB; Mon, 28 Feb 2022 11:39:06 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239794AbiB1SCo (ORCPT + 99 others); Mon, 28 Feb 2022 13:02:44 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46992 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234827AbiB1Ryq (ORCPT ); Mon, 28 Feb 2022 12:54:46 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 66CBAF2B; Mon, 28 Feb 2022 09:44:08 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 0F383B81085; Mon, 28 Feb 2022 17:44:07 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 74F2AC340E7; Mon, 28 Feb 2022 17:44:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1646070245; bh=TQEvo4SlinlRCuCloRelj2WzOa4s+iA4H9FM7v2aA1c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=p2VXuByLqeKUqyWfEXMsP2hbkTYrOARLPlovdasaP8tgHehnRLq+mQLbRHDXZ3Ewa ErWenudfie/SSFBDC5U4Av96J5+Xsn55T6nMGZUy9Ay5WyLgipDIxg7ZoLIROFFNV/ ScxQq8Tttlj+X3Xs7EmBM5Grwf6FUTPEGN/nJQgY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Matthieu Baerts , Paolo Abeni , Mat Martineau , "David S. Miller" Subject: [PATCH 5.16 038/164] mptcp: fix race in incoming ADD_ADDR option processing Date: Mon, 28 Feb 2022 18:23:20 +0100 Message-Id: <20220228172403.732021961@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220228172359.567256961@linuxfoundation.org> References: <20220228172359.567256961@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Paolo Abeni commit 837cf45df163a3780bc04b555700231e95b31dc9 upstream. If an MPTCP endpoint received multiple consecutive incoming ADD_ADDR options, mptcp_pm_add_addr_received() can overwrite the current remote address value after the PM lock is released in mptcp_pm_nl_add_addr_received() and before such address is echoed. Fix the issue caching the remote address value a little earlier and always using the cached value after releasing the PM lock. Fixes: f7efc7771eac ("mptcp: drop argument port from mptcp_pm_announce_addr") Reviewed-by: Matthieu Baerts Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/mptcp/pm_netlink.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -606,6 +606,7 @@ static void mptcp_pm_nl_add_addr_receive unsigned int add_addr_accept_max; struct mptcp_addr_info remote; unsigned int subflows_max; + bool reset_port = false; int i, nr; add_addr_accept_max = mptcp_pm_get_add_addr_accept_max(msk); @@ -615,15 +616,19 @@ static void mptcp_pm_nl_add_addr_receive msk->pm.add_addr_accepted, add_addr_accept_max, msk->pm.remote.family); - if (lookup_subflow_by_daddr(&msk->conn_list, &msk->pm.remote)) + remote = msk->pm.remote; + if (lookup_subflow_by_daddr(&msk->conn_list, &remote)) goto add_addr_echo; + /* pick id 0 port, if none is provided the remote address */ + if (!remote.port) { + reset_port = true; + remote.port = sk->sk_dport; + } + /* connect to the specified remote address, using whatever * local address the routing configuration will pick. */ - remote = msk->pm.remote; - if (!remote.port) - remote.port = sk->sk_dport; nr = fill_local_addresses_vec(msk, addrs); msk->pm.add_addr_accepted++; @@ -636,8 +641,12 @@ static void mptcp_pm_nl_add_addr_receive __mptcp_subflow_connect(sk, &addrs[i], &remote); spin_lock_bh(&msk->pm.lock); + /* be sure to echo exactly the received address */ + if (reset_port) + remote.port = 0; + add_addr_echo: - mptcp_pm_announce_addr(msk, &msk->pm.remote, true); + mptcp_pm_announce_addr(msk, &remote, true); mptcp_pm_nl_addr_send_ack(msk); }