commit | 0ee6c6430e12016e89461c35c3e24fe0e4b96b15 | |
---|---|---|
author | Paolo Abeni <[email protected]> | Tue Jan 03 12:19:17 2023 +0100 |
committer | Vaibhav Rustagi <[email protected]> | Fri Jan 20 18:09:41 2023 +0000 |
tree | fbd149fdd3639273374380225c97992f9a37e541 | |
parent | 7bb47791ee8479e7b8fb4b6b1735918fc8b934f4 |

net/ulp: prevent ULP without clone op from entering the LISTEN status

commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream.

When an ULP-enabled socket enters the LISTEN status, the listener ULP data pointer is copied inside the child/accepted sockets by sk_clone_lock().

The relevant ULP can take care of de-duplicating the context pointer via the clone() operation, but only MPTCP and SMC implement such op.

Other ULPs may end-up with a double-free at socket disposal time.

We can't simply clear the ULP data at clone time, as TLS replaces the socket ops with custom ones assuming a valid TLS ULP context is available.

Instead completely prevent clone-less ULP sockets from entering the LISTEN status.

BUG=b/266088721
TEST=presubmit
RELEASE_NOTE=See b/266088721 for more details.

Fixes: 734942cc4ea6 ("tcp: ULP infrastructure")
Reported-by: slipper <[email protected]>
Change-Id: Ia519f296225aae60a4e03ee515e87b38d566f75e
Signed-off-by: Paolo Abeni <[email protected]>
Link: https://lore.kernel.org/r/4b80c3d1dbe3d0ab072f80450c202d9bc88b4b03.1672740602.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0)
Signed-off-by: Vaibhav Rustagi <[email protected]>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/41368
Reviewed-by: Meena Shanmugam <[email protected]>
Tested-by: Cusky Presubmit Bot <[email protected]>
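
The ownership problem the commit message describes, reduced to a userspace model. This is an added example, not code from the commit or from the kernel; every struct and function name in it, and the -EINVAL return value, is an assumption of the model.

```c
#include <errno.h>
#include <stdio.h>
/* Toy userspace model: every name here is hypothetical, none is kernel code. */
struct ulp_ctx { int releases; };   /* counts releases instead of freeing */
struct sock { const struct ulp_ops *ops; struct ulp_ctx *ulp_data; };
struct ulp_ops { void (*clone)(struct sock *child); };  /* clone may be NULL */

/* The child starts as a plain copy of the listener, ULP data pointer included. */
static struct sock sock_clone(const struct sock *listener)
{
    struct sock child = *listener;
    if (child.ops && child.ops->clone)
        child.ops->clone(&child);   /* the ULP de-duplicates its own context */
    return child;
}

static void sock_destroy(struct sock *sk)
{
    if (sk->ulp_data)
        sk->ulp_data->releases++;   /* stands in for freeing the context */
}

/* Guard described in the commit message; -EINVAL is this model's choice. */
static int sock_listen(const struct sock *sk, int guard)
{
    return (guard && sk->ops && !sk->ops->clone) ? -EINVAL : 0;
}
static void drop_ctx(struct sock *child) { child->ulp_data = NULL; }
static const struct ulp_ops cloneless_ulp = { NULL };
static const struct ulp_ops cloning_ulp = { drop_ctx };

/* Context releases after listen plus one accept, or -EINVAL if listen is refused. */
static int releases_after_accept(const struct ulp_ops *ops, int guard)
{
    struct ulp_ctx ctx = { 0 };
    struct sock listener = { ops, &ctx };
    if (sock_listen(&listener, guard) < 0)
        return -EINVAL;
    struct sock child = sock_clone(&listener);
    sock_destroy(&child);
    sock_destroy(&listener);
    return ctx.releases;
}

int main(void)
{
    printf("%d %d %d\n", releases_after_accept(&cloneless_ulp, 0),
           releases_after_accept(&cloneless_ulp, 1), releases_after_accept(&cloning_ulp, 1));
    return 0;
}
```

Without the guard, a clone-less ULP leaves listener and child releasing the same context; with the guard, listen is refused before any child can be cloned.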