| commit | 596fd00b0ed52f5524a8414339348b755202d44d |
|---|---|
| author | Paolo Abeni <[email protected]> | Tue Jan 03 12:19:17 2023 +0100 |
| committer | Vaibhav Rustagi <[email protected]> | Fri Jan 20 18:14:40 2023 +0000 |
| tree | e6ee775c7ed7d28ee4c5e5815c63168acd603b3d |
| parent | 883fa318b429edb0e19a887572aef5438e65eec3 |
net/ulp: prevent ULP without clone op from entering the LISTEN status

commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream.

When a ULP-enabled socket enters the LISTEN status, the listener ULP data pointer is copied inside the child/accepted sockets by sk_clone_lock().

The relevant ULP can take care of de-duplicating the context pointer via the clone() operation, but only MPTCP and SMC implement such op.

Other ULPs may end up with a double-free at socket disposal time.

We can't simply clear the ULP data at clone time, as TLS replaces the socket ops with custom ones assuming a valid TLS ULP context is available.

Instead, completely prevent clone-less ULP sockets from entering the LISTEN status.

BUG=b/266088428
TEST=presubmit
RELEASE_NOTE=See b/266088428 for more details.

Fixes: 734942cc4ea6 ("tcp: ULP infrastructure")
Reported-by: slipper <[email protected]>
Change-Id: Ie64664dc14573961d4c314eff6594c4624132bbd
Signed-off-by: Paolo Abeni <[email protected]>
Link: https://lore.kernel.org/r/4b80c3d1dbe3d0ab072f80450c202d9bc88b4b03.1672740602.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit c6d29a5ffdbc362314853462a0e24e63330a654d)
Signed-off-by: Vaibhav Rustagi <[email protected]>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/41370
Tested-by: Cusky Presubmit Bot <[email protected]>
Reviewed-by: Meena Shanmugam <[email protected]>