From: "Matthieu Baerts (NGI0)" matttbe@kernel.org
mainline inclusion
from mainline-v6.11-rc5
commit 1c1f721375989579e46741f59523e39ec9b2a9bd
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAQOJM
CVE: CVE-2024-45009
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Adding the following warning ...
WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)
... before decrementing the add_addr_accepted counter helped to find a bug when running the "remove single subflow" subtest from the mptcp_join.sh selftest.
Removing a 'subflow' endpoint will first trigger a RM_ADDR, then the subflow closure. Before this patch, and upon the reception of the RM_ADDR, the other peer will then try to decrement this add_addr_accepted. That's not correct because the attached subflows have not been created upon the reception of an ADD_ADDR.
A way to solve that is to decrement the counter only if the attached subflow was an MP_JOIN to a remote id that was not 0, and initiated by the host receiving the RM_ADDR.
Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau martineau@kernel.org
Signed-off-by: Matthieu Baerts (NGI0) matttbe@kernel.org
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-9-38035d40de5b@...
Signed-off-by: Jakub Kicinski kuba@kernel.org
Conflicts:
	net/mptcp/pm_netlink.c
[conflicts due to not merged 9f12e97bf16c ("mptcp: unify RM_ADDR and RM_SUBFLOW receiving")]
Signed-off-by: Wang Liang wangliang74@huawei.com
---
 net/mptcp/pm_netlink.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 14f10f1ba75a..122833ade4ef 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -426,6 +426,7 @@ void mptcp_pm_nl_rm_addr_received(struct mptcp_sock *msk) struct sock *ssk = mptcp_subflow_tcp_sock(subflow); int how = RCV_SHUTDOWN | SEND_SHUTDOWN; long timeout = 0; + bool removed = false;
if (msk->pm.rm_id != subflow->remote_id) continue; @@ -435,7 +436,13 @@ void mptcp_pm_nl_rm_addr_received(struct mptcp_sock *msk) __mptcp_close_ssk(sk, ssk, subflow, timeout); spin_lock_bh(&msk->pm.lock);
- msk->pm.add_addr_accepted--; + removed |= subflow->request_join; + if (removed && msk->pm.rm_id && + !WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)) + /* Note: if the subflow has been closed before, this + * add_addr_accepted counter will not be decremented. + */ + msk->pm.add_addr_accepted--; msk->pm.subflows--; WRITE_ONCE(msk->pm.accept_addr, true);
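Review bot: in the second hunk, `removed` is declared inside the loop body next to `ssk`, `how` and `timeout` (first hunk: `+ bool removed = false;`), so it is reset to false on every iteration and `removed |= subflow->request_join;` is effectively a plain assignment; either hoist the declaration above the loop if a join seen on an earlier subflow is meant to carry over, or write `bool removed = subflow->request_join;` so the compound assignment does not suggest accumulation that never happens. The guard itself matches the commit message: the loop already does `if (msk->pm.rm_id != subflow->remote_id) continue;`, so testing `msk->pm.rm_id` non-zero is exactly the "remote id that was not 0" case, and `request_join` limits the decrement to subflows this host initiated via MP_JOIN. The in-code note that a subflow closed earlier will not decrement `add_addr_accepted` documents a known gap (the counter can stay one too high after such a close) and deserves a sentence in the commit message as well, since the backport note about the unmerged 9f12e97bf16c is the only place a reader is warned that this path differs from mainline.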