Commit 39c5128d authored by Matthieu Baerts (NGI0), committed by Wang Liang

mptcp: pm: only decrement add_addr_accepted for MPJ req

stable inclusion
from stable-v6.6.48
commit d20bf2c96d7ffd171299b32f562f70e5bf5dc608
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAQOJM
CVE: CVE-2024-45009

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d20bf2c96d7ffd171299b32f562f70e5bf5dc608



--------------------------------

commit 1c1f721375989579e46741f59523e39ec9b2a9bd upstream.

Adding the following warning ...

  WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)

... before decrementing the add_addr_accepted counter helped to find a
bug when running the "remove single subflow" subtest from the
mptcp_join.sh selftest.

Removing a 'subflow' endpoint will first trigger a RM_ADDR, then the
subflow closure. Before this patch, and upon the reception of the
RM_ADDR, the other peer will then try to decrement this
add_addr_accepted. That's not correct because the attached subflows have
not been created upon the reception of an ADD_ADDR.

A way to solve that is to decrement the counter only if the attached
subflow was an MP_JOIN to a remote id that was not 0, and initiated by
the host receiving the RM_ADDR.

Fixes: d0876b22 ("mptcp: add the incoming RM_ADDR support")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-9-38035d40de5b@kernel.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Wang Liang <wangliang74@huawei.com>
parent 6d1d24f5
+6 −2
@@ -841,7 +841,7 @@ static void mptcp_pm_nl_rm_addr_or_subflow(struct mptcp_sock *msk,
			mptcp_close_ssk(sk, ssk, subflow);
			spin_lock_bh(&msk->pm.lock);

			removed = true;
			removed |= subflow->request_join;
			if (rm_type == MPTCP_MIB_RMSUBFLOW)
				__MPTCP_INC_STATS(sock_net(sk), rm_type);
		}
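Review bot: On the replacement line `removed |= subflow->request_join;`, the flag no longer means "a subflow was removed"; it now means "a removed subflow had request_join set", which is how the commit message's "MP_JOIN ... initiated by the host receiving the RM_ADDR" condition is expressed in code. Suggest renaming the variable or adding a one-line comment at this assignment, since the name `removed` now misleads anyone reading the later rm_type branches. Note also that the MPTCP_MIB_RMSUBFLOW stat on the following lines is still incremented for every closed subflow regardless of request_join; if that asymmetry is intended, the comment is a good place to say so.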
@@ -855,7 +855,11 @@ static void mptcp_pm_nl_rm_addr_or_subflow(struct mptcp_sock *msk,
		if (!mptcp_pm_is_kernel(msk))
			continue;

		if (rm_type == MPTCP_MIB_RMADDR) {
		if (rm_type == MPTCP_MIB_RMADDR && rm_id &&
		    !WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)) {
			/* Note: if the subflow has been closed before, this
			 * add_addr_accepted counter will not be decremented.
			 */
			msk->pm.add_addr_accepted--;
			WRITE_ONCE(msk->pm.accept_addr, true);
		} else if (rm_type == MPTCP_MIB_RMSUBFLOW) {
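Review bot: In the new condition, the `rm_id &&` test carries the commit message's "remote id that was not 0" rule but nothing in the code says so, and the added comment only covers the other case (subflow closed earlier, counter left as it is). Suggest extending that comment to state why id 0 is excluded and that the counter can stay elevated in the already-closed case. Separately, when the `WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)` guard fires, the branch skips `WRITE_ONCE(msk->pm.accept_addr, true)` along with the decrement; worth confirming that is intended. Since this path runs on reception of an RM_ADDR, it is also worth confirming the warning can no longer be reached from peer input after this change, which matters on hosts running with panic_on_warn.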