Commit 86214366 authored May 05, 2021 by Cong Wang Committed by David S. Miller May 05, 2021

smc: disallow TCP_ULP in smc_setsockopt()



syzbot is able to setup kTLS on an SMC socket which coincidentally
uses sk_user_data too. Later, kTLS treats it as psock so triggers a
refcnt warning. The root cause is that smc_setsockopt() simply calls
TCP setsockopt() which includes TCP_ULP. I do not think it makes
sense to setup kTLS on top of SMC sockets, so we should just disallow
this setup.

It is hard to find a commit to blame, but we can apply this patch
since the beginning of TCP_ULP.

Reported-and-tested-by:  <syzbot+b54a1ce86ba4a623b7f0@syzkaller.appspotmail.com>
Fixes: 734942cc ("tcp: ULP infrastructure")
Cc: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 2c16db6c

net/smc/af_smc.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -2161,6 +2161,9 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
		struct smc_sock *smc;
		int val, rc;

		if (level == SOL_TCP && optname == TCP_ULP)
		return -EOPNOTSUPP;

		smc = smc_sk(sk);

		/* generic setsockopts reaching us here always apply to the
		@@ -2185,7 +2188,6 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
		if (rc \|\| smc->use_fallback)
		goto out;
		switch (optname) {
		case TCP_ULP:
		case TCP_FASTOPEN:
		case TCP_FASTOPEN_CONNECT:
		case TCP_FASTOPEN_KEY: