From: Florian Westphal
Cc: Florian Westphal
Subject: [PATCH mptcp] mptcp: don't return sockets in foreign netns
Date: Wed, 15 Sep 2021 14:11:44 +0200
Message-Id: <20210915121144.9891-1-fw@strlen.de>
X-Mailing-List: mptcp@lists.linux.dev

mptcp_token_get_sock() may return a mptcp socket that is in
a different net namespace than the socket that received the token value.

The mptcp syncookie code path had an explicit check for this,
this moves the test into mptcp_token_get_sock() function.

Eventually token.c should be converted to pernet storage, but
such change is not suitable for net tree.

Signed-off-by: Florian Westphal
Reviewed-by: Mat Martineau
---
 net/mptcp/mptcp_diag.c | 2 +-
 net/mptcp/protocol.h | 2 +-
 net/mptcp/subflow.c | 2 +-
 net/mptcp/syncookies.c | 13 +------------
 net/mptcp/token.c | 10 +++++++---
 net/mptcp/token_test.c | 14 ++++++++------
 6 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/net/mptcp/mptcp_diag.c b/net/mptcp/mptcp_diag.c index fdf0c1f15a65..f44125dd6697 100644 --- a/net/mptcp/mptcp_diag.c +++ b/net/mptcp/mptcp_diag.c @@ -36,7 +36,7 @@ static int mptcp_diag_dump_one(struct netlink_callback *c= b, struct sock *sk; =20 net =3D sock_net(in_skb->sk); - msk =3D mptcp_token_get_sock(req->id.idiag_cookie[0]); + msk =3D mptcp_token_get_sock(net, req->id.idiag_cookie[0]); if (!msk) goto out_nosk; =20 diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index d3e6fd1615f1..dc984676c5eb 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h 
@@ -709,7 +709,7 @@ int mptcp_token_new_connect(struct sock *sk); void mptcp_token_accept(struct mptcp_subflow_request_sock *r, struct mptcp_sock *msk); bool mptcp_token_exists(u32 token); -struct mptcp_sock *mptcp_token_get_sock(u32 token); +struct mptcp_sock *mptcp_token_get_sock(struct net *net, u32 token); struct mptcp_sock *mptcp_token_iter_next(const struct net *net, long *s_sl= ot, long *s_num); void mptcp_token_destroy(struct mptcp_sock *msk); diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 1de7ce883c37..6172f380dfb7 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -86,7 +86,7 @@ static struct mptcp_sock *subflow_token_join_request(stru= ct request_sock *req) struct mptcp_sock *msk; int local_id; =20 - msk =3D mptcp_token_get_sock(subflow_req->token); + msk =3D mptcp_token_get_sock(sock_net(req_to_sk(req)), subflow_req->token= ); if (!msk) { SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINNOTOKEN); return NULL; diff --git a/net/mptcp/syncookies.c b/net/mptcp/syncookies.c index 37127781aee9..7f22526346a7 100644 --- a/net/mptcp/syncookies.c +++ b/net/mptcp/syncookies.c @@ -108,18 +108,12 @@ bool mptcp_token_join_cookie_init_state(struct mptcp_= subflow_request_sock *subfl =20 e->valid =3D 0; =20 - msk =3D mptcp_token_get_sock(e->token); + msk =3D mptcp_token_get_sock(net, e->token); if (!msk) { spin_unlock_bh(&join_entry_locks[i]); return false; } =20 - /* If this fails, the token got re-used in the mean time by another - * mptcp socket in a different netns, i.e. entry is outdated. - */ - if (!net_eq(sock_net((struct sock *)msk), net)) - goto err_put; - subflow_req->remote_nonce =3D e->remote_nonce; subflow_req->local_nonce =3D e->local_nonce; subflow_req->backup =3D e->backup; 
@@ -128,11 +122,6 @@ bool mptcp_token_join_cookie_init_state(struct mptcp_s= ubflow_request_sock *subfl subflow_req->msk =3D msk; spin_unlock_bh(&join_entry_locks[i]); return true; - -err_put: - spin_unlock_bh(&join_entry_locks[i]); - sock_put((struct sock *)msk); - return false; } =20 void __init mptcp_join_cookie_init(void) diff --git a/net/mptcp/token.c b/net/mptcp/token.c index a98e554b034f..313a3e793e61 100644 --- a/net/mptcp/token.c +++ b/net/mptcp/token.c @@ -238,7 +238,7 @@ bool mptcp_token_exists(u32 token) * * returns NULL if no connection with the given token value exists. */ -struct mptcp_sock *mptcp_token_get_sock(u32 token) +struct mptcp_sock *mptcp_token_get_sock(struct net *net, u32 token) { struct hlist_nulls_node *pos; struct token_bucket *bucket; @@ -251,11 +251,15 @@ struct mptcp_sock *mptcp_token_get_sock(u32 token) again: sk_nulls_for_each_rcu(sk, pos, &bucket->msk_chain) { msk =3D mptcp_sk(sk); - if (READ_ONCE(msk->token) !=3D token) + if (READ_ONCE(msk->token) !=3D token || + !net_eq(sock_net(sk), net)) continue; + if (!refcount_inc_not_zero(&sk->sk_refcnt)) goto not_found; - if (READ_ONCE(msk->token) !=3D token) { + + if (READ_ONCE(msk->token) !=3D token || + !net_eq(sock_net(sk), net)) { sock_put(sk); goto again; } diff --git a/net/mptcp/token_test.c b/net/mptcp/token_test.c index e1bd6f0a0676..5d984bec1cd8 100644 --- a/net/mptcp/token_test.c +++ b/net/mptcp/token_test.c @@ -11,6 +11,7 @@ static struct mptcp_subflow_request_sock *build_req_sock(= struct kunit *test) GFP_USER); KUNIT_EXPECT_NOT_ERR_OR_NULL(test, req); mptcp_token_init_request((struct request_sock *)req); + sock_net_set((struct sock *)req, &init_net); return req; } =20 
@@ -22,7 +23,7 @@ static void mptcp_token_test_req_basic(struct kunit *test) KUNIT_ASSERT_EQ(test, 0, mptcp_token_new_request((struct request_sock *)req)); KUNIT_EXPECT_NE(test, 0, (int)req->token); - KUNIT_EXPECT_PTR_EQ(test, null_msk, mptcp_token_get_sock(req->token)); + KUNIT_EXPECT_PTR_EQ(test, null_msk, mptcp_token_get_sock(&init_net, req->= token)); =20 /* cleanup */ mptcp_token_destroy_request((struct request_sock *)req); @@ -55,6 +56,7 @@ static struct mptcp_sock *build_msk(struct kunit *test) msk =3D kunit_kzalloc(test, sizeof(struct mptcp_sock), GFP_USER); KUNIT_EXPECT_NOT_ERR_OR_NULL(test, msk); refcount_set(&((struct sock *)msk)->sk_refcnt, 1); + sock_net_set((struct sock *)msk, &init_net); return msk; } =20 @@ -74,11 +76,11 @@ static void mptcp_token_test_msk_basic(struct kunit *te= st) mptcp_token_new_connect((struct sock *)icsk)); KUNIT_EXPECT_NE(test, 0, (int)ctx->token); KUNIT_EXPECT_EQ(test, ctx->token, msk->token); - KUNIT_EXPECT_PTR_EQ(test, msk, mptcp_token_get_sock(ctx->token)); + KUNIT_EXPECT_PTR_EQ(test, msk, mptcp_token_get_sock(&init_net, ctx->token= )); KUNIT_EXPECT_EQ(test, 2, (int)refcount_read(&sk->sk_refcnt)); =20 mptcp_token_destroy(msk); - KUNIT_EXPECT_PTR_EQ(test, null_msk, mptcp_token_get_sock(ctx->token)); + KUNIT_EXPECT_PTR_EQ(test, null_msk, mptcp_token_get_sock(&init_net, ctx->= token)); } =20 static void mptcp_token_test_accept(struct kunit *test) 
@@ -90,11 +92,11 @@ static void mptcp_token_test_accept(struct kunit *test) mptcp_token_new_request((struct request_sock *)req)); msk->token =3D req->token; mptcp_token_accept(req, msk); - KUNIT_EXPECT_PTR_EQ(test, msk, mptcp_token_get_sock(msk->token)); + KUNIT_EXPECT_PTR_EQ(test, msk, mptcp_token_get_sock(&init_net, msk->token= )); =20 /* this is now a no-op */ mptcp_token_destroy_request((struct request_sock *)req); - KUNIT_EXPECT_PTR_EQ(test, msk, mptcp_token_get_sock(msk->token)); + KUNIT_EXPECT_PTR_EQ(test, msk, mptcp_token_get_sock(&init_net, msk->token= )); =20 /* cleanup */ mptcp_token_destroy(msk); @@ -116,7 +118,7 @@ static void mptcp_token_test_destroyed(struct kunit *te= st) =20 /* simulate race on removal */ refcount_set(&sk->sk_refcnt, 0); - KUNIT_EXPECT_PTR_EQ(test, null_msk, mptcp_token_get_sock(msk->token)); + KUNIT_EXPECT_PTR_EQ(test, null_msk, mptcp_token_get_sock(&init_net, msk->= token)); =20 /* cleanup */ mptcp_token_destroy(msk); --=20 2.32.0
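Review bot: The changelog only names the syncookie path, yet the callers whose behaviour actually changes are mptcp_diag_dump_one() in mptcp_diag.c and subflow_token_join_request() in subflow.c, where the visible context shows no netns check after the lookup. Please state in the commit message that the diag and join paths could previously obtain an msk from another netns, and, since the message refers to the net tree, add a Fixes: tag so the change can be backported.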
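Review bot: In the syncookies.c hunk at -108, the removed comment ("If this fails, the token got re-used in the mean time by another mptcp socket in a different netns, i.e. entry is outdated.") was the only explanation of why a token can resolve to a socket in another namespace. Carry that explanation over to the new net_eq() test in mptcp_token_get_sock() instead of dropping it, so the reason for the check stays next to the code that performs it.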
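Review bot: In the token.c hunk at -238, the comment above mptcp_token_get_sock() still says it "returns NULL if no connection with the given token value exists", which no longer describes the case where the token matches but !net_eq(sock_net(sk), net) skips the entry. Document the new net parameter and extend the return description to cover a token that exists only in a different netns. The parameter could also be declared const struct net *net, matching mptcp_token_iter_next() in protocol.h, since it is only passed to net_eq().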
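Review bot: Every updated call in token_test.c passes &init_net and both build_req_sock() and build_msk() set &init_net, so the new netns filter is never exercised on its rejecting side. Add a KUnit case that registers an msk under &init_net and then expects null_msk from mptcp_token_get_sock() when called with a different struct net and the same token, and check that sk_refcnt is unchanged afterwards so a leaked reference on the mismatch path would be caught.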