The user-space PM subflow removal path uses a couple of helpers
that must be called under the msk socket lock and the current
code lacks such requirement.

Change the existing lock scope so that the relevant code is under
its protection.

Fixes: d9a4594edabf ("mptcp: netlink: Add MPTCP_PM_CMD_REMOVE")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
It should close issues/287, let's see what the CI says
---
 net/mptcp/pm_userspace.c | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/net/mptcp/pm_userspace.c b/net/mptcp/pm_userspace.c
index 3d1d365e9c6f..33be79f0e9c2 100644
--- a/net/mptcp/pm_userspace.c
+++ b/net/mptcp/pm_userspace.c
@@ -307,15 +307,11 @@ static struct sock *mptcp_nl_find_ssk(struct mptcp_sock *msk,
 				      const struct mptcp_addr_info *local,
 				      const struct mptcp_addr_info *remote)
 {
-	struct sock *sk = &msk->sk.icsk_inet.sk;
 	struct mptcp_subflow_context *subflow;
-	struct sock *found = NULL;
 
 	if (local->family != remote->family)
 		return NULL;
 
-	lock_sock(sk);
-
 	mptcp_for_each_subflow(msk, subflow) {
 		const struct inet_sock *issk;
 		struct sock *ssk;
@@ -348,16 +344,11 @@ static struct sock *mptcp_nl_find_ssk(struct mptcp_sock *msk,
 		}
 
 		if (issk->inet_sport == local->port &&
-		    issk->inet_dport == remote->port) {
-			found = ssk;
-			goto found;
-		}
+		    issk->inet_dport == remote->port)
+			return ssk;
 	}
 
-found:
-	release_sock(sk);
-
-	return found;
+	return NULL;
 }
 
 int mptcp_nl_cmd_sf_destroy(struct sk_buff *skb, struct genl_info *info)
@@ -413,6 +404,7 @@ int mptcp_nl_cmd_sf_destroy(struct sk_buff *skb, struct genl_info *info)
 	}
 
 	sk = &msk->sk.icsk_inet.sk;
+	lock_sock(sk);
 	ssk = mptcp_nl_find_ssk(msk, &addr_l, &addr_r);
 	if (ssk) {
 		struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
@@ -424,8 +416,9 @@ int mptcp_nl_cmd_sf_destroy(struct sk_buff *skb, struct genl_info *info)
 	} else {
 		err = -ESRCH;
 	}
+	release_sock(sk);
 
- destroy_err:
+destroy_err:
 	sock_put((struct sock *)msk);
 	return err;
 }
-- 
2.35.3

Hi Paolo, Mat,

On 27/06/2022 11:58, Paolo Abeni wrote:
> The user-space PM subflow removal path uses a couple of helpers
> that must be called under the msk socket lock and the current
> code lacks such requirement.
> 
> Change the existing lock scope so that the relevant code is under
> its protection.
> 
> Fixes: d9a4594edabf ("mptcp: netlink: Add MPTCP_PM_CMD_REMOVE")
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Thank you for the patch and the review!

Now in our tree (fixes for -net) with Mat's RvB tag:

New patches for t/upstream-net:
- 106e35505557: mptcp: fix locking in mptcp_nl_cmd_sf_destroy()
- 52865f3cc71f: tg:msg: add Closes tag
- Results: 93f7e050cd84..d964bfb845c8 (export)

New patches for t/upstream:
- 106e35505557: mptcp: fix locking in mptcp_nl_cmd_sf_destroy()
- 52865f3cc71f: tg:msg: add Closes tag
- Results: 9756359748a6..a972bdf0fdec (export)

Builds and tests are now in progress:

https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export-net/20220628T160121

https://github.com/multipath-tcp/mptcp_net-next/actions/workflows/build-validation.yml?query=branch:export-net
https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export/20220628T160121
https://github.com/multipath-tcp/mptcp_net-next/actions/workflows/build-validation.yml?query=branch:export


> ---
> It should close issues/287, let's see what the CI says


I added the "Closes" tag in the commit message to link the patch with
the issue and automatically close the ticket ;-)

Cheers,
Matt
-- 
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net

On Mon, 27 Jun 2022, Paolo Abeni wrote:

> The user-space PM subflow removal path uses a couple of helpers
> that must be called under the msk socket lock and the current
> code lacks such requirement.
>
> Change the existing lock scope so that the relevant code is under
> its protection.
>
> Fixes: d9a4594edabf ("mptcp: netlink: Add MPTCP_PM_CMD_REMOVE")
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
> It should close issues/287, let's see what the CI says

Thanks for tracking this down, Paolo. Patch looks good, tests are passing 
for me.

Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>

> ---
> net/mptcp/pm_userspace.c | 19 ++++++-------------
> 1 file changed, 6 insertions(+), 13 deletions(-)
>
> diff --git a/net/mptcp/pm_userspace.c b/net/mptcp/pm_userspace.c
> index 3d1d365e9c6f..33be79f0e9c2 100644
> --- a/net/mptcp/pm_userspace.c
> +++ b/net/mptcp/pm_userspace.c
> @@ -307,15 +307,11 @@ static struct sock *mptcp_nl_find_ssk(struct mptcp_sock *msk,
> 				      const struct mptcp_addr_info *local,
> 				      const struct mptcp_addr_info *remote)
> {
> -	struct sock *sk = &msk->sk.icsk_inet.sk;
> 	struct mptcp_subflow_context *subflow;
> -	struct sock *found = NULL;
>
> 	if (local->family != remote->family)
> 		return NULL;
>
> -	lock_sock(sk);
> -
> 	mptcp_for_each_subflow(msk, subflow) {
> 		const struct inet_sock *issk;
> 		struct sock *ssk;
> @@ -348,16 +344,11 @@ static struct sock *mptcp_nl_find_ssk(struct mptcp_sock *msk,
> 		}
>
> 		if (issk->inet_sport == local->port &&
> -		    issk->inet_dport == remote->port) {
> -			found = ssk;
> -			goto found;
> -		}
> +		    issk->inet_dport == remote->port)
> +			return ssk;
> 	}
>
> -found:
> -	release_sock(sk);
> -
> -	return found;
> +	return NULL;
> }
>
> int mptcp_nl_cmd_sf_destroy(struct sk_buff *skb, struct genl_info *info)
> @@ -413,6 +404,7 @@ int mptcp_nl_cmd_sf_destroy(struct sk_buff *skb, struct genl_info *info)
> 	}
>
> 	sk = &msk->sk.icsk_inet.sk;
> +	lock_sock(sk);
> 	ssk = mptcp_nl_find_ssk(msk, &addr_l, &addr_r);
> 	if (ssk) {
> 		struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
> @@ -424,8 +416,9 @@ int mptcp_nl_cmd_sf_destroy(struct sk_buff *skb, struct genl_info *info)
> 	} else {
> 		err = -ESRCH;
> 	}
> +	release_sock(sk);
>
> - destroy_err:
> +destroy_err:
> 	sock_put((struct sock *)msk);
> 	return err;
> }
> -- 
> 2.35.3
>
>
>

--
Mat Martineau
Intel