mptcp: tentative fix for issues246 &&

[PATCH mptcp-net 0/2] mptcp: tentative fix for issues246 &&

Paolo Abeni posted 2 patches 1 year, 2 months ago

Download series mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/multipath-tcp/mptcp_net-next tags/patchew/cover.1675892307.git.pabeni@redhat.com

Maintainers: Matthieu Baerts <matthieu.baerts@tessares.net>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>

net/mptcp/protocol.c | 27 ++++++++-----
net/mptcp/protocol.h |  4 +-
net/mptcp/subflow.c  | 91 +++++---------------------------------------
3 files changed, 28 insertions(+), 94 deletions(-)

Expand all Fold all

[PATCH mptcp-net 0/2] mptcp: tentative fix for issues246 &&

Posted by Paolo Abeni 1 year, 2 months ago

Sharing these very early, because I can't reproduce the issues locally.
Even the commit messages are early draft.

@Christoph could you please check the relevant repros here?

I *think* there still some refcount problem to address in the new code,
any sharp eyes more then welcome ;)

Targeting -net even if bases on top of corrent mptcp-next, as
the merge window is almost imminent.

Paolo Abeni (2):
  mptcp: use the workqueue to destroy unaccepted sockets.
  mptcp: fix UaF in listener shutdown

 net/mptcp/protocol.c | 27 ++++++++-----
 net/mptcp/protocol.h |  4 +-
 net/mptcp/subflow.c  | 91 +++++---------------------------------------
 3 files changed, 28 insertions(+), 94 deletions(-)

-- 
2.39.1

Re: [PATCH mptcp-net 0/2] mptcp: tentative fix for issues246 &&

Posted by Christoph Paasch 1 year, 2 months ago


> On Feb 8, 2023, at 1:44 PM, Paolo Abeni <pabeni@redhat.com> wrote:
> 
> Sharing these very early, because I can't reproduce the issues locally.
> Even the commit messages are early draft.
> 
> @Christoph could you please check the relevant repros here?
> 
> I *think* there still some refcount problem to address in the new code,
> any sharp eyes more then welcome ;)
> 
> Targeting -net even if bases on top of corrent mptcp-next, as
> the merge window is almost imminent.
> 
> Paolo Abeni (2):
>  mptcp: use the workqueue to destroy unaccepted sockets.
>  mptcp: fix UaF in listener shutdown
> 
> net/mptcp/protocol.c | 27 ++++++++-----
> net/mptcp/protocol.h |  4 +-
> net/mptcp/subflow.c  | 91 +++++---------------------------------------
> 3 files changed, 28 insertions(+), 94 deletions(-)

I was able to get a new reproducer for a UaF read in subflow_error_report.

Your patches (with the schedule-work fix) indeed fix the KASAN-issue.

Tested-by: Christoph Paasch <cpaasch@apple.com>


Christoph

Re: [PATCH mptcp-net 0/2] mptcp: tentative fix for issues246 &&

Posted by Christoph Paasch 1 year, 2 months ago

> On Feb 8, 2023, at 1:44 PM, Paolo Abeni <pabeni@redhat.com> wrote:
> 
> Sharing these very early, because I can't reproduce the issues locally.
> Even the commit messages are early draft.

Turns out I can’t repro either (neither with the syzkaller-repro nor with the c-repro). All I have is the syzkaller report…

I will update my syzkaller kernel and also apply Kuniyuki’s patch and run syzkaller again.


Christoph

> 
> @Christoph could you please check the relevant repros here?
> 
> I *think* there still some refcount problem to address in the new code,
> any sharp eyes more then welcome ;)
> 
> Targeting -net even if bases on top of corrent mptcp-next, as
> the merge window is almost imminent.
> 
> Paolo Abeni (2):
>  mptcp: use the workqueue to destroy unaccepted sockets.
>  mptcp: fix UaF in listener shutdown
> 
> net/mptcp/protocol.c | 27 ++++++++-----
> net/mptcp/protocol.h |  4 +-
> net/mptcp/subflow.c  | 91 +++++---------------------------------------
> 3 files changed, 28 insertions(+), 94 deletions(-)
> 
> -- 
> 2.39.1
> 
>