From: Geliang Tang
To: mptcp@lists.linux.dev
Cc: Geliang Tang
Subject: [PATCH mptcp-next 1/5] tls: add clone callback to prevent NULL crash case
Date: Sat, 30 May 2026 15:50:07 +0800

When a listening socket unintentionally has a TLS ULP attached (e.g., via setsockopt(TCP_ULP, "tls") before accept()), inet_clone_ulp() dereferences ulp_ops->clone. Since tcp_tls_ulp_ops lacked a .clone member, this causes a NULL pointer dereference and kernel panic on accept().

Add tls_clone() that clears the icsk_ulp_data pointer on the newly cloned socket. This prevents the child socket from sharing the parent's TLS context, avoiding use-after-free and double-free issues. The parent's TLS context (used for TOE hardware offload) remains intact, while the child starts without TLS, which is safe because hardware offload handles new connections independently.

This serves as a safety net even though tls_init() normally prevents TLS on listen sockets.

Signed-off-by: Geliang Tang
---
net/tls/tls_main.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index fd39acf41a61..c7ad212c97a0 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c
@@ -1082,6 +1082,15 @@ static int tls_init(struct sock *sk) return rc; } =20 +static void tls_clone(const struct request_sock *req, + struct sock *newsk, + const gfp_t priority) +{ + struct inet_connection_sock *new_icsk =3D inet_csk(newsk); + + rcu_assign_pointer(new_icsk->icsk_ulp_data, NULL); +} + static void tls_update(struct sock *sk, struct proto *p, void (*write_space)(struct sock *sk)) { 
@@ -1231,6 +1240,7 @@ static struct tcp_ulp_ops tcp_tls_ulp_ops __read_most= ly =3D { .name =3D "tls", .owner =3D THIS_MODULE, .init =3D tls_init, + .clone =3D tls_clone, .update =3D tls_update, .get_info =3D tls_get_info, .get_info_size =3D tls_get_info_size, --=20 2.53.0

From: Geliang Tang
To: mptcp@lists.linux.dev
Cc: Geliang Tang
Subject: [PATCH mptcp-next 2/5] tls: init mixed SW/TOE proto to prevent NULL call
Date: Sat, 30 May 2026 15:50:08 +0800

When a TOE socket falls back to software offload, update_sk_prot() accesses prot->prots[TLS_SW][TLS_HW_RECORD] and proto_ops[TLS_SW][TLS_HW_RECORD]. These entries were never initialized, causing NULL function pointers and kernel panic.

Add the missing entries for [TLS_SW][TLS_HW_RECORD] and [TLS_HW_RECORD][TLS_SW] in both build_protos() and build_proto_ops().

Signed-off-by: Geliang Tang
---
net/tls/tls_main.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index c7ad212c97a0..3966cda068f9 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -965,6 +965,9 @@ static void build_proto_ops(struct proto_ops ops[TLS_NU= M_CONFIG][TLS_NUM_CONFIG] #endif #ifdef CONFIG_TLS_TOE ops[TLS_HW_RECORD][TLS_HW_RECORD] =3D *base; + + ops[TLS_SW][TLS_HW_RECORD] =3D *base; + ops[TLS_HW_RECORD][TLS_SW] =3D *base; #endif } =20
@@ -1041,6 +1044,9 @@ static void build_protos(struct proto prot[TLS_NUM_CO= NFIG][TLS_NUM_CONFIG], prot[TLS_HW_RECORD][TLS_HW_RECORD] =3D *base; prot[TLS_HW_RECORD][TLS_HW_RECORD].hash =3D tls_toe_hash; prot[TLS_HW_RECORD][TLS_HW_RECORD].unhash =3D tls_toe_unhash; + + prot[TLS_SW][TLS_HW_RECORD] =3D prot[TLS_SW][TLS_SW]; + prot[TLS_HW_RECORD][TLS_SW] =3D prot[TLS_BASE][TLS_SW]; #endif } =20 --=20 2.53.0

From: Geliang Tang
To: mptcp@lists.linux.dev
Cc: Geliang Tang
Subject: [PATCH mptcp-next 3/5] tls: fix concurrency in TOE device list iterations
Date: Sat, 30 May 2026 15:50:09 +0800

tls_toe_hash() and tls_toe_unhash() iterate over the global device list while temporarily dropping the spinlock to call the device callbacks. If a concurrent tls_toe_unregister_device() removes a device during this window, the list pointers become poisoned (LIST_POISON1/LIST_POISON2), causing a crash when the iteration resumes even if the device object is still referenced via kref.

Fix by replacing the lock-dropping iteration with a safe two-pass approach: first count the number of devices that need the operation, then allocate a dynamic array, collect device pointers under the lock with a reference increment, and finally call the callbacks after the lock is released. This eliminates the window where the list could be mutated while iteration is in progress.

Signed-off-by: Geliang Tang
---
net/tls/tls_toe.c | 63 +++++++++++++++++++++++++++++++++++++++--------
1 file changed, 53 insertions(+), 10 deletions(-)

diff --git a/net/tls/tls_toe.c b/net/tls/tls_toe.c index 825669e1ab47..c588c702296f 100644
--- a/net/tls/tls_toe.c +++ b/net/tls/tls_toe.c 
@@ -84,41 +84,84 @@ int tls_toe_bypass(struct sock *sk) void tls_toe_unhash(struct sock *sk) { struct tls_context *ctx =3D tls_get_ctx(sk); - struct tls_toe_device *dev; + struct tls_toe_device *dev, **devs; + int ndev =3D 0, i =3D 0; + + spin_lock_bh(&device_spinlock); + list_for_each_entry(dev, &device_list, dev_list) { + if (dev->unhash) + ndev++; + } + spin_unlock_bh(&device_spinlock); + + if (!ndev) + goto out; + + devs =3D kmalloc_array(ndev, sizeof(*devs), GFP_KERNEL); + if (!devs) + goto out; =20 spin_lock_bh(&device_spinlock); list_for_each_entry(dev, &device_list, dev_list) { if (dev->unhash) { kref_get(&dev->kref); - spin_unlock_bh(&device_spinlock); - dev->unhash(dev, sk); - kref_put(&dev->kref, dev->release); - spin_lock_bh(&device_spinlock); + devs[i++] =3D dev; } } spin_unlock_bh(&device_spinlock); + + for (i =3D 0; i < ndev; i++) { + dev =3D devs[i]; + dev->unhash(dev, sk); + kref_put(&dev->kref, dev->release); + } + kfree(devs); + +out: ctx->sk_proto->unhash(sk); } =20 int tls_toe_hash(struct sock *sk) { struct tls_context *ctx =3D tls_get_ctx(sk); - struct tls_toe_device *dev; + struct tls_toe_device *dev, **devs; + int ndev =3D 0, i =3D 0; int err; =20 err =3D ctx->sk_proto->hash(sk); + spin_lock_bh(&device_spinlock); + list_for_each_entry(dev, &device_list, dev_list) { + if (dev->hash) + ndev++; + } + spin_unlock_bh(&device_spinlock); + + if (!ndev) + goto out; + + devs =3D kmalloc_array(ndev, sizeof(*devs), GFP_KERNEL); + if (!devs) { + err =3D -ENOMEM; + goto out; + } + spin_lock_bh(&device_spinlock); list_for_each_entry(dev, &device_list, dev_list) { if (dev->hash) { kref_get(&dev->kref); - spin_unlock_bh(&device_spinlock); - err |=3D dev->hash(dev, sk); - kref_put(&dev->kref, dev->release); - spin_lock_bh(&device_spinlock); + devs[i++] =3D dev; } } spin_unlock_bh(&device_spinlock); =20 + for (i =3D 0; i < ndev; i++) { + dev =3D devs[i]; + err |=3D dev->hash(dev, sk); + kref_put(&dev->kref, dev->release); + } + kfree(devs); + +out: if (err) 
tls_toe_unhash(sk); return err; --=20 2.53.0

From: Geliang Tang
To: mptcp@lists.linux.dev
Cc: Geliang Tang
Subject: [PATCH mptcp-next 4/5] tcp: add socket lock to TCP_ULP getsockopt safely
Date: Sat, 30 May 2026 15:50:10 +0800

When handling TCP_ULP getsockopt, do_tcp_getsockopt() accesses icsk->icsk_ulp_ops without holding the socket lock. A concurrent connect(AF_UNSPEC) (or other operation that calls tcp_cleanup_ulp()) can set icsk_ulp_ops to NULL and release the module reference. If this occurs between the NULL check and the dereference of ->name, the kernel may access a NULL pointer or a stale pointer, leading to a crash or use-after-free.

Extract the TCP_ULP getsockopt logic into a helper tcp_sock_get_ulp() and wrap the call with lock_sock()/release_sock() to ensure the ULP operation is protected against concurrent modification.

Signed-off-by: Geliang Tang
---
net/ipv4/tcp.c | 44 +++++++++++++++++++++++++++++---------------
1 file changed, 29 insertions(+), 15 deletions(-)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index a058f350a759..c01f97d5dfe8 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c
@@ -4481,6 +4481,28 @@ struct sk_buff *tcp_get_timestamping_opt_stats(const= struct sock *sk, return stats; } =20 +static int tcp_sock_get_ulp(struct sock *sk, sockptr_t optval, + sockptr_t optlen) +{ + struct inet_connection_sock *icsk =3D inet_csk(sk); + int len; + + if (copy_from_sockptr(&len, optlen, sizeof(int))) + return -EFAULT; + len =3D min_t(unsigned int, len, TCP_ULP_NAME_MAX); + if (!icsk->icsk_ulp_ops) { + len =3D 0; + if (copy_to_sockptr(optlen, &len, sizeof(int))) + return -EFAULT; + return 0; + } + if (copy_to_sockptr(optlen, &len, sizeof(int))) + return -EFAULT; + if (copy_to_sockptr(optval, icsk->icsk_ulp_ops->name, len)) + return -EFAULT; + return 0; +} + int do_tcp_getsockopt(struct sock *sk, int level, int optname, sockptr_t optval, sockptr_t optlen) { 
@@ -4589,22 +4611,14 @@ int do_tcp_getsockopt(struct sock *sk, int level, return -EFAULT; return 0; =20 - case TCP_ULP: - if (copy_from_sockptr(&len, optlen, sizeof(int))) - return -EFAULT; - len =3D min_t(unsigned int, len, TCP_ULP_NAME_MAX); - if (!icsk->icsk_ulp_ops) { - len =3D 0; - if (copy_to_sockptr(optlen, &len, sizeof(int))) - return -EFAULT; - return 0; - } - if (copy_to_sockptr(optlen, &len, sizeof(int))) - return -EFAULT; - if (copy_to_sockptr(optval, icsk->icsk_ulp_ops->name, len)) - return -EFAULT; - return 0; + case TCP_ULP: { + int err; =20 + lock_sock(sk); + err =3D tcp_sock_get_ulp(sk, optval, optlen); + release_sock(sk); + return err; + } case TCP_FASTOPEN_KEY: { u64 key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(u64)]; unsigned int key_len; --=20 2.53.0

From: Geliang Tang
To: mptcp@lists.linux.dev
Cc: Geliang Tang
Subject: [PATCH mptcp-next 5/5] tcp: fix ULP diag race by RCU read locks properly
Date: Sat, 30 May 2026 15:50:11 +0800
Message-ID: <9c48fe51896f77bb03aca1c3511d88f85bb99736.1780127277.git.tanggeliang@kylinos.cn>

Protect icsk->icsk_ulp_ops access in TCP diag with RCU read lock and rcu_dereference(). Use smp_store_release() when clearing the pointer in tcp_cleanup_ulp() to pair with readers, preventing use-after-free when a socket is aborted concurrently with a diag dump.

Signed-off-by: Geliang Tang
---
net/ipv4/tcp_diag.c | 15 ++++++++-------
net/ipv4/tcp_ulp.c | 14 ++++++++------
2 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/net/ipv4/tcp_diag.c b/net/ipv4/tcp_diag.c index ba1fdbe9807f..6580bb8d190a 100644 --- a/net/ipv4/tcp_diag.c +++ b/net/ipv4/tcp_diag.c
@@ -133,14 +133,13 @@ static int tcp_diag_get_aux(struct sock *sk, bool net= _admin, } #endif =20 - ulp_ops =3D icsk->icsk_ulp_ops; - if (ulp_ops) { + rcu_read_lock(); + ulp_ops =3D rcu_dereference(icsk->icsk_ulp_ops); + if (ulp_ops) err =3D tcp_diag_put_ulp(skb, sk, ulp_ops, net_admin); - if (err < 0) - return err; - } + rcu_read_unlock(); =20 - return 0; + return err; } =20 static size_t tcp_diag_get_aux_size(struct sock *sk, bool net_admin) @@ -169,13 +168,15 @@ static size_t tcp_diag_get_aux_size(struct sock *sk, = bool net_admin) if (sk_fullsock(sk)) { const struct tcp_ulp_ops *ulp_ops; =20 - ulp_ops =3D icsk->icsk_ulp_ops; + rcu_read_lock(); + ulp_ops =3D rcu_dereference(icsk->icsk_ulp_ops); if (ulp_ops) { size +=3D nla_total_size(0) + nla_total_size(TCP_ULP_NAME_MAX); if (ulp_ops->get_info_size) size +=3D ulp_ops->get_info_size(sk, net_admin); } + rcu_read_unlock(); } =20 return size diff --git a/net/ipv4/tcp_ulp.c b/net/ipv4/tcp_ulp.c index 2aa442128630..aa7fed4ffff2 100644 --- a/net/ipv4/tcp_ulp.c +++ b/net/ipv4/tcp_ulp.c @@ -112,19 +112,21 @@ void tcp_update_ulp(struct sock *sk, struct proto *pr= oto, void tcp_cleanup_ulp(struct sock *sk) { struct inet_connection_sock *icsk =3D inet_csk(sk); + const struct tcp_ulp_ops *ulp_ops; =20 /* No sock_owned_by_me() check here as at the time the * stack calls this function, the socket is dead and * about to be destroyed. */ - if (!icsk->icsk_ulp_ops) + ulp_ops =3D icsk->icsk_ulp_ops; + if (!ulp_ops) return; =20 - if (icsk->icsk_ulp_ops->release) - icsk->icsk_ulp_ops->release(sk); - module_put(icsk->icsk_ulp_ops->owner); - - icsk->icsk_ulp_ops =3D NULL; + if (ulp_ops->release) + ulp_ops->release(sk); + /* Pairs with rcu_dereference() in tcp_diag readers. */ + smp_store_release(&icsk->icsk_ulp_ops, NULL); + module_put(ulp_ops->owner); } =20 static int __tcp_set_ulp(struct sock *sk, const struct tcp_ulp_ops *ulp_op= s) --=20 2.53.0
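
Review bot: The child socket keeps the "tls" ops with a NULL context after tls_clone() in patch 1/5, because the function resets only new_icsk->icsk_ulp_data and never touches the child's icsk_ulp_ops. Nothing in the patch shows that the other callbacks listed in tcp_tls_ulp_ops (.update, .get_info, .get_info_size) tolerate a NULL context on such a child; either add the NULL checks, or add a comment above tls_clone() naming the code path that detaches the ops from the child. The req and priority parameters are unused, which deserves a one-line comment as well.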
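
Review bot: The two mixed entries added to build_protos() in patch 2/5 lose the TOE hash hooks: they are copied from prot[TLS_SW][TLS_SW] and prot[TLS_BASE][TLS_SW], so neither gets the .hash = tls_toe_hash and .unhash = tls_toe_unhash overrides that prot[TLS_HW_RECORD][TLS_HW_RECORD] receives just above. If a socket in a mixed SW/TOE configuration can still be hashed or unhashed, the TOE device callbacks are skipped; set them, or add a comment explaining why they are not needed. The matching slots in build_proto_ops() are filled with plain *base rather than copied from a software row, and that asymmetry with build_protos() needs a comment too.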
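
Review bot: The device list can change between the two passes in tls_toe_unhash() and tls_toe_hash() (patch 3/5), because device_spinlock is dropped after counting and retaken for collecting. If a device is registered in that window, devs[i++] = dev writes past the ndev entries allocated by kmalloc_array(); if one is removed, the loop for (i = 0; i < ndev; i++) reads uninitialised slots and calls through them. Stop collecting once i == ndev and run the callback loop only up to the number actually collected. Separately, when kmalloc_array() fails in tls_toe_unhash() the per-device unhash callbacks are skipped silently, and in tls_toe_hash() err = -ENOMEM overwrites the result of ctx->sk_proto->hash(sk).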
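
Review bot: The locking requirement of tcp_sock_get_ulp() in patch 4/5 is undocumented: the helper reads icsk->icsk_ulp_ops twice (the NULL check and the ->name copy) and is only safe when the caller holds the socket lock. Add a comment above the helper, or a sock_owned_by_me(sk) check at its top, so a future caller cannot use it unlocked. The helper also performs three user-memory copies while the lock is held; copying the name into a local buffer of TCP_ULP_NAME_MAX bytes under the lock and calling copy_to_sockptr() after release_sock() would keep the critical section short.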
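
Review bot: The new return err at the end of tcp_diag_get_aux() in patch 5/5 depends on err being 0 when no ULP is attached, but in the visible lines err is assigned only inside if (ulp_ops), where the old code returned 0 explicitly. Initialise err to 0 before rcu_read_lock(), or keep the explicit return 0 for the no-ULP case. Both tcp_diag.c hunks now call into the ULP (tcp_diag_put_ulp() and ulp_ops->get_info_size()) inside the RCU read-side section, so the commit message should state that these callbacks never sleep.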
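
Review bot: There is no grace period between clearing the pointer and dropping the module reference in tcp_cleanup_ulp() (patch 5/5): module_put(ulp_ops->owner) follows smp_store_release(&icsk->icsk_ulp_ops, NULL) directly, so a tcp_diag reader that already fetched the pointer under rcu_read_lock() can still be using ulp_ops when the reference goes away. ulp_ops->release(sk) also runs before the pointer is cleared, so such a reader can call into the ULP after its state was released. Explain in the commit message what keeps the ops and the ULP state alive for those readers, or defer the put past a grace period; if the field is meant to be RCU-managed, rcu_assign_pointer() or RCU_INIT_POINTER() with an __rcu annotation would match the rcu_dereference() on the reader side.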