Commit 0154b949 authored by Jakub Kicinski's avatar Jakub Kicinski

Merge branch 'mptcp-fixes-addressing-syzbot-reports'

Matthieu Baerts says:

====================
mptcp: fixes addressing syzbot reports

Recently, a few issues linked to MPTCP have been reported by syzbot. All
the remaining ones are addressed in this series.

- Patch 1: Address "KMSAN: uninit-value in mptcp_incoming_options (2)".
  A fix for v5.11.

- Patch 2: Address "WARNING in mptcp_pm_nl_set_flags (2)". A fix for
  v5.18.

- Patch 3: Address "WARNING in __mptcp_clean_una (2)". A fix for v6.4,
  backported up to v6.1.
====================

Link: https://patch.msgid.link/20250123-net-mptcp-syzbot-issues-v1-0-af73258a726f@kernel.org


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 19e65c45 619af16b
+5 −8
@@ -108,7 +108,6 @@ static void mptcp_parse_option(const struct sk_buff *skb,
			mp_opt->suboptions |= OPTION_MPTCP_DSS;
			mp_opt->use_map = 1;
			mp_opt->mpc_map = 1;
			mp_opt->use_ack = 0;
			mp_opt->data_len = get_unaligned_be16(ptr);
			ptr += 2;
		}
@@ -157,11 +156,6 @@ static void mptcp_parse_option(const struct sk_buff *skb,
		pr_debug("DSS\n");
		ptr++;

		/* we must clear 'mpc_map' be able to detect MP_CAPABLE
		 * map vs DSS map in mptcp_incoming_options(), and reconstruct
		 * map info accordingly
		 */
		mp_opt->mpc_map = 0;
		flags = (*ptr++) & MPTCP_DSS_FLAG_MASK;
		mp_opt->data_fin = (flags & MPTCP_DSS_DATA_FIN) != 0;
		mp_opt->dsn64 = (flags & MPTCP_DSS_DSN64) != 0;
@@ -369,8 +363,11 @@ void mptcp_get_options(const struct sk_buff *skb,
	const unsigned char *ptr;
	int length;

	/* initialize option status */
	mp_opt->suboptions = 0;
	/* Ensure that casting the whole status to u32 is efficient and safe */
	BUILD_BUG_ON(sizeof_field(struct mptcp_options_received, status) != sizeof(u32));
	BUILD_BUG_ON(!IS_ALIGNED(offsetof(struct mptcp_options_received, status),
				 sizeof(u32)));
	*(u32 *)&mp_opt->status = 0;

	length = (th->doff * 4) - sizeof(struct tcphdr);
	ptr = (const unsigned char *)(th + 1);
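Review bot: The new comment above `*(u32 *)&mp_opt->status = 0;` in mptcp_get_options() explains why the cast is safe but not why the whole group has to be cleared. This commit also drops the per-branch resets (`use_ack = 0` in the MP_CAPABLE path, `mpc_map = 0` and its comment in the DSS path) that used to carry that reasoning. I would add something like `/* Clear all status bits: the other fields are not initialised here and must only be read when the matching bit is set */` so the invariant behind the KMSAN report stays written down. Presumably every reader in mptcp_incoming_options() follows that rule, but it is worth confirming for fields outside the group such as `data_len` and `csum`. Both functions start and end outside the hunks shown.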
+2 −1
@@ -2020,7 +2020,8 @@ int mptcp_pm_nl_set_flags(struct sk_buff *skb, struct genl_info *info)
		return -EINVAL;
	}
	if ((addr.flags & MPTCP_PM_ADDR_FLAG_FULLMESH) &&
	    (entry->flags & MPTCP_PM_ADDR_FLAG_SIGNAL)) {
	    (entry->flags & (MPTCP_PM_ADDR_FLAG_SIGNAL |
			     MPTCP_PM_ADDR_FLAG_IMPLICIT))) {
		spin_unlock_bh(&pernet->lock);
		GENL_SET_ERR_MSG(info, "invalid addr flags");
		return -EINVAL;
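Review bot: The widened check in mptcp_pm_nl_set_flags() now also refuses FULLMESH on entries carrying MPTCP_PM_ADDR_FLAG_IMPLICIT, but nothing at the condition says why that combination is invalid. A short comment such as `/* fullmesh only applies to explicitly configured subflow endpoints, not signal or implicit ones */` would help; the wording is my reading of the flags and should be confirmed. This path handles a netlink request and the series lists it as a syzbot WARNING, so it is worth checking that the code creating endpoints enforces the same rule; that code is not visible here. The function body continues outside the hunk.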
+3 −1
@@ -1767,9 +1767,11 @@ static int mptcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg,
		 * see mptcp_disconnect().
		 * Attempt it again outside the problematic scope.
		 */
		if (!mptcp_disconnect(sk, 0))
		if (!mptcp_disconnect(sk, 0)) {
			sk->sk_disconnects++;
			sk->sk_socket->state = SS_UNCONNECTED;
		}
	}
	inet_clear_bit(DEFER_CONNECT, sk);

	return ret;
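Review bot: The added `sk->sk_disconnects++;` in mptcp_sendmsg_fastopen() has no explanation, and the existing comment above it only covers why mptcp_disconnect() is retried. A one-line comment such as `/* record the disconnect so code that slept without the socket lock can detect it */` would make the intent clear; that reading is inferred from the field name and should be confirmed. A non-zero return from mptcp_disconnect() is still dropped silently here, so `sk->sk_socket->state` is apparently left unchanged in that case; if that is intentional, the same comment should say so. The function starts outside the hunk.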
+16 −14
@@ -149,9 +149,8 @@ struct mptcp_options_received {
	u32	subflow_seq;
	u16	data_len;
	__sum16	csum;
	struct_group(status,
		u16 suboptions;
	u32	token;
	u32	nonce;
		u16 use_map:1,
		    dsn64:1,
		    data_fin:1,
@@ -164,7 +163,10 @@ struct mptcp_options_received {
		    backup:1,
		    deny_join_id0:1,
		    __unused:2;
	);
	u8	join_id;
	u32	token;
	u32	nonce;
	u64	thmac;
	u8	hmac[MPTCPOPT_HMAC_LEN];
	struct mptcp_addr_info addr;
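Review bot: `struct_group(status, ...)` in struct mptcp_options_received now carries a layout contract that is only enforced from the other file in this commit. The BUILD_BUG_ON checks in mptcp_get_options() require the group to be exactly sizeof(u32) and u32-aligned. I would put a comment on the group itself, e.g. `/* status: must stay 32 bits and u32-aligned, cleared with a single store in mptcp_get_options() */`, so someone adding a flag beyond `__unused:2` sees the constraint before the build breaks. The struct definition starts and ends outside the hunks.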