mptcp: fix msk traversal in mptcp_nl_cmd_set_flags()
authorPaolo Abeni <pabeni@redhat.com>
Fri, 21 Jan 2022 00:35:27 +0000 (16:35 -0800)
committerJakub Kicinski <kuba@kernel.org>
Fri, 21 Jan 2022 04:24:01 +0000 (20:24 -0800)
The MPTCP endpoint list is under RCU protection, guarded by the
pernet spinlock. mptcp_nl_cmd_set_flags() traverses the list
without acquiring the spinlock and outside any RCU critical section.

This change addresses the issue by performing the lookup and the endpoint
update under the pernet spinlock.

Fixes: 0f9f696a502e ("mptcp: add set_flags command in PM netlink")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/mptcp/pm_netlink.c

index 75af1f701e1d1fe93be901a569dd820d1ad01a9a..f17a09f7fbf97df53b2806f0c31ce4e8bc31797c 100644 (file)
@@ -478,6 +478,20 @@ __lookup_addr_by_id(struct pm_nl_pernet *pernet, unsigned int id)
        return NULL;
 }
 
+static struct mptcp_pm_addr_entry *
+__lookup_addr(struct pm_nl_pernet *pernet, const struct mptcp_addr_info *info,
+             bool lookup_by_id)
+{
+       struct mptcp_pm_addr_entry *entry;
+
+       list_for_each_entry(entry, &pernet->local_addr_list, list) {
+               if ((!lookup_by_id && addresses_equal(&entry->addr, info, true)) ||
+                   (lookup_by_id && entry->addr.id == info->id))
+                       return entry;
+       }
+       return NULL;
+}
+
 static int
 lookup_id_by_addr(struct pm_nl_pernet *pernet, const struct mptcp_addr_info *addr)
 {
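Review bot: `__lookup_addr()` walks `pernet->local_addr_list` with plain `list_for_each_entry()` and returns a pointer into the list, so it is only safe while the caller holds `pernet->lock`, yet nothing in the helper states or checks that. Adding `lockdep_assert_held(&pernet->lock);` as the first statement, or at least a `/* caller must hold pernet->lock */` comment above the definition, would make the locking contract explicit. It would also let lockdep flag a future caller that repeats the unlocked traversal this commit fixes. The comment should also say that the returned entry must not be dereferenced once the lock is dropped.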
@@ -1763,18 +1777,21 @@ static int mptcp_nl_cmd_set_flags(struct sk_buff *skb, struct genl_info *info)
                        return -EOPNOTSUPP;
        }
 
-       list_for_each_entry(entry, &pernet->local_addr_list, list) {
-               if ((!lookup_by_id && addresses_equal(&entry->addr, &addr.addr, true)) ||
-                   (lookup_by_id && entry->addr.id == addr.addr.id)) {
-                       mptcp_nl_addr_backup(net, &entry->addr, bkup);
-
-                       if (bkup)
-                               entry->flags |= MPTCP_PM_ADDR_FLAG_BACKUP;
-                       else
-                               entry->flags &= ~MPTCP_PM_ADDR_FLAG_BACKUP;
-               }
+       spin_lock_bh(&pernet->lock);
+       entry = __lookup_addr(pernet, &addr.addr, lookup_by_id);
+       if (!entry) {
+               spin_unlock_bh(&pernet->lock);
+               return -EINVAL;
        }
 
+       if (bkup)
+               entry->flags |= MPTCP_PM_ADDR_FLAG_BACKUP;
+       else
+               entry->flags &= ~MPTCP_PM_ADDR_FLAG_BACKUP;
+       addr = *entry;
+       spin_unlock_bh(&pernet->lock);
+
+       mptcp_nl_addr_backup(net, &addr.addr, bkup);
        return 0;
 }
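Review bot: The new not-found path returns `-EINVAL` where the old loop fell through to `return 0`, and it sets no extack message, so userspace receives a bare error with no reason. Consider adding `GENL_SET_ERR_MSG(info, "address not found");` on that path, and noting the return-code change in the commit message in case existing tooling relied on the old success return. Separately, `addr = *entry;` copies the whole entry, including its `list` node pointers, into the stack local although only `addr.addr` is read afterwards; `addr.addr = entry->addr;` would snapshot just what `mptcp_nl_addr_backup()` needs. The function begins outside this hunk, so the type of `addr` is inferred from its uses here.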