Patch "net/rose: Fix to not accept on connected socket" has been added to the 4.14-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Wed, 15 Feb 2023 11:37:46 -0500

This is a note to let you know that I've just added the patch titled

    net/rose: Fix to not accept on connected socket

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-rose-fix-to-not-accept-on-connected-socket.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 86feed2b6e6d8b2ed21e2884542c517676f93ff1
Author: Hyunwoo Kim <v4bel@xxxxxxxxx>
Date:   Wed Jan 25 02:59:44 2023 -0800

    net/rose: Fix to not accept on connected socket
    
    [ Upstream commit 14caefcf9837a2be765a566005ad82cd0d2a429f ]
    
    If you call listen() and accept() on an already connect()ed
    rose socket, accept() can successfully connect.
    This is because when the peer socket sends data to sendmsg,
    the skb with its own sk stored in the connected socket's
    sk->sk_receive_queue is connected, and rose_accept() dequeues
    the skb waiting in the sk->sk_receive_queue.
    
    This creates a child socket with the sk of the parent
    rose socket, which can cause confusion.
    
    Fix rose_listen() to return -EINVAL if the socket has
    already been successfully connected, and add lock_sock
    to prevent this issue.
    
    Signed-off-by: Hyunwoo Kim <v4bel@xxxxxxxxx>
    Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230125105944.GA133314@ubuntu
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index b53468edf35a6..ac2ea4ebf7c7c 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -490,6 +490,12 @@ static int rose_listen(struct socket *sock, int backlog)
 {
 	struct sock *sk = sock->sk;
 
+	lock_sock(sk);
+	if (sock->state != SS_UNCONNECTED) {
+		release_sock(sk);
+		return -EINVAL;
+	}
+
 	if (sk->sk_state != TCP_LISTEN) {
 		struct rose_sock *rose = rose_sk(sk);
 
@@ -499,8 +505,10 @@ static int rose_listen(struct socket *sock, int backlog)
 		memset(rose->dest_digis, 0, AX25_ADDR_LEN * ROSE_MAX_DIGIS);
 		sk->sk_max_ack_backlog = backlog;
 		sk->sk_state           = TCP_LISTEN;
+		release_sock(sk);
 		return 0;
 	}
+	release_sock(sk);
 
 	return -EOPNOTSUPP;
 }






