Patch "tcp: fix possible sk_priority leak in tcp_v4_send_reset()" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 22 May 2023 07:56:47 -0400

This is a note to let you know that I've just added the patch titled

    tcp: fix possible sk_priority leak in tcp_v4_send_reset()

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2a96170d8877cbcac816bec199ead6e25700a730
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date:   Thu May 11 11:47:49 2023 +0000

    tcp: fix possible sk_priority leak in tcp_v4_send_reset()
    
    [ Upstream commit 1e306ec49a1f206fd2cc89a42fac6e6f592a8cc1 ]
    
    When tcp_v4_send_reset() is called with @sk == NULL,
    we do not change ctl_sk->sk_priority, which could have been
    set from a prior invocation.
    
    Change tcp_v4_send_reset() to set sk_priority and sk_mark
    fields before calling ip_send_unicast_reply().
    
    This means tcp_v4_send_reset() and tcp_v4_send_ack()
    no longer have to clear ctl_sk->sk_mark after
    their call to ip_send_unicast_reply().
    
    Fixes: f6c0f5d209fa ("tcp: honor SO_PRIORITY in TIME_WAIT state")
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Cc: Antoine Tenart <atenart@xxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 63472c9b39ae4..db05ab4287e30 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -820,6 +820,9 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
 				   inet_twsk(sk)->tw_priority : sk->sk_priority;
 		transmit_time = tcp_transmit_time(sk);
 		xfrm_sk_clone_policy(ctl_sk, sk);
+	} else {
+		ctl_sk->sk_mark = 0;
+		ctl_sk->sk_priority = 0;
 	}
 	ip_send_unicast_reply(ctl_sk,
 			      skb, &TCP_SKB_CB(skb)->header.h4.opt,
@@ -827,7 +830,6 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
 			      &arg, arg.iov[0].iov_len,
 			      transmit_time);
 
-	ctl_sk->sk_mark = 0;
 	xfrm_sk_free_policy(ctl_sk);
 	sock_net_set(ctl_sk, &init_net);
 	__TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
@@ -926,7 +928,6 @@ static void tcp_v4_send_ack(const struct sock *sk,
 			      &arg, arg.iov[0].iov_len,
 			      transmit_time);
 
-	ctl_sk->sk_mark = 0;
 	sock_net_set(ctl_sk, &init_net);
 	__TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
 	local_bh_enable();






