Patch "tcp: Fix bind() regression for v6-only wildcard and v4(-mapped-v6) non-wildcard addresses." has been added to the 6.1-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    tcp: Fix bind() regression for v6-only wildcard and v4(-mapped-v6) non-wildcard addresses.

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tcp-fix-bind-regression-for-v6-only-wildcard-and-v4-.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 961f27c6b980bd03433c02a3b405cc917c093f0f
Author: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
Date:   Tue Mar 26 13:42:45 2024 -0700

    tcp: Fix bind() regression for v6-only wildcard and v4(-mapped-v6) non-wildcard addresses.
    
    [ Upstream commit d91ef1e1b55f730bee8ce286b02b7bdccbc42973 ]
    
    Jianguo Wu reported another bind() regression introduced by bhash2.
    
    Calling bind() for the following 3 addresses on the same port, the
    3rd one should fail but now succeeds.
    
      1. 0.0.0.0 or ::ffff:0.0.0.0
      2. [::] w/ IPV6_V6ONLY
      3. IPv4 non-wildcard address or v4-mapped-v6 non-wildcard address
    
    The first two bind() create tb2 like this:
    
      bhash2 -> tb2(:: w/ IPV6_V6ONLY) -> tb2(0.0.0.0)
    
    The 3rd bind() will match with the IPv6 only wildcard address bucket
    in inet_bind2_bucket_match_addr_any(), however, no conflicting socket
    exists in the bucket.  So, inet_bhash2_conflict() will returns false,
    and thus, inet_bhash2_addr_any_conflict() returns false consequently.
    
    As a result, the 3rd bind() bypasses conflict check, which should be
    done against the IPv4 wildcard address bucket.
    
    So, in inet_bhash2_addr_any_conflict(), we must iterate over all buckets.
    
    Note that we cannot add ipv6_only flag for inet_bind2_bucket as it
    would confuse the following patetrn.
    
      1. [::] w/ SO_REUSE{ADDR,PORT} and IPV6_V6ONLY
      2. [::] w/ SO_REUSE{ADDR,PORT}
      3. IPv4 non-wildcard address or v4-mapped-v6 non-wildcard address
    
    The first bind() would create a bucket with ipv6_only flag true,
    the second bind() would add the [::] socket into the same bucket,
    and the third bind() could succeed based on the wrong assumption
    that ipv6_only bucket would not conflict with v4(-mapped-v6) address.
    
    Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address")
    Diagnosed-by: Jianguo Wu <wujianguo106@xxxxxxx>
    Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240326204251.51301-3-kuniyu@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index f7832d4253820..8407098a59391 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -289,6 +289,7 @@ static bool inet_bhash2_addr_any_conflict(const struct sock *sk, int port, int l
 	struct sock_reuseport *reuseport_cb;
 	struct inet_bind_hashbucket *head2;
 	struct inet_bind2_bucket *tb2;
+	bool conflict = false;
 	bool reuseport_cb_ok;
 
 	rcu_read_lock();
@@ -301,18 +302,20 @@ static bool inet_bhash2_addr_any_conflict(const struct sock *sk, int port, int l
 
 	spin_lock(&head2->lock);
 
-	inet_bind_bucket_for_each(tb2, &head2->chain)
-		if (inet_bind2_bucket_match_addr_any(tb2, net, port, l3mdev, sk))
-			break;
+	inet_bind_bucket_for_each(tb2, &head2->chain) {
+		if (!inet_bind2_bucket_match_addr_any(tb2, net, port, l3mdev, sk))
+			continue;
 
-	if (tb2 && inet_bhash2_conflict(sk, tb2, uid, relax, reuseport_cb_ok,
-					reuseport_ok)) {
-		spin_unlock(&head2->lock);
-		return true;
+		if (!inet_bhash2_conflict(sk, tb2, uid, relax, reuseport_cb_ok,	reuseport_ok))
+			continue;
+
+		conflict = true;
+		break;
 	}
 
 	spin_unlock(&head2->lock);
-	return false;
+
+	return conflict;
 }
 
 /*




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux