From: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx>
commit 09355f7abb9fbfc1a240be029837921ea417bf4f upstream.
When reacting upon the reception of an ADD_ADDR, the in-kernel PM first looks for fullmesh endpoints. If there are some, it will pick them, using their entry ID. It should set the ID 0 when using the endpoint corresponding to the initial subflow, it is a special case imposed by the MPTCP specs. Note that msk->mpc_endpoint_id might not be set when receiving the first ADD_ADDR from the server. So better to compare the addresses.
Fixes: 1a0d6136c5f0 ("mptcp: local addresses fullmesh")
Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Mat Martineau <martineau@xxxxxxxxxx>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx>
Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-12-38035d40de5b@xxxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/mptcp/pm_netlink.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -644,6 +644,7 @@ static unsigned int fill_local_addresses
 {
 struct sock *sk = (struct sock *)msk;
 struct mptcp_pm_addr_entry *entry;
+ struct mptcp_addr_info mpc_addr;
 struct pm_nl_pernet *pernet;
 unsigned int subflows_max;
 int i = 0;
@@ -651,6 +652,8 @@ static unsigned int fill_local_addresses
 pernet = pm_nl_get_pernet_from_msk(msk);
 subflows_max = mptcp_pm_get_subflows_max(msk);
+ mptcp_local_address((struct sock_common *)msk, &mpc_addr);
+
 rcu_read_lock();
 list_for_each_entry_rcu(entry, &pernet->local_addr_list, list) {
 if (!(entry->flags & MPTCP_PM_ADDR_FLAG_FULLMESH))
@@ -661,7 +664,13 @@ static unsigned int fill_local_addresses
 if (msk->pm.subflows < subflows_max) {
 msk->pm.subflows++;
- addrs[i++] = entry->addr;
+ addrs[i] = entry->addr;
+
+ /* Special case for ID0: set the correct ID */
+ if (mptcp_addresses_equal(&entry->addr, &mpc_addr, entry->addr.port))
+ addrs[i].id = 0;
+
+ i++;
 }
 }
 rcu_read_unlock();
Patches currently in stable-queue which might be from matttbe@xxxxxxxxxx are
queue-6.6/mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch
queue-6.6/mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch
queue-6.6/mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch
queue-6.6/mptcp-pm-fullmesh-select-the-right-id-later.patch
queue-6.6/selftests-net-lib-kill-pids-before-del-netns.patch
queue-6.6/mptcp-pm-re-using-id-of-unused-flushed-subflows.patch
queue-6.6/selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch
queue-6.6/mptcp-pm-only-mark-subflow-endp-as-available.patch
queue-6.6/selftests-net-lib-ignore-possible-errors.patch
queue-6.6/selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch
queue-6.6/mptcp-pm-re-using-id-of-unused-removed-add_addr.patch
queue-6.6/mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch
queue-6.6/mptcp-pm-re-using-id-of-unused-removed-subflows.patch
queue-6.6/mptcp-correct-mptcp_subflow_attr_ssn_offset-reserved.patch
queue-6.6/mptcp-pm-remove-mptcp_pm_remove_subflow.patch
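Review bot: The comment added above the `mptcp_addresses_equal()` check says what is done but not why the code compares addresses instead of using the stored endpoint ID. The commit message gives the reason, and it belongs next to the code, for example `/* Special case for ID0: compare addresses, msk->mpc_endpoint_id might not be set yet on the first ADD_ADDR */`. The third argument passes `entry->addr.port` where the helper presumably takes a use-port flag, so an endpoint configured without a port matches the initial subflow on address alone. Writing `entry->addr.port != 0`, or adding a few words in the comment, would make that intent visible. The function body starts before and continues after this hunk.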