From: "Matthieu Baerts (NGI0)" <matttbe@xxxxxxxxxx> commit 09355f7abb9fbfc1a240be029837921ea417bf4f upstream. When reacting upon the reception of an ADD_ADDR, the in-kernel PM first looks for fullmesh endpoints. If there are some, it will pick them, using their entry ID. It should set the ID 0 when using the endpoint corresponding to the initial subflow, it is a special case imposed by the MPTCP specs. Note that msk->mpc_endpoint_id might not be set when receiving the first ADD_ADDR from the server. So better to compare the addresses. Fixes: 1a0d6136c5f0 ("mptcp: local addresses fullmesh") Cc: stable@xxxxxxxxxxxxxxx Reviewed-by: Mat Martineau <martineau@xxxxxxxxxx> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx> Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-12-38035d40de5b@xxxxxxxxxx Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> [ Conflicts in pm_netlink.c, because the new 'mpc_addr' variable is added where the 'local' one was, before commit b9d69db87fb7 ("mptcp: let the in-kernel PM use mixed IPv4 and IPv6 addresses"), that is not a candidate for the backports. This 'local' variable has been moved to the new place to reduce the scope, and help with possible future backports. Note that addresses_equal() has been used instead of mptcp_addresses_equal(), renamed in commit 4638de5aefe5 ("mptcp: handle local addrs announced by userspace PMs"), not in this version. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/mptcp/pm_netlink.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -554,7 +554,7 @@ static unsigned int fill_local_addresses { struct sock *sk = (struct sock *)msk; struct mptcp_pm_addr_entry *entry; - struct mptcp_addr_info local; + struct mptcp_addr_info mpc_addr; struct pm_nl_pernet *pernet; unsigned int subflows_max; int i = 0; 
@@ -562,6 +562,8 @@ static unsigned int fill_local_addresses pernet = net_generic(sock_net(sk), pm_nl_pernet_id); subflows_max = mptcp_pm_get_subflows_max(msk); + mptcp_local_address((struct sock_common *)msk, &mpc_addr); + rcu_read_lock(); __mptcp_flush_join_list(msk); list_for_each_entry_rcu(entry, &pernet->local_addr_list, list) { @@ -580,7 +582,13 @@ static unsigned int fill_local_addresses if (msk->pm.subflows < subflows_max) { msk->pm.subflows++; - addrs[i++] = entry->addr; + addrs[i] = entry->addr; + + /* Special case for ID0: set the correct ID */ + if (addresses_equal(&entry->addr, &mpc_addr, entry->addr.port)) + addrs[i].id = 0; + + i++; } } rcu_read_unlock(); @@ -589,6 +597,8 @@ static unsigned int fill_local_addresses * 'IPADDRANY' local address */ if (!i) { + struct mptcp_addr_info local; + memset(&local, 0, sizeof(local)); local.family = msk->pm.remote.family; Patches currently in stable-queue which might be from matttbe@xxxxxxxxxx are queue-5.15/mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch queue-5.15/mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch queue-5.15/mptcp-pm-fullmesh-select-the-right-id-later.patch queue-5.15/mptcp-pm-skip-connecting-to-already-established-sf.patch queue-5.15/mptcp-pm-re-using-id-of-unused-flushed-subflows.patch queue-5.15/mptcp-pm-add_addr-0-is-not-a-new-address.patch queue-5.15/mptcp-constify-a-bunch-of-of-helpers.patch queue-5.15/mptcp-pm-do-not-remove-already-closed-subflows.patch queue-5.15/mptcp-pr_debug-add-missing-n-at-the-end.patch queue-5.15/mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch queue-5.15/mptcp-close-subflow-when-receiving-tcp-fin.patch queue-5.15/mptcp-avoid-duplicated-sub_closed-events.patch queue-5.15/mptcp-pm-send-ack-on-an-active-subflow.patch
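Review bot: in the third hunk (the `addrs[i] = entry->addr;` block), `addresses_equal(&entry->addr, &mpc_addr, entry->addr.port)` passes the endpoint's own port as the use_port flag, so an endpoint configured without a port is matched against the initial-subflow address on address alone, while one configured with a port must match on address and port; if that asymmetry is intended, a short comment saying so would help, and the new `/* Special case for ID0: set the correct ID */` comment could also state the rule it implements (the address used by the initial subflow must carry ID 0 per the MPTCP spec, and `msk->mpc_endpoint_id` may not be set yet when the first ADD_ADDR arrives), which currently lives only in the commit message.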