[Question] about backport commit ("net/ulp: prevent ULP without clone op from entering the LISTEN status") in stable-4.19.x

Hi, 

When I was working on CVE-2023-0461, I found the backport commit below in stable-4.19.x; maybe something is wrong with it?

755193f2523c ("net/ulp: prevent ULP without clone op from entering the LISTEN status") 

1. err = -EADDRINUSE in inet_csk_listen_start() was removed. But it is the error code when get_port() fails.
2. The change in __tcp_set_ulp() should not be discarded?

Can I modify the patch like below?

diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 0a69f92da71b..3ed2f753628e 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -903,11 +903,25 @@ void inet_csk_prepare_forced_close(struct sock *sk)
 }
 EXPORT_SYMBOL(inet_csk_prepare_forced_close);
 
+static int inet_ulp_can_listen(const struct sock *sk)
+{
+       const struct inet_connection_sock *icsk = inet_csk(sk);
+
+       if (icsk->icsk_ulp_ops)
+               return -EINVAL;
+
+       return 0;
+}
+
 int inet_csk_listen_start(struct sock *sk, int backlog)
 {
        struct inet_connection_sock *icsk = inet_csk(sk);
        struct inet_sock *inet = inet_sk(sk);
-       int err = -EADDRINUSE;
+       int err;
+
+       err = inet_ulp_can_listen(sk);
+       if (unlikely(err))
+               return err;
 
        reqsk_queue_alloc(&icsk->icsk_accept_queue);
 
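Review bot: inet_ulp_can_listen() tests only `icsk->icsk_ulp_ops`, so it returns -EINVAL for every socket that has a ULP attached, while the commit subject speaks of a "ULP without clone op". If that broader check is intentional for this tree, add a comment above the helper or a line in the commit message saying why no clone test appears here. The early return is placed before reqsk_queue_alloc(), so nothing needs undoing on that path. Note also that `int err;` is now uninitialized between this check and the later assignment, so any new return path added in that range must set it explicitly.
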
@@ -921,6 +935,7 @@ int inet_csk_listen_start(struct sock *sk, int backlog)
         * after validation is complete.
         */
        inet_sk_state_store(sk, TCP_LISTEN);
+       err = -EADDRINUSE;
        if (!sk->sk_prot->get_port(sk, inet->inet_num)) {
                inet->inet_sport = htons(inet->inet_num);
 
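Review bot: The added `err = -EADDRINUSE;` has no comment and is the only thing giving `err` a value once the initializer in the declaration is gone, so it must stay directly ahead of the `if (!sk->sk_prot->get_port(sk, inet->inet_num))` test. State in the commit message that this line restores the error code for a get_port() failure, which is the regression the mail describes, so a later cleanup does not drop it again.
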
diff --git a/net/ipv4/tcp_ulp.c b/net/ipv4/tcp_ulp.c
index a5995bb2eaca..437987be68be 100644
--- a/net/ipv4/tcp_ulp.c
+++ b/net/ipv4/tcp_ulp.c
@@ -152,6 +152,11 @@ int tcp_set_ulp(struct sock *sk, const char *name)
                return -ENOENT;
        }
 
+       if (sk->sk_state == TCP_LISTEN) {
+               module_put(ulp_ops->owner);
+               return -EINVAL
+       }
+
        err = ulp_ops->init(sk);
        if (err) {
                module_put(ulp_ops->owner);
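
Review bot: `return -EINVAL` in the new `sk->sk_state == TCP_LISTEN` block is missing its terminating semicolon, so this hunk will not compile as posted. The module_put() before the return correctly drops the reference held at this point, matching the ulp_ops->init() failure path just below. The hunk header names tcp_set_ulp() while the mail refers to __tcp_set_ulp(); confirm the check lands in the function that the setsockopt path actually reaches in this tree.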


