Commit 0c02e0c3 authored Aug 16, 2018 by Daniel Borkmann Committed by Greg Kroah-Hartman Sep 15, 2018

tcp, ulp: add alias for all ulp modules



[ Upstream commit 037b0b86ecf5646f8eae777d8b52ff8b401692ec ]

Lets not turn the TCP ULP lookup into an arbitrary module loader as
we only intend to load ULP modules through this mechanism, not other
unrelated kernel modules:

  [root@bar]# cat foo.c
  #include <sys/types.h>
  #include <sys/socket.h>
  #include <linux/tcp.h>
  #include <linux/in.h>

  int main(void)
  {
      int sock = socket(PF_INET, SOCK_STREAM, 0);
      setsockopt(sock, IPPROTO_TCP, TCP_ULP, "sctp", sizeof("sctp"));
      return 0;
  }

  [root@bar]# gcc foo.c -O2 -Wall
  [root@bar]# lsmod | grep sctp
  [root@bar]# ./a.out
  [root@bar]# lsmod | grep sctp
  sctp                 1077248  4
  libcrc32c              16384  3 nf_conntrack,nf_nat,sctp
  [root@bar]#

Fix it by adding module alias to TCP ULP modules, so probing module
via request_module() will be limited to tcp-ulp-[name]. The existing
modules like kTLS will load fine given tcp-ulp-tls alias, but others
will fail to load:

  [root@bar]# lsmod | grep sctp
  [root@bar]# ./a.out
  [root@bar]# lsmod | grep sctp
  [root@bar]#

Sockmap is not affected from this since it's either built-in or not.

Fixes: 734942cc ("tcp: ULP infrastructure")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 58de2cef

include/net/tcp.h

+4 −0

Original line number	Diff line number	Diff line
		@@ -2063,6 +2063,10 @@ int tcp_set_ulp(struct sock sk, const char name);
		void tcp_get_available_ulp(char *buf, size_t len);
		void tcp_cleanup_ulp(struct sock *sk);

		#define MODULE_ALIAS_TCP_ULP(name) \
		__MODULE_INFO(alias, alias_userspace, name); \
		__MODULE_INFO(alias, alias_tcp_ulp, "tcp-ulp-" name)

		/* Call BPF_SOCK_OPS program that returns an int. If the return value
		* is < 0, then the BPF op failed (for example if the loaded BPF
		* program does not support the chosen operation or there is no BPF

net/ipv4/tcp_ulp.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -39,7 +39,7 @@ static const struct tcp_ulp_ops __tcp_ulp_find_autoload(const char name)
		#ifdef CONFIG_MODULES
		if (!ulp && capable(CAP_NET_ADMIN)) {
		rcu_read_unlock();
		request_module("%s", name);
		request_module("tcp-ulp-%s", name);
		rcu_read_lock();
		ulp = tcp_ulp_find(name);
		}

net/tls/tls_main.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -44,6 +44,7 @@
		MODULE_AUTHOR("Mellanox Technologies");
		MODULE_DESCRIPTION("Transport Layer Security Support");
		MODULE_LICENSE("Dual BSD/GPL");
		MODULE_ALIAS_TCP_ULP("tls");

		static struct proto tls_base_prot;
		static struct proto tls_sw_prot;