From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Christoph Paasch <cpaasch@apple.com>,
Paolo Abeni <pabeni@redhat.com>,
Matthieu Baerts <matthieu.baerts@tessares.net>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.15 01/15] mptcp: fix possible divide by zero in recvmsg()
Date: Mon, 3 Jul 2023 20:54:46 +0200
Message-ID: <20230703184518.936530437@linuxfoundation.org>
In-Reply-To: <20230703184518.896751186@linuxfoundation.org>
From: Paolo Abeni <pabeni@redhat.com>
commit 0ad529d9fd2bfa3fc619552a8d2fb2f2ef0bce2e upstream.
Christoph reported a divide by zero bug in mptcp_recvmsg():
divide error: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 19978 Comm: syz-executor.6 Not tainted 6.4.0-rc2-gffcc7899081b #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:__tcp_select_window+0x30e/0x420 net/ipv4/tcp_output.c:3018
Code: 11 ff 0f b7 cd c1 e9 0c b8 ff ff ff ff d3 e0 89 c1 f7 d1 01 cb 21 c3 eb 17 e8 2e 83 11 ff 31 db eb 0e e8 25 83 11 ff 89 d8 99 <f7> 7c 24 04 29 d3 65 48 8b 04 25 28 00 00 00 48 3b 44 24 10 75 60
RSP: 0018:ffffc90000a07a18 EFLAGS: 00010246
RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000040000
RDX: 0000000000000000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: 000000000000ffd7 R08: ffffffff820cf297 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff8103d1a0 R12: 0000000000003f00
R13: 0000000000300000 R14: ffff888101cf3540 R15: 0000000000180000
FS: 00007f9af4c09640(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33824000 CR3: 000000012f241001 CR4: 0000000000170ee0
Call Trace:
<TASK>
__tcp_cleanup_rbuf+0x138/0x1d0 net/ipv4/tcp.c:1611
mptcp_recvmsg+0xcb8/0xdd0 net/mptcp/protocol.c:2034
inet_recvmsg+0x127/0x1f0 net/ipv4/af_inet.c:861
____sys_recvmsg+0x269/0x2b0 net/socket.c:1019
___sys_recvmsg+0xe6/0x260 net/socket.c:2764
do_recvmmsg+0x1a5/0x470 net/socket.c:2858
__do_sys_recvmmsg net/socket.c:2937 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0xa6/0x130 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f9af58fc6a9
Code: 5c c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 37 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007f9af4c08cd8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000006bc050 RCX: 00007f9af58fc6a9
RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000f00 R11: 0000000000000246 R12: 00000000006bc05c
R13: fffffffffffffea8 R14: 00000000006bc050 R15: 000000000001fe40
</TASK>
mptcp_recvmsg is allowed to release the msk socket lock when
blocking, and before re-acquiring it another thread could have
switched the sock to TCP_LISTEN status - with a prior
connect(AF_UNSPEC) - also clearing icsk_ack.rcv_mss.
Address the issue preventing the disconnect if some other process is
concurrently performing a blocking syscall on the same socket, alike
commit 4faeee0cf8a5 ("tcp: deny tcp_disconnect() when threads are waiting").
Fixes: a6b118febbab ("mptcp: add receive buffer auto-tuning")
Cc: stable@vger.kernel.org
Reported-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/404
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Tested-by: Christoph Paasch <cpaasch@apple.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2807,6 +2807,12 @@ static int mptcp_disconnect(struct sock
struct mptcp_subflow_context *subflow;
struct mptcp_sock *msk = mptcp_sk(sk);
+ /* Deny disconnect if other threads are blocked in sk_wait_event()
+ * or inet_wait_for_connect().
+ */
+ if (sk->sk_wait_pending)
+ return -EBUSY;
+
mptcp_do_flush_join_list(msk);
mptcp_for_each_subflow(msk, subflow) {
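Review bot: the `if (sk->sk_wait_pending) return -EBUSY;` check in mptcp_disconnect() only has an effect if sk_wait_pending is actually maintained by the generic wait helpers the comment names (sk_wait_event() and inet_wait_for_connect()), which is what the referenced commit 4faeee0cf8a5 ("tcp: deny tcp_disconnect() when threads are waiting") introduced; for a 5.15 backport it is worth confirming that commit is already in the tree, otherwise the field is never incremented and the new check is a no-op. The commit message should also state the user-visible effect: connect(AF_UNSPEC) on an MPTCP socket now fails with EBUSY while another thread is blocked in recvmsg() on it, instead of switching the socket to TCP_LISTEN underneath the waiter.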
@@ -2845,6 +2851,7 @@ struct sock *mptcp_sk_clone(const struct
inet_sk(nsk)->pinet6 = mptcp_inet6_sk(nsk);
#endif
+ nsk->sk_wait_pending = 0;
__mptcp_init_sock(nsk);
msk = mptcp_sk(nsk);
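Review bot: `nsk->sk_wait_pending = 0;` in mptcp_sk_clone() is a bare assignment with no comment; suggest noting why it is needed, namely that the new socket is cloned from the listener and would otherwise inherit whatever count the listener carries at clone time, so mptcp_disconnect() on the child could return -EBUSY although nobody is waiting on it. Placing the reset before __mptcp_init_sock(nsk) is fine provided that init routine does not touch the field itself.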