From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Christoph Paasch <cpaasch@apple.com>,
Paolo Abeni <pabeni@redhat.com>,
Matthieu Baerts <matthieu.baerts@tessares.net>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 6.1 03/30] mptcp: ensure listener is unhashed before updating the sk status
Date: Thu, 29 Jun 2023 20:43:22 +0200 [thread overview]
Message-ID: <20230629184151.798150717@linuxfoundation.org> (raw)
In-Reply-To: <20230629184151.651069086@linuxfoundation.org>
From: Paolo Abeni <pabeni@redhat.com>
commit 57fc0f1ceaa4016354cf6f88533e20b56190e41a upstream.
The MPTCP protocol access the listener subflow in a lockless
manner in a couple of places (poll, diag). That works only if
the msk itself leaves the listener status only after that the
subflow itself has been closed/disconnected. Otherwise we risk
deadlock in diag, as reported by Christoph.
Address the issue ensuring that the first subflow (the listener
one) is always disconnected before updating the msk socket status.
Reported-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/407
Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 1 +
net/mptcp/protocol.c | 26 ++++++++++++++++++++------
2 files changed, 21 insertions(+), 6 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1039,6 +1039,7 @@ static int mptcp_pm_nl_create_listen_soc
return err;
}
+ inet_sk_state_store(newsk, TCP_LISTEN);
err = kernel_listen(ssock, backlog);
if (err) {
pr_warn("kernel_listen error, err=%d", err);
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2400,12 +2400,6 @@ static void __mptcp_close_ssk(struct soc
kfree_rcu(subflow, rcu);
} else {
/* otherwise tcp will dispose of the ssk and subflow ctx */
- if (ssk->sk_state == TCP_LISTEN) {
- tcp_set_state(ssk, TCP_CLOSE);
- mptcp_subflow_queue_clean(sk, ssk);
- inet_csk_listen_stop(ssk);
- }
-
__tcp_close(ssk, 0);
/* close acquired an extra ref */
@@ -2939,6 +2933,24 @@ static __poll_t mptcp_check_readable(str
return EPOLLIN | EPOLLRDNORM;
}
+static void mptcp_check_listen_stop(struct sock *sk)
+{
+ struct sock *ssk;
+
+ if (inet_sk_state_load(sk) != TCP_LISTEN)
+ return;
+
+ ssk = mptcp_sk(sk)->first;
+ if (WARN_ON_ONCE(!ssk || inet_sk_state_load(ssk) != TCP_LISTEN))
+ return;
+
+ lock_sock_nested(ssk, SINGLE_DEPTH_NESTING);
+ mptcp_subflow_queue_clean(sk, ssk);
+ inet_csk_listen_stop(ssk);
+ tcp_set_state(ssk, TCP_CLOSE);
+ release_sock(ssk);
+}
+
bool __mptcp_close(struct sock *sk, long timeout)
{
struct mptcp_subflow_context *subflow;
@@ -2949,6 +2961,7 @@ bool __mptcp_close(struct sock *sk, long
WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) {
+ mptcp_check_listen_stop(sk);
inet_sk_state_store(sk, TCP_CLOSE);
goto cleanup;
}
@@ -3062,6 +3075,7 @@ static int mptcp_disconnect(struct sock
if (msk->fastopening)
return -EBUSY;
+ mptcp_check_listen_stop(sk);
inet_sk_state_store(sk, TCP_CLOSE);
mptcp_stop_timer(sk);
next prev parent reply other threads:[~2023-06-29 18:45 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-29 18:43 [PATCH 6.1 00/30] 6.1.37-rc1 review Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 01/30] mm/mmap: Fix error path in do_vmi_align_munmap() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 02/30] mm/mmap: Fix error return " Greg Kroah-Hartman
2023-06-29 18:43 ` Greg Kroah-Hartman [this message]
2023-06-29 18:43 ` [PATCH 6.1 04/30] mm, hwpoison: try to recover from copy-on write faults Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 05/30] mm, hwpoison: when copy-on-write hits poison, take page offline Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 06/30] x86/microcode/AMD: Load late on both threads too Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 07/30] x86/smp: Make stop_other_cpus() more robust Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 08/30] x86/smp: Dont access non-existing CPUID leaf Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 09/30] x86/smp: Remove pointless wmb()s from native_stop_other_cpus() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 10/30] x86/smp: Use dedicated cache-line for mwait_play_dead() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 11/30] x86/smp: Cure kexec() vs. mwait_play_dead() breakage Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 12/30] can: isotp: isotp_sendmsg(): fix return error fix on TX path Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 13/30] maple_tree: fix potential out-of-bounds access in mas_wr_end_piv() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 14/30] mm: introduce new lock_mm_and_find_vma() page fault helper Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 15/30] mm: make the page fault mmap locking killable Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 16/30] arm64/mm: Convert to using lock_mm_and_find_vma() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 17/30] powerpc/mm: " Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 18/30] mips/mm: " Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 19/30] riscv/mm: " Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 20/30] arm/mm: " Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 21/30] mm/fault: convert remaining simple cases to lock_mm_and_find_vma() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 22/30] powerpc/mm: convert coprocessor fault " Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 23/30] mm: make find_extend_vma() fail if write lock not held Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 24/30] execve: expand new process stack manually ahead of time Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 25/30] mm: always expand the stack with the mmap write lock held Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 26/30] fbdev: fix potential OOB read in fast_imageblit() Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 27/30] HID: hidraw: fix data race on device refcount Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 28/30] HID: wacom: Use ktime_t rather than int when dealing with timestamps Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 29/30] HID: logitech-hidpp: add HIDPP_QUIRK_DELAYED_INIT for the T651 Greg Kroah-Hartman
2023-06-29 18:43 ` [PATCH 6.1 30/30] Revert "thermal/drivers/mediatek: Use devm_of_iomap to avoid resource leak in mtk_thermal_probe" Greg Kroah-Hartman
2023-06-29 21:56 ` [PATCH 6.1 00/30] 6.1.37-rc1 review ogasawara takeshi
2023-06-29 22:25 ` Daniel Díaz
2023-06-30 5:18 ` Greg Kroah-Hartman
2023-06-30 5:21 ` Daniel Díaz
2023-06-30 5:30 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230629184151.798150717@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=cpaasch@apple.com \
--cc=kuba@kernel.org \
--cc=matthieu.baerts@tessares.net \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox