From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Christoph Paasch <cpaasch@apple.com>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
Nikolay Kuratov <kniv@yandex-team.ru>
Subject: [PATCH 5.15 78/87] net: relax socket state check at accept time.
Date: Thu, 25 Jul 2024 16:37:51 +0200 [thread overview]
Message-ID: <20240725142741.381494123@linuxfoundation.org> (raw)
In-Reply-To: <20240725142738.422724252@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 26afda78cda3da974fd4c287962c169e9462c495 upstream.
Christoph reported the following splat:
WARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0
Modules linked in:
CPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759
Code: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80
RSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293
RAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64
R10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000
R13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800
FS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786
do_accept+0x435/0x620 net/socket.c:1929
__sys_accept4_file net/socket.c:1969 [inline]
__sys_accept4+0x9b/0x110 net/socket.c:1999
__do_sys_accept net/socket.c:2016 [inline]
__se_sys_accept net/socket.c:2013 [inline]
__x64_sys_accept+0x7d/0x90 net/socket.c:2013
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x4315f9
Code: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300
R10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055
</TASK>
The reproducer invokes shutdown() before entering the listener status.
After commit 94062790aedb ("tcp: defer shutdown(SEND_SHUTDOWN) for
TCP_SYN_RECV sockets"), the above causes the child to reach the accept
syscall in FIN_WAIT1 status.
Eric noted we can relax the existing assertion in __inet_accept()
Reported-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/490
Suggested-by: Eric Dumazet <edumazet@google.com>
Fixes: 94062790aedb ("tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/23ab880a44d8cfd967e84de8b93dbf48848e3d8c.1716299669.git.pabeni@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/af_inet.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -761,7 +761,9 @@ int inet_accept(struct socket *sock, str
sock_rps_record_flow(sk2);
WARN_ON(!((1 << sk2->sk_state) &
(TCPF_ESTABLISHED | TCPF_SYN_RECV |
- TCPF_CLOSE_WAIT | TCPF_CLOSE)));
+ TCPF_FIN_WAIT1 | TCPF_FIN_WAIT2 |
+ TCPF_CLOSING | TCPF_CLOSE_WAIT |
+ TCPF_CLOSE)));
sock_graft(sk2, newsock);
next prev parent reply other threads:[~2024-07-25 14:54 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-25 14:36 [PATCH 5.15 00/87] 5.15.164-rc1 review Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 01/87] gcc-plugins: Rename last_stmt() for GCC 14+ Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 02/87] filelock: Remove locks reliably when fcntl/close race is detected Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 03/87] ARM: 9324/1: fix get_user() broken with veneer Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 04/87] ACPI: processor_idle: Fix invalid comparison with insertion sort for latency Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 05/87] bpf: Fix overrunning reservations in ringbuf Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 06/87] scsi: core: Fix a use-after-free Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 07/87] scsi: core: alua: I/O errors for ALUA state transitions Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 08/87] scsi: qedf: Dont process stag work during unload and recovery Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 09/87] scsi: qedf: Wait for stag work during unload Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 10/87] scsi: qedf: Set qed_slowpath_params to zero before use Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 11/87] ACPI: EC: Abort address space access upon error Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 12/87] ACPI: EC: Avoid returning AE_OK on errors in address space handler Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 13/87] tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 14/87] wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 15/87] wifi: mac80211: handle tasklet frames before stopping Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 16/87] wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 17/87] wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 18/87] wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 19/87] wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 20/87] selftests/openat2: Fix build warnings on ppc64 Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 21/87] Input: silead - Always support 10 fingers Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 22/87] net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 23/87] ila: block BH in ila_output() Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 24/87] arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 25/87] null_blk: fix validation of block size Greg Kroah-Hartman
2024-07-25 14:36 ` [PATCH 5.15 26/87] kconfig: gconf: give a proper initial state to the Save button Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 27/87] kconfig: remove wrong expr_trans_bool() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 28/87] fs/file: fix the check in find_next_fd() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 29/87] mei: demote client disconnect warning on suspend to debug Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 30/87] nvme: avoid double free special payload Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 31/87] wifi: cfg80211: wext: add extra SIOCSIWSCAN data check Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 32/87] KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 33/87] drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 34/87] ALSA: hda/realtek: Add more codec ID to no shutup pins list Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 35/87] mips: fix compat_sys_lseek syscall Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 36/87] Input: elantech - fix touchpad state on resume for Lenovo N24 Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 37/87] Input: i8042 - add Ayaneo Kun to i8042 quirk table Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 38/87] bytcr_rt5640 : inverse jack detect for Archos 101 cesium Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 39/87] ALSA: dmaengine: Synchronize dma channel after drop() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 40/87] ASoC: ti: davinci-mcasp: Set min period size using FIFO config Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 41/87] ASoC: ti: omap-hdmi: Fix too long driver name Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 42/87] can: kvaser_usb: fix return value for hif_usb_send_regout Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 43/87] s390/sclp: Fix sclp_init() cleanup on failure Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 44/87] platform/x86: wireless-hotkey: Add support for LG Airplane Button Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 45/87] platform/x86: lg-laptop: Remove LGEX0815 hotkey handling Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 46/87] platform/x86: lg-laptop: Change ACPI device id Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 47/87] platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 48/87] btrfs: qgroup: fix quota root leak after quota disable failure Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 49/87] ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 50/87] ALSA: dmaengine_pcm: terminate dmaengine before synchronize Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 51/87] net: usb: qmi_wwan: add Telit FN912 compositions Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 52/87] net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 53/87] powerpc/pseries: Whitelist dtl slub object for copying to userspace Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 54/87] powerpc/eeh: avoid possible crash when edev->pdev changes Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 55/87] scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 56/87] Bluetooth: hci_core: cancel all works upon hci_unregister_dev() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 57/87] drm/radeon: check bo_va->bo is non-NULL before using it Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 58/87] fs: better handle deep ancestor chains in is_subdir() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 59/87] riscv: stacktrace: fix usage of ftrace_graph_ret_addr() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 60/87] spi: imx: Dont expect DMA for i.MX{25,35,50,51,53} cspi devices Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 61/87] selftests/vDSO: fix clang build errors and warnings Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 62/87] hfsplus: fix uninit-value in copy_name Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 63/87] spi: mux: set ctlr->bits_per_word_mask Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 64/87] tracing: Define the is_signed_type() macro once Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 65/87] minmax: sanity check constant bounds when clamping Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 66/87] minmax: clamp more efficiently by avoiding extra comparison Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 67/87] minmax: fix header inclusions Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 68/87] minmax: allow min()/max()/clamp() if the arguments have the same signedness Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 69/87] minmax: allow comparisons of int against unsigned char/short Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 70/87] minmax: relax check to allow comparison between unsigned arguments and signed constants Greg Kroah-Hartman
2024-07-25 16:58 ` Linus Torvalds
2024-07-26 5:21 ` Greg Kroah-Hartman
2024-07-26 16:05 ` SeongJae Park
2024-07-27 5:08 ` Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 71/87] mm/damon/core: merge regions aggressively when max_nr_regions is unmet Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 72/87] wifi: mac80211: disable softirqs for queued frame handling Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 73/87] drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 74/87] samples: Add fs error monitoring example Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 75/87] samples: Make fs-monitor depend on libc and headers Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 76/87] docs: Fix formatting of literal sections in fanotify docs Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 77/87] Add gitignore file for samples/fanotify/ subdirectory Greg Kroah-Hartman
2024-07-25 14:37 ` Greg Kroah-Hartman [this message]
2024-07-25 14:37 ` [PATCH 5.15 79/87] ocfs2: add bounds checking to ocfs2_check_dir_entry() Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 80/87] jfs: dont walk off the end of ealist Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 81/87] fs/ntfs3: Validate ff offset Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 82/87] ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 83/87] ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 84/87] arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 85/87] arm64: dts: qcom: sdm630: " Greg Kroah-Hartman
2024-07-25 14:37 ` [PATCH 5.15 86/87] ALSA: pcm_dmaengine: Dont synchronize DMA channel when DMA is paused Greg Kroah-Hartman
2024-07-25 14:38 ` [PATCH 5.15 87/87] filelock: Fix fcntl/close race recovery compat path Greg Kroah-Hartman
2024-07-25 16:48 ` [PATCH 5.15 00/87] 5.15.164-rc1 review Naresh Kamboju
2024-07-26 6:33 ` Greg Kroah-Hartman
2024-07-26 8:15 ` Pavel Machek
2024-07-25 17:37 ` ChromeOS Kernel Stable Merge
2024-07-25 23:19 ` SeongJae Park
2024-07-26 5:23 ` Harshit Mogalapalli
2024-07-26 16:38 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240725142741.381494123@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=cpaasch@apple.com \
--cc=edumazet@google.com \
--cc=kniv@yandex-team.ru \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox