From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Christoph Paasch <cpaasch@apple.com>,
Paolo Abeni <pabeni@redhat.com>,
Matthieu Baerts <matthieu.baerts@tessares.net>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.15 66/91] mptcp: stricter state check in mptcp_worker
Date: Tue, 18 Apr 2023 14:22:10 +0200 [thread overview]
Message-ID: <20230418120307.864966639@linuxfoundation.org> (raw)
In-Reply-To: <20230418120305.520719816@linuxfoundation.org>
From: Paolo Abeni <pabeni@redhat.com>
commit d6a0443733434408f2cbd4c53fea6910599bab9e upstream.
As reported by Christoph, the mptcp protocol can run the
worker when the relevant msk socket is in an unexpected state:
connect()
// incoming reset + fastclose
// the mptcp worker is scheduled
mptcp_disconnect()
// msk is now CLOSED
listen()
mptcp_worker()
Leading to the following splat:
divide error: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018
RSP: 0018:ffffc900000b3c98 EFLAGS: 00010293
RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004
RBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000
R10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tcp_select_window net/ipv4/tcp_output.c:262 [inline]
__tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345
tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]
tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459
mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]
mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705
process_one_work+0x3bd/0x950 kernel/workqueue.c:2390
worker_thread+0x5b/0x610 kernel/workqueue.c:2537
kthread+0x138/0x170 kernel/kthread.c:376
ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
</TASK>
This change addresses the issue explicitly checking for bad states
before running the mptcp worker.
Fixes: e16163b6e2b7 ("mptcp: refactor shutdown and close")
Cc: stable@vger.kernel.org
Reported-by: Christoph Paasch <cpaasch@apple.com>
Link: https://github.com/multipath-tcp/mptcp_net-next/issues/374
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Tested-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2448,7 +2448,7 @@ static void mptcp_worker(struct work_str
lock_sock(sk);
state = sk->sk_state;
- if (unlikely(state == TCP_CLOSE))
+ if (unlikely((1 << state) & (TCPF_CLOSE | TCPF_LISTEN)))
goto unlock;
mptcp_check_data_fin_ack(sk);
next prev parent reply other threads:[~2023-04-18 12:40 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-18 12:21 [PATCH 5.15 00/91] 5.15.108-rc1 review Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 01/91] Revert "pinctrl: amd: Disable and mask interrupts on resume" Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 02/91] ALSA: emu10k1: fix capture interrupt handler unlinking Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 03/91] ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 04/91] ALSA: i2c/cs8427: fix iec958 mixer control deactivation Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 05/91] ALSA: firewire-tascam: add missing unwind goto in snd_tscm_stream_start_duplex() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 06/91] ALSA: emu10k1: dont create old pass-through playback device on Audigy Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 07/91] ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 08/91] Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 09/91] Bluetooth: Fix race condition in hidp_session_thread Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 10/91] btrfs: print checksum type and implementation at mount time Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 11/91] btrfs: fix fast csum implementation detection Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 12/91] fbmem: Reject FB_ACTIVATE_KD_TEXT from userspace Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 13/91] mtdblock: tolerate corrected bit-flips Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 14/91] mtd: rawnand: meson: fix bitmask for length in command word Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 15/91] mtd: rawnand: stm32_fmc2: remove unsupported EDO mode Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 16/91] mtd: rawnand: stm32_fmc2: use timings.mode instead of checking tRC_min Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 17/91] KVM: arm64: PMU: Restore the guests EL0 event counting after migration Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 18/91] drm/i915/dsi: fix DSS CTL register offsets for TGL+ Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 19/91] clk: sprd: set max_register according to mapping range Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 20/91] RDMA/irdma: Fix memory leak of PBLE objects Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 21/91] RDMA/irdma: Increase iWARP CM default rexmit count Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 22/91] RDMA/irdma: Add ipv4 check to irdma_find_listener() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 23/91] IB/mlx5: Add support for 400G_8X lane speed Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 24/91] RDMA/cma: Allow UD qp_type to join multicast only Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 25/91] bpf: tcp: Use sock_gen_put instead of sock_put in bpf_iter_tcp Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 26/91] 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 27/91] niu: Fix missing unwind goto in niu_alloc_channels() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 28/91] tcp: restrict net.ipv4.tcp_app_win Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 29/91] drm/armada: Fix a potential double free in an error handling path Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 30/91] qlcnic: check pci_reset_function result Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 31/91] net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 32/91] sctp: fix a potential overflow in sctp_ifwdtsn_skip Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 33/91] RDMA/core: Fix GID entry ref leak when create_ah fails Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 34/91] udp6: fix potential access to stale information Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 35/91] net: macb: fix a memory corruption in extended buffer descriptor mode Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 36/91] skbuff: Fix a race between coalescing and releasing SKBs Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 37/91] libbpf: Fix single-line struct definition output in btf_dump Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 38/91] ARM: 9290/1: uaccess: Fix KASAN false-positives Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 39/91] power: supply: cros_usbpd: reclassify "default case!" as debug Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 40/91] wifi: mwifiex: mark OF related data as maybe unused Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 41/91] i2c: imx-lpi2c: clean rx/tx buffers upon new message Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 42/91] i2c: hisi: Avoid redundant interrupts Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 43/91] efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 44/91] drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 45/91] verify_pefile: relax wrapper length check Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 46/91] asymmetric_keys: log on fatal failures in PE/pkcs7 Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 47/91] wifi: iwlwifi: mvm: fix mvmtxq->stopped handling Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 48/91] ACPI: resource: Add Medion S17413 to IRQ override quirk Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 49/91] counter: stm32-lptimer-cnt: Provide defines for clock polarities Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 50/91] counter: stm32-timer-cnt: Provide defines for slave mode selection Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 51/91] counter: Internalize sysfs interface code Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 52/91] counter: 104-quad-8: Fix Synapse action reported for Index signals Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 53/91] tracing: Add trace_array_puts() to write into instance Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 54/91] tracing: Have tracing_snapshot_instance_cond() write errors to the appropriate instance Greg Kroah-Hartman
2023-04-18 12:21 ` [PATCH 5.15 55/91] i915/perf: Replace DRM_DEBUG with driver specific drm_dbg call Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 56/91] drm/i915: fix race condition UAF in i915_perf_add_config_ioctl Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 57/91] riscv: Do not set initial_boot_params to the linear address of the dtb Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 58/91] riscv: add icache flush for nommu sigreturn trampoline Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 59/91] net: sfp: initialize sfp->i2c_block_size at sfp allocation Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 60/91] net: phy: nxp-c45-tja11xx: add remove callback Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 61/91] net: phy: nxp-c45-tja11xx: fix unsigned long multiplication overflow Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 62/91] scsi: ses: Handle enclosure with just a primary component gracefully Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 63/91] x86/PCI: Add quirk for AMD XHCI controller that loses MSI-X state in D3hot Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 64/91] cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach() Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 65/91] mptcp: use mptcp_schedule_work instead of open-coding it Greg Kroah-Hartman
2023-04-18 12:22 ` Greg Kroah-Hartman [this message]
2023-04-18 12:22 ` [PATCH 5.15 67/91] ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 68/91] ubi: Fix deadlock caused by recursively holding work_sem Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 69/91] powerpc/papr_scm: Update the NUMA distance table for the target node Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 70/91] sched/fair: Move calculate of avg_load to a better location Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 71/91] sched/fair: Fix imbalance overflow Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 72/91] x86/rtc: Remove __init for runtime functions Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 73/91] i2c: ocores: generate stop condition after timeout in polling mode Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 74/91] sh: remove meaningless archclean line Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 75/91] kbuild: use more subdir- for visiting subdirectories while cleaning Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 76/91] purgatory: fix disabling debug info Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 77/91] nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA XPG GAMMIX S50 Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 78/91] nvme-pci: avoid the deepest sleep state on ZHITAI TiPro7000 SSDs Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 79/91] nvme-pci: Crucial P2 has bogus namespace ids Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 80/91] nvme-pci: add NVME_QUIRK_BOGUS_NID for Lexar NM610 Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 81/91] nvme-pci: add NVME_QUIRK_BOGUS_NID for Lexar NM760 Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 82/91] nvme-pci: mark Lexar NM760 as IGNORE_DEV_SUBNQN Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 83/91] nvme-pci: add NVME_QUIRK_BOGUS_NID for T-FORCE Z330 SSD Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 84/91] cgroup/cpuset: Skip spread flags update on v2 Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 85/91] cgroup/cpuset: Make cpuset_fork() handle CLONE_INTO_CGROUP properly Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 86/91] cgroup/cpuset: Add cpuset_can_fork() and cpuset_cancel_fork() methods Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 87/91] kexec: turn all kexec_mutex acquisitions into trylocks Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 88/91] panic, kexec: make __crash_kexec() NMI safe Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 89/91] counter: fix docum. build problems after filename change Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 90/91] counter: Add the necessary colons and indents to the comments of counter_compi Greg Kroah-Hartman
2023-04-18 12:22 ` [PATCH 5.15 91/91] nvme-pci: avoid the deepest sleep state on ZHITAI TiPro5000 SSDs Greg Kroah-Hartman
2023-04-18 14:47 ` [PATCH 5.15 00/91] 5.15.108-rc1 review Naresh Kamboju
2023-04-18 16:17 ` Harshit Mogalapalli
2023-04-18 16:51 ` Tom Saeger
2023-04-19 4:18 ` Bagas Sanjaya
2023-04-19 4:56 ` Yu Zhao
2023-04-19 7:22 ` Greg Kroah-Hartman
2023-04-19 8:44 ` Pavel Machek
2023-04-19 15:09 ` Tom Saeger
2023-04-19 7:24 ` Greg Kroah-Hartman
2023-04-18 20:37 ` Florian Fainelli
2023-04-18 21:26 ` Shuah Khan
2023-04-19 3:54 ` Guenter Roeck
2023-04-19 4:23 ` Bagas Sanjaya
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230418120307.864966639@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=cpaasch@apple.com \
--cc=kuba@kernel.org \
--cc=matthieu.baerts@tessares.net \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).