[PATCH 6.1.y 1/7] mptcp: cope racing subflow creation in mptcp_rcv_space_adjust

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
To: mptcp@lists.linux.dev, stable@vger.kernel.org,
	gregkh@linuxfoundation.org
Cc: Paolo Abeni <pabeni@redhat.com>,
	sashal@kernel.org, Matthieu Baerts <matttbe@kernel.org>,
	Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 6.1.y 1/7] mptcp: cope racing subflow creation in mptcp_rcv_space_adjust
Date: Tue, 19 Nov 2024 09:35:49 +0100	[thread overview]
Message-ID: <20241119083547.3234013-10-matttbe@kernel.org> (raw)
In-Reply-To: <20241119083547.3234013-9-matttbe@kernel.org>

From: Paolo Abeni <pabeni@redhat.com>

commit ce7356ae35943cc6494cc692e62d51a734062b7d upstream.

Additional active subflows - i.e. created by the in kernel path
manager - are included into the subflow list before starting the
3whs.

A racing recvmsg() spooling data received on an already established
subflow would unconditionally call tcp_cleanup_rbuf() on all the
current subflows, potentially hitting a divide by zero error on
the newly created ones.

Explicitly check that the subflow is in a suitable state before
invoking tcp_cleanup_rbuf().

Fixes: c76c6956566f ("mptcp: call tcp_cleanup_rbuf on subflows")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/02374660836e1b52afc91966b7535c8c5f7bafb0.1731060874.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in protocol.c, because commit f410cbea9f3d ("tcp: annotate
  data-races around tp->window_clamp") has not been backported to this
  version. The conflict is easy to resolve, because only the context is
  different, but not the line to modify. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
---
 net/mptcp/protocol.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 78ac5c538e13..1acd4e37a0ea 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2057,7 +2057,8 @@ static void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied)
 				slow = lock_sock_fast(ssk);
 				WRITE_ONCE(ssk->sk_rcvbuf, rcvbuf);
 				tcp_sk(ssk)->window_clamp = window_clamp;
-				tcp_cleanup_rbuf(ssk, 1);
+				if (tcp_can_send_ack(ssk))
+					tcp_cleanup_rbuf(ssk, 1);
 				unlock_sock_fast(ssk, slow);
 			}
 		}
-- 
2.45.2

WARNING: multiple messages have this Message-ID (diff)

From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org
Cc: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>,
	Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 6.1.y 1/7] mptcp: cope racing subflow creation in mptcp_rcv_space_adjust
Date: Tue, 19 Nov 2024 09:46:47 -0500	[thread overview]
Message-ID: <20241119083547.3234013-10-matttbe@kernel.org> (raw)
Message-ID: <20241119144647.DHnFA4H7vtUqNXtS5mM-01OPS4uNJqHnZMFswg9Y-EQ@z> (raw)
In-Reply-To: <20241119083547.3234013-10-matttbe@kernel.org>

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: ce7356ae35943cc6494cc692e62d51a734062b7d

WARNING: Author mismatch between patch and upstream commit:
Backport author: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
Commit author: Paolo Abeni <pabeni@redhat.com>


Status in newer kernel trees:
6.11.y | Present (different SHA1: 8cccaf4eb99b)
6.6.y | Present (different SHA1: 4e86acecbba9)
6.1.y | Not found

Note: The patch differs from the upstream commit:
---
--- -	2024-11-19 08:38:07.302555583 -0500
+++ /tmp/tmp.UE8LSqsrXJ	2024-11-19 08:38:07.300507479 -0500
@@ -1,3 +1,5 @@
+commit ce7356ae35943cc6494cc692e62d51a734062b7d upstream.
+
 Additional active subflows - i.e. created by the in kernel path
 manager - are included into the subflow list before starting the
 3whs.
@@ -15,21 +17,29 @@
 Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
 Link: https://patch.msgid.link/02374660836e1b52afc91966b7535c8c5f7bafb0.1731060874.git.pabeni@redhat.com
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Conflicts in protocol.c, because commit f410cbea9f3d ("tcp: annotate
+  data-races around tp->window_clamp") has not been backported to this
+  version. The conflict is easy to resolve, because only the context is
+  different, but not the line to modify. ]
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
 ---
  net/mptcp/protocol.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
-index 95a5a3da39447..48d480982b787 100644
+index 78ac5c538e13..1acd4e37a0ea 100644
 --- a/net/mptcp/protocol.c
 +++ b/net/mptcp/protocol.c
-@@ -2082,7 +2082,8 @@ static void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied)
+@@ -2057,7 +2057,8 @@ static void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied)
  				slow = lock_sock_fast(ssk);
  				WRITE_ONCE(ssk->sk_rcvbuf, rcvbuf);
- 				WRITE_ONCE(tcp_sk(ssk)->window_clamp, window_clamp);
+ 				tcp_sk(ssk)->window_clamp = window_clamp;
 -				tcp_cleanup_rbuf(ssk, 1);
 +				if (tcp_can_send_ack(ssk))
 +					tcp_cleanup_rbuf(ssk, 1);
  				unlock_sock_fast(ssk, slow);
  			}
  		}
+-- 
+2.45.2
+
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        |  Success    |  Success   |

next prev parent reply	other threads:[~2024-11-19  8:35 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-19  8:35 [PATCH 6.1.y 0/7] mptcp: fix recent failed backports Matthieu Baerts (NGI0)
2024-11-19  8:35 ` Matthieu Baerts (NGI0) [this message]
2024-11-19 14:46   ` [PATCH 6.1.y 1/7] mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Sasha Levin
2024-11-19  8:35 ` [PATCH 6.1.y 2/7] mptcp: define more local variables sk Matthieu Baerts (NGI0)
2024-11-19 14:46   ` Sasha Levin
2024-11-19  8:35 ` [PATCH 6.1.y 3/7] mptcp: add userspace_pm_lookup_addr_by_id helper Matthieu Baerts (NGI0)
2024-11-19 14:46   ` Sasha Levin
2024-11-19  8:35 ` [PATCH 6.1.y 4/7] mptcp: update local address flags when setting it Matthieu Baerts (NGI0)
2024-11-19 14:46   ` Sasha Levin
2024-11-19  8:35 ` [PATCH 6.1.y 5/7] mptcp: hold pm lock when deleting entry Matthieu Baerts (NGI0)
2024-11-19 14:46   ` Sasha Levin
2024-11-19  8:35 ` [PATCH 6.1.y 6/7] mptcp: drop lookup_by_id in lookup_addr Matthieu Baerts (NGI0)
2024-11-19 14:46   ` Sasha Levin
2024-11-19  8:35 ` [PATCH 6.1.y 7/7] mptcp: pm: use _rcu variant under rcu_read_lock Matthieu Baerts (NGI0)
2024-11-19 14:47   ` Sasha Levin
2024-11-19 13:05 ` [PATCH 6.1.y 0/7] mptcp: fix recent failed backports Greg KH

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:78ac5c538e1 dfblob:1acd4e37a0e )
 OR (
bs:"Re: [PATCH 6.1.y 1/7] mptcp: cope racing subflow creation in mptcp_rcv_space_adjust" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241119083547.3234013-10-matttbe@kernel.org \
    --to=matttbe@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=kuba@kernel.org \
    --cc=mptcp@lists.linux.dev \
    --cc=pabeni@redhat.com \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox