korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-15 16:24:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
0ad529d9fd
linux/net/mptcp
History
Paolo Abeni 0ad529d9fd mptcp: fix possible divide by zero in recvmsg() 
Christoph reported a divide by zero bug in mptcp_recvmsg():

divide error: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 19978 Comm: syz-executor.6 Not tainted 6.4.0-rc2-gffcc7899081b #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:__tcp_select_window+0x30e/0x420 net/ipv4/tcp_output.c:3018
Code: 11 ff 0f b7 cd c1 e9 0c b8 ff ff ff ff d3 e0 89 c1 f7 d1 01 cb 21 c3 eb 17 e8 2e 83 11 ff 31 db eb 0e e8 25 83 11 ff 89 d8 99 <f7> 7c 24 04 29 d3 65 48 8b 04 25 28 00 00 00 48 3b 44 24 10 75 60
RSP: 0018:ffffc90000a07a18 EFLAGS: 00010246
RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000040000
RDX: 0000000000000000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: 000000000000ffd7 R08: ffffffff820cf297 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff8103d1a0 R12: 0000000000003f00
R13: 0000000000300000 R14: ffff888101cf3540 R15: 0000000000180000
FS:  00007f9af4c09640(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33824000 CR3: 000000012f241001 CR4: 0000000000170ee0
Call Trace:
 <TASK>
 __tcp_cleanup_rbuf+0x138/0x1d0 net/ipv4/tcp.c:1611
 mptcp_recvmsg+0xcb8/0xdd0 net/mptcp/protocol.c:2034
 inet_recvmsg+0x127/0x1f0 net/ipv4/af_inet.c:861
 ____sys_recvmsg+0x269/0x2b0 net/socket.c:1019
 ___sys_recvmsg+0xe6/0x260 net/socket.c:2764
 do_recvmmsg+0x1a5/0x470 net/socket.c:2858
 __do_sys_recvmmsg net/socket.c:2937 [inline]
 __se_sys_recvmmsg net/socket.c:2953 [inline]
 __x64_sys_recvmmsg+0xa6/0x130 net/socket.c:2953
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f9af58fc6a9
Code: 5c c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 37 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007f9af4c08cd8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000006bc050 RCX: 00007f9af58fc6a9
RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000f00 R11: 0000000000000246 R12: 00000000006bc05c
R13: fffffffffffffea8 R14: 00000000006bc050 R15: 000000000001fe40
 </TASK>

mptcp_recvmsg is allowed to release the msk socket lock when
blocking, and before re-acquiring it another thread could have
switched the sock to TCP_LISTEN status - with a prior
connect(AF_UNSPEC) - also clearing icsk_ack.rcv_mss.

Address the issue preventing the disconnect if some other process is
concurrently performing a blocking syscall on the same socket, alike
commit 4faeee0cf8 ("tcp: deny tcp_disconnect() when threads are waiting").

Fixes: a6b118febb ("mptcp: add receive buffer auto-tuning")
Cc: stable@vger.kernel.org
Reported-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/404
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Tested-by: Christoph Paasch <cpaasch@apple.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-21 22:44:54 -07:00
..
bpf.c bpf: Add bpf_skc_to_mptcp_sock_proto 2022-05-20 15:29:00 -07:00
crypto_test.c mptcp: move crypto test to KUNIT 2020-06-26 16:21:39 -07:00
crypto.c kunit: mptcp: adhere to KUNIT formatting standard 2021-04-16 17:10:40 -07:00
ctrl.c mptcp: Add a per-namespace sysctl to set the default path manager type 2022-04-29 17:25:14 -07:00
diag.c mptcp: allow dumping subflow context to userspace 2020-03-29 22:14:48 -07:00
fastopen.c mptcp: fix NULL pointer dereference on fastopen early fallback 2023-04-13 09:58:55 -07:00
Kconfig kunit: mptcp: adhere to KUNIT formatting standard 2021-04-16 17:10:40 -07:00
Makefile mptcp: implement delayed seq generation for passive fastopen 2022-11-29 20:24:25 -08:00
mib.c mptcp: add more offered MIBs counter 2022-05-05 19:00:16 -07:00
mib.h mptcp: add more offered MIBs counter 2022-05-05 19:00:16 -07:00
mptcp_diag.c tcp: Access &tcp_hashinfo via net. 2022-09-20 10:21:49 -07:00
options.c mptcp: remove unused 'remaining' variable 2023-04-17 08:25:33 +01:00
pm_netlink.c mptcp: only send RM_ADDR in nl_cmd_remove 2023-06-05 15:15:57 +01:00
pm_userspace.c mptcp: update userspace pm infos 2023-06-05 15:15:57 +01:00
pm.c mptcp: update userspace pm infos 2023-06-05 15:15:57 +01:00
protocol.c mptcp: fix possible divide by zero in recvmsg() 2023-06-21 22:44:54 -07:00
protocol.h mptcp: only send RM_ADDR in nl_cmd_remove 2023-06-05 15:15:57 +01:00
sockopt.c mptcp: move first subflow allocation at mpc access time 2023-04-17 08:18:34 +01:00
subflow.c mptcp: consolidate passive msk socket initialization 2023-06-01 10:04:04 -07:00
syncookies.c mptcp: don't return sockets in foreign netns 2021-09-24 10:51:36 +01:00
token_test.c mptcp: init sk->sk_prot in build_msk() 2023-01-09 07:30:50 +00:00
token.c mptcp: add statistics for mptcp socket in use 2023-01-09 07:30:50 +00:00