From: Greg Kroah-Hartman Date: Mon, 29 Aug 2022 08:26:55 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.10.140~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5feeffe742008eb159e238a6cbb294592445c3ab;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: mptcp-fix-crash-due-to-tcp_tsorted_anchor-was-initialized-before-release-skb.patch --- diff --git a/queue-5.15/mptcp-fix-crash-due-to-tcp_tsorted_anchor-was-initialized-before-release-skb.patch b/queue-5.15/mptcp-fix-crash-due-to-tcp_tsorted_anchor-was-initialized-before-release-skb.patch new file mode 100644 index 00000000000..4e5a3a067b7 --- /dev/null +++ b/queue-5.15/mptcp-fix-crash-due-to-tcp_tsorted_anchor-was-initialized-before-release-skb.patch 
@@ -0,0 +1,62 @@ +From 3ef3905aa3b5b3e222ee6eb0210bfd999417a8cc Mon Sep 17 00:00:00 2001 +From: Yonglong Li +Date: Thu, 17 Mar 2022 15:09:53 -0700 +Subject: mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb + +From: Yonglong Li + +commit 3ef3905aa3b5b3e222ee6eb0210bfd999417a8cc upstream. + +Got crash when doing pressure test of mptcp: + +=========================================================================== +dst_release: dst:ffffa06ce6e5c058 refcnt:-1 +kernel tried to execute NX-protected page - exploit attempt? (uid: 0) +BUG: unable to handle kernel paging request at ffffa06ce6e5c058 +PGD 190a01067 P4D 190a01067 PUD 43fffb067 PMD 22e403063 PTE 8000000226e5c063 +Oops: 0011 [#1] SMP PTI +CPU: 7 PID: 7823 Comm: kworker/7:0 Kdump: loaded Tainted: G E +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.2.1 04/01/2014 +Call Trace: + ? skb_release_head_state+0x68/0x100 + ? skb_release_all+0xe/0x30 + ? kfree_skb+0x32/0xa0 + ? mptcp_sendmsg_frag+0x57e/0x750 + ? __mptcp_retrans+0x21b/0x3c0 + ? __switch_to_asm+0x35/0x70 + ? mptcp_worker+0x25e/0x320 + ? process_one_work+0x1a7/0x360 + ? worker_thread+0x30/0x390 + ? create_worker+0x1a0/0x1a0 + ? kthread+0x112/0x130 + ? kthread_flush_work_fn+0x10/0x10 + ? ret_from_fork+0x35/0x40 +=========================================================================== + +In __mptcp_alloc_tx_skb skb was allocated and skb->tcp_tsorted_anchor will +be initialized, in under memory pressure situation sk_wmem_schedule will +return false and then kfree_skb. In this case skb->_skb_refdst is not null +because_skb_refdst and tcp_tsorted_anchor are stored in the same mem, and +kfree_skb will try to release dst and cause crash. 
+ +Fixes: f70cad1085d1 ("mptcp: stop relying on tcp_tx_skb_cache") +Reviewed-by: Paolo Abeni +Signed-off-by: Yonglong Li +Signed-off-by: Mat Martineau +Link: https://lore.kernel.org/r/20220317220953.426024-1-mathew.j.martineau@linux.intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1246,6 +1246,7 @@ static struct sk_buff *__mptcp_alloc_tx_ + tcp_skb_entail(ssk, skb); + return skb; + } ++ tcp_skb_tsorted_anchor_cleanup(skb); + kfree_skb(skb); + return NULL; + } diff --git a/queue-5.15/series b/queue-5.15/series index f1ce32cceb2..5af2c958ada 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -121,3 +121,4 @@ revert-usbnet-smsc95xx-forward-phy-interrupts-to-phy-driver-to-avoid-polling.pat mm-hugetlb-fix-hugetlb-not-supporting-softdirty-tracking.patch revert-md-raid-destroy-the-bitmap-after-destroying-the-thread.patch md-call-__md_stop_writes-in-md_stop.patch +mptcp-fix-crash-due-to-tcp_tsorted_anchor-was-initialized-before-release-skb.patch
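Review bot: the added call `tcp_skb_tsorted_anchor_cleanup(skb);` before `kfree_skb(skb);` in the `__mptcp_alloc_tx_skb` hunk has no comment at the call site, and the reason it is needed is non-obvious from the code alone: as the commit message explains, `tcp_tsorted_anchor` and `_skb_refdst` share the same storage, so the list-anchor initialisation done at allocation leaves `_skb_refdst` non-zero and `kfree_skb()` then tries to release a "dst" that is really a pointer into the skb itself (the `dst_release: ... refcnt:-1` line in the trace). Suggest a one-line comment next to the call, e.g. `/* tcp_tsorted_anchor aliases _skb_refdst: clear it before kfree_skb() */`, and keeping the call ordered strictly before `kfree_skb(skb)`, since the release path is what reads the field. The success branch (`tcp_skb_entail(ssk, skb); return skb;`) is unaffected because the anchor is consumed there rather than freed.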
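The mechanism in the commit message (a list anchor initialised over the same bytes as the dst pointer, so the error path frees a bogus dst) is easy to reproduce in a small model. The following is an added example written for this page, not kernel code: `struct toy_skb` is a constructed stand-in for `struct sk_buff` that keeps only the overlapping union, `toy_kfree_skb` models just the `_skb_refdst` check in `skb_release_head_state`, and `toy_tsorted_anchor_cleanup` mirrors what `tcp_skb_tsorted_anchor_cleanup` does (zero `destructor` and `_skb_refdst`). It assumes an LP64 target where `unsigned long` is pointer-sized, as on x86_64 Linux.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the aliasing described in the commit message. In the
 * kernel's struct sk_buff, _skb_refdst and destructor sit in an anonymous
 * struct that shares a union with tcp_tsorted_anchor, so initialising the
 * list anchor writes a self-pointer over _skb_refdst. Field names mirror the
 * kernel's; the struct itself is a toy, not the kernel definition.
 */
struct list_head {
	struct list_head *next, *prev;
};

struct toy_skb {
	union {
		struct {
			unsigned long _skb_refdst;               /* dst pointer + flag bits */
			void (*destructor)(struct toy_skb *skb);
		};
		struct list_head tcp_tsorted_anchor;          /* TCP tx list anchor */
	};
	int released_bogus_dst;   /* set by toy_kfree_skb when it "releases" a dst */
};

static void INIT_LIST_HEAD(struct list_head *l)
{
	l->next = l;
	l->prev = l;
}

/* Models the allocation step in __mptcp_alloc_tx_skb: fresh skb, anchor initialised. */
static void toy_alloc_tx_skb(struct toy_skb *skb)
{
	memset(skb, 0, sizeof(*skb));
	INIT_LIST_HEAD(&skb->tcp_tsorted_anchor);
}

/* Analogue of tcp_skb_tsorted_anchor_cleanup(): zero the overlapped fields. */
static void toy_tsorted_anchor_cleanup(struct toy_skb *skb)
{
	skb->destructor = NULL;
	skb->_skb_refdst = 0UL;
}

/*
 * Models the part of kfree_skb -> skb_release_head_state that matters here:
 * a non-zero _skb_refdst is treated as a dst pointer and released. In the
 * crash above that pointer was the anchor's own address inside the skb,
 * which is why dst_release saw a nonsensical refcount and then faulted.
 */
static void toy_kfree_skb(struct toy_skb *skb)
{
	if (skb->_skb_refdst != 0UL)
		skb->released_bogus_dst = 1;
}

/* Error path as it was before the fix: returns 1 if a bogus dst release happens. */
int mptcp_alloc_failure_before_fix(void)
{
	struct toy_skb skb;
	toy_alloc_tx_skb(&skb);
	/* sk_wmem_schedule() fails under memory pressure, so the skb is freed */
	toy_kfree_skb(&skb);
	return skb.released_bogus_dst;
}

/* Same error path with the one-line fix from the hunk applied. */
int mptcp_alloc_failure_after_fix(void)
{
	struct toy_skb skb;
	toy_alloc_tx_skb(&skb);
	toy_tsorted_anchor_cleanup(&skb);
	toy_kfree_skb(&skb);
	return skb.released_bogus_dst;
}

/* Confirms the overlay: after INIT_LIST_HEAD, _skb_refdst holds the anchor's own address. */
int anchor_aliases_refdst(void)
{
	struct toy_skb skb;
	toy_alloc_tx_skb(&skb);
	return skb._skb_refdst == (unsigned long)&skb.tcp_tsorted_anchor;
}

int main(void)
{
	printf("anchor aliases _skb_refdst: %d\n", anchor_aliases_refdst());
	printf("before fix, bogus dst release: %d\n", mptcp_alloc_failure_before_fix());
	printf("after fix,  bogus dst release: %d\n", mptcp_alloc_failure_after_fix());
	return 0;
}
```

The point the model makes for reviewers of similar code: any field that lives in a union with a list or rb-tree anchor cannot be trusted to read as "unset" once the anchor has been initialised, so a free path that interprets such a field must be preceded by the matching cleanup, exactly as the hunk orders the two calls.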