From: Greg Kroah-Hartman Date: Tue, 19 Nov 2024 13:12:22 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.12.1~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7bf4e02c0cf768de918ebd21547af2c26694a3e8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: mptcp-cope-racing-subflow-creation-in-mptcp_rcv_space_adjust.patch --- diff --git a/queue-5.15/mptcp-cope-racing-subflow-creation-in-mptcp_rcv_space_adjust.patch b/queue-5.15/mptcp-cope-racing-subflow-creation-in-mptcp_rcv_space_adjust.patch new file mode 100644 index 00000000000..8735c118ac3 --- /dev/null +++ b/queue-5.15/mptcp-cope-racing-subflow-creation-in-mptcp_rcv_space_adjust.patch 
@@ -0,0 +1,48 @@ +From ce7356ae35943cc6494cc692e62d51a734062b7d Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Fri, 8 Nov 2024 11:58:17 +0100 +Subject: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust + +From: Paolo Abeni + +commit ce7356ae35943cc6494cc692e62d51a734062b7d upstream. + +Additional active subflows - i.e. created by the in kernel path +manager - are included into the subflow list before starting the +3whs. + +A racing recvmsg() spooling data received on an already established +subflow would unconditionally call tcp_cleanup_rbuf() on all the +current subflows, potentially hitting a divide by zero error on +the newly created ones. + +Explicitly check that the subflow is in a suitable state before +invoking tcp_cleanup_rbuf(). + +Fixes: c76c6956566f ("mptcp: call tcp_cleanup_rbuf on subflows") +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/02374660836e1b52afc91966b7535c8c5f7bafb0.1731060874.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +[ Conflicts in protocol.c, because commit f410cbea9f3d ("tcp: annotate + data-races around tp->window_clamp") has not been backported to this + version. The conflict is easy to resolve, because only the context is + different, but not the line to modify. ] +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1986,7 +1986,8 @@ static void mptcp_rcv_space_adjust(struc + slow = lock_sock_fast(ssk); + WRITE_ONCE(ssk->sk_rcvbuf, rcvbuf); + tcp_sk(ssk)->window_clamp = window_clamp; +- tcp_cleanup_rbuf(ssk, 1); ++ if (tcp_can_send_ack(ssk)) ++ tcp_cleanup_rbuf(ssk, 1); + unlock_sock_fast(ssk, slow); + } + } diff --git a/queue-5.15/series b/queue-5.15/series index 32de14e5ee2..699dbb78895 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -25,3 +25,4 @@ nfsd-async-copy-result-needs-to-return-a-write-verifier.patch nfsd-limit-the-number-of-concurrent-async-copy-operations.patch nfsd-initialize-struct-nfsd4_copy-earlier.patch nfsd-never-decrement-pending_async_copies-on-error.patch +mptcp-cope-racing-subflow-creation-in-mptcp_rcv_space_adjust.patch
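Review bot: In the net/mptcp/protocol.c hunk in mptcp_rcv_space_adjust(), the new tcp_can_send_ack(ssk) check covers only tcp_cleanup_rbuf(ssk, 1). The WRITE_ONCE(ssk->sk_rcvbuf, rcvbuf) and tcp_sk(ssk)->window_clamp = window_clamp lines just above it still run on subflows that, per the commit message, are already in the list before the 3whs starts. If that is intended, so that a new subflow picks up the adjusted values once it is established, a short comment above the check should say so. It should also record why the guard exists, because the divide-by-zero reasoning currently lives only in the commit message. Something like /* subflows are listed before the 3whs completes; skip the ack path on those */ would be enough. The backport note says only the context differs from upstream, which is consistent with the single modified line shown here.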