From: Greg Kroah-Hartman Date: Mon, 6 Jan 2025 12:30:04 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v5.4.289~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bb881becb750b4cd6072074b4f42f34893d55a25;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: mptcp-don-t-always-assume-copied-data-in-mptcp_cleanup_rbuf.patch mptcp-fix-recvbuffer-adjust-on-sleeping-rcvmsg.patch mptcp-fix-tcp-options-overflow.patch mptcp-prevent-excessive-coalescing-on-receive.patch --- diff --git a/queue-6.12/mptcp-don-t-always-assume-copied-data-in-mptcp_cleanup_rbuf.patch b/queue-6.12/mptcp-don-t-always-assume-copied-data-in-mptcp_cleanup_rbuf.patch new file mode 100644 index 00000000000..78d58f49816 --- /dev/null +++ b/queue-6.12/mptcp-don-t-always-assume-copied-data-in-mptcp_cleanup_rbuf.patch @@ -0,0 +1,100 @@ +From 551844f26da2a9f76c0a698baaffa631d1178645 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Mon, 30 Dec 2024 19:12:31 +0100 +Subject: mptcp: don't always assume copied data in mptcp_cleanup_rbuf() + +From: Paolo Abeni + +commit 551844f26da2a9f76c0a698baaffa631d1178645 upstream. + +Under some corner cases the MPTCP protocol can end-up invoking +mptcp_cleanup_rbuf() when no data has been copied, but such helper +assumes the opposite condition. + +Explicitly drop such assumption and performs the costly call only +when strictly needed - before releasing the msk socket lock. + +Fixes: fd8976790a6c ("mptcp: be careful on MPTCP-level ack.") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20241230-net-mptcp-rbuf-fixes-v1-2-8608af434ceb@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -528,13 +528,13 @@ static void mptcp_send_ack(struct mptcp_ + mptcp_subflow_send_ack(mptcp_subflow_tcp_sock(subflow)); + } + +-static void mptcp_subflow_cleanup_rbuf(struct sock *ssk) ++static void mptcp_subflow_cleanup_rbuf(struct sock *ssk, int copied) + { + bool slow; + + slow = lock_sock_fast(ssk); + if (tcp_can_send_ack(ssk)) +- tcp_cleanup_rbuf(ssk, 1); ++ tcp_cleanup_rbuf(ssk, copied); + unlock_sock_fast(ssk, slow); + } + +@@ -551,7 +551,7 @@ static bool mptcp_subflow_could_cleanup( + (ICSK_ACK_PUSHED2 | ICSK_ACK_PUSHED))); + } + +-static void mptcp_cleanup_rbuf(struct mptcp_sock *msk) ++static void mptcp_cleanup_rbuf(struct mptcp_sock *msk, int copied) + { + int old_space = READ_ONCE(msk->old_wspace); + struct mptcp_subflow_context *subflow; +@@ -559,14 +559,14 @@ static void mptcp_cleanup_rbuf(struct mp + int space = __mptcp_space(sk); + bool cleanup, rx_empty; + +- cleanup = (space > 0) && (space >= (old_space << 1)); +- rx_empty = !__mptcp_rmem(sk); ++ cleanup = (space > 0) && (space >= (old_space << 1)) && copied; ++ rx_empty = !__mptcp_rmem(sk) && copied; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + + if (cleanup || mptcp_subflow_could_cleanup(ssk, rx_empty)) +- mptcp_subflow_cleanup_rbuf(ssk); ++ mptcp_subflow_cleanup_rbuf(ssk, copied); + } + } + +@@ -2220,9 +2220,6 @@ static int mptcp_recvmsg(struct sock *sk + + copied += bytes_read; + +- /* be sure to advertise window change */ +- mptcp_cleanup_rbuf(msk); +- + if (skb_queue_empty(&msk->receive_queue) && __mptcp_move_skbs(msk)) + continue; + +@@ -2271,6 +2268,7 @@ static int mptcp_recvmsg(struct sock *sk + } + + pr_debug("block timeout %ld\n", timeo); ++ mptcp_cleanup_rbuf(msk, copied); + err = sk_wait_data(sk, &timeo, NULL); + if (err < 0) { + err = copied ? : err; +@@ -2278,6 +2276,8 @@ static int mptcp_recvmsg(struct sock *sk + } + } + ++ mptcp_cleanup_rbuf(msk, copied); ++ + out_err: + if (cmsg_flags && copied >= 0) { + if (cmsg_flags & MPTCP_CMSG_TS) diff --git a/queue-6.12/mptcp-fix-recvbuffer-adjust-on-sleeping-rcvmsg.patch b/queue-6.12/mptcp-fix-recvbuffer-adjust-on-sleeping-rcvmsg.patch new file mode 100644 index 00000000000..3f12fc536ab --- /dev/null +++ b/queue-6.12/mptcp-fix-recvbuffer-adjust-on-sleeping-rcvmsg.patch @@ -0,0 +1,69 @@ +From 449e6912a2522af672e99992e1201a454910864e Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Mon, 30 Dec 2024 19:12:30 +0100 +Subject: mptcp: fix recvbuffer adjust on sleeping rcvmsg + +From: Paolo Abeni + +commit 449e6912a2522af672e99992e1201a454910864e upstream. + +If the recvmsg() blocks after receiving some data - i.e. due to +SO_RCVLOWAT - the MPTCP code will attempt multiple times to +adjust the receive buffer size, wrongly accounting every time the +cumulative of received data - instead of accounting only for the +delta. + +Address the issue moving mptcp_rcv_space_adjust just after the +data reception and passing it only the just received bytes. + +This also removes an unneeded difference between the TCP and MPTCP +RX code path implementation. + +Fixes: 581302298524 ("mptcp: error out earlier on disconnect") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20241230-net-mptcp-rbuf-fixes-v1-1-8608af434ceb@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1939,6 +1939,8 @@ do_error: + goto out; + } + ++static void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied); ++ + static int __mptcp_recvmsg_mskq(struct mptcp_sock *msk, + struct msghdr *msg, + size_t len, int flags, +@@ -1992,6 +1994,7 @@ static int __mptcp_recvmsg_mskq(struct m + break; + } + ++ mptcp_rcv_space_adjust(msk, copied); + return copied; + } + +@@ -2268,7 +2271,6 @@ static int mptcp_recvmsg(struct sock *sk + } + + pr_debug("block timeout %ld\n", timeo); +- mptcp_rcv_space_adjust(msk, copied); + err = sk_wait_data(sk, &timeo, NULL); + if (err < 0) { + err = copied ? : err; +@@ -2276,8 +2278,6 @@ static int mptcp_recvmsg(struct sock *sk + } + } + +- mptcp_rcv_space_adjust(msk, copied); +- + out_err: + if (cmsg_flags && copied >= 0) { + if (cmsg_flags & MPTCP_CMSG_TS) diff --git a/queue-6.12/mptcp-fix-tcp-options-overflow.patch b/queue-6.12/mptcp-fix-tcp-options-overflow.patch new file mode 100644 index 00000000000..39028f697af --- /dev/null +++ b/queue-6.12/mptcp-fix-tcp-options-overflow.patch @@ -0,0 +1,121 @@ +From cbb26f7d8451fe56ccac802c6db48d16240feebd Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Sat, 21 Dec 2024 09:51:46 +0100 +Subject: mptcp: fix TCP options overflow. + +From: Paolo Abeni + +commit cbb26f7d8451fe56ccac802c6db48d16240feebd upstream. + +Syzbot reported the following splat: + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 +RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] +RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 +Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83 +RSP: 0000:ffffc90003916c90 EFLAGS: 00010202 +RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000 +RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac +R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007 +R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + skb_page_unref include/linux/skbuff_ref.h:43 [inline] + __skb_frag_unref include/linux/skbuff_ref.h:56 [inline] + skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119 + skb_release_all net/core/skbuff.c:1190 [inline] + __kfree_skb+0x55/0x70 net/core/skbuff.c:1204 + tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline] + tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032 + tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805 + tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939 + tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351 + ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 + NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 + NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 + __netif_receive_skb_one_core net/core/dev.c:5672 [inline] + __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785 + process_backlog+0x662/0x15b0 net/core/dev.c:6117 + __napi_poll+0xcb/0x490 net/core/dev.c:6883 + napi_poll net/core/dev.c:6952 [inline] + net_rx_action+0x89b/0x1240 net/core/dev.c:7074 + handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 + __do_softirq kernel/softirq.c:595 [inline] + invoke_softirq kernel/softirq.c:435 [inline] + __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 + irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] + sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049 + asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 +RIP: 0033:0x7f34f4519ad5 +Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83 +RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246 +RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5 +RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0 +RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000 +R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4 +R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68 + + +Eric noted a probable shinfo->nr_frags corruption, which indeed +occurs. + +The root cause is a buggy MPTCP option len computation in some +circumstances: the ADD_ADDR option should be mutually exclusive +with DSS since the blamed commit. + +Still, mptcp_established_options_add_addr() tries to set the +relevant info in mptcp_out_options, if the remaining space is +large enough even when DSS is present. + +Since the ADD_ADDR infos and the DSS share the same union +fields, adding first corrupts the latter. In the worst-case +scenario, such corruption increases the DSS binary layout, +exceeding the computed length and possibly overwriting the +skb shared info. + +Address the issue by enforcing mutual exclusion in +mptcp_established_options_add_addr(), too. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+38a095a81f30d82884c1@syzkaller.appspotmail.com +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/538 +Fixes: 1bff1e43a30e ("mptcp: optimize out option generation") +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/025d9df8cde3c9a557befc47e9bc08fbbe3476e5.1734771049.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -667,8 +667,15 @@ static bool mptcp_established_options_ad + &echo, &drop_other_suboptions)) + return false; + ++ /* ++ * Later on, mptcp_write_options() will enforce mutually exclusion with ++ * DSS, bail out if such option is set and we can't drop it. ++ */ + if (drop_other_suboptions) + remaining += opt_size; ++ else if (opts->suboptions & OPTION_MPTCP_DSS) ++ return false; ++ + len = mptcp_add_addr_len(opts->addr.family, echo, !!opts->addr.port); + if (remaining < len) + return false; diff --git a/queue-6.12/mptcp-prevent-excessive-coalescing-on-receive.patch b/queue-6.12/mptcp-prevent-excessive-coalescing-on-receive.patch new file mode 100644 index 00000000000..f0d3bdfd183 --- /dev/null +++ b/queue-6.12/mptcp-prevent-excessive-coalescing-on-receive.patch @@ -0,0 +1,37 @@ +From 56b824eb49d6258aa0bad09a406ceac3f643cdae Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Mon, 30 Dec 2024 19:12:32 +0100 +Subject: mptcp: prevent excessive coalescing on receive + +From: Paolo Abeni + +commit 56b824eb49d6258aa0bad09a406ceac3f643cdae upstream. + +Currently the skb size after coalescing is only limited by the skb +layout (the skb must not carry frag_list). A single coalesced skb +covering several MSS can potentially fill completely the receive +buffer. In such a case, the snd win will zero until the receive buffer +will be empty again, affecting tput badly. + +Fixes: 8268ed4c9d19 ("mptcp: introduce and use mptcp_try_coalesce()") +Cc: stable@vger.kernel.org # please delay 2 weeks after 6.13-final release +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20241230-net-mptcp-rbuf-fixes-v1-3-8608af434ceb@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -136,6 +136,7 @@ static bool mptcp_try_coalesce(struct so + int delta; + + if (MPTCP_SKB_CB(from)->offset || ++ ((to->len + from->len) > (sk->sk_rcvbuf >> 3)) || + !skb_try_coalesce(to, from, &fragstolen, &delta)) + return false; + diff --git a/queue-6.12/series b/queue-6.12/series index 99624302040..b39887ecc9c 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -152,3 +152,7 @@ mm-kmemleak-fix-sleeping-function-called-from-invalid-context-at-print-message.p mm-vmscan-account-for-free-pages-to-prevent-infinite-loop-in-throttle_direct_reclaim.patch mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch mm-hugetlb-independent-pmd-page-table-shared-count.patch +mptcp-fix-tcp-options-overflow.patch +mptcp-fix-recvbuffer-adjust-on-sleeping-rcvmsg.patch +mptcp-don-t-always-assume-copied-data-in-mptcp_cleanup_rbuf.patch +mptcp-prevent-excessive-coalescing-on-receive.patch