git.baikalelectronics.ru Git - kernel.git/commit
mptcp: fix infinite loop on recvmsg()/worker() race.
author Paolo Abeni <pabeni@redhat.com>
Tue, 6 Oct 2020 06:27:34 +0000 (08:27 +0200)
committer Jakub Kicinski <kuba@kernel.org>
Fri, 9 Oct 2020 00:24:04 +0000 (17:24 -0700)
commit 385d00eeb6ce5b4cb0fdce776001159a2f1249c9
tree ea28f4211367233c1b9cc584930d32070b635750
parent ed5233dcc8bba7050c5b28e9407cbf3f4ff8995b

If recvmsg() and the workqueue race to dequeue the data
pending on some subflow, the current mapping for such
subflow covers several skbs and some of them have not
reached yet the received, either the worker or recvmsg()
can find a subflow with the data_avail flag set - since
the current mapping is valid and in sequence - but no
skbs in the receive queue - since the other entity just
processed them.

The above will lead to an unbounded loop in __mptcp_move_skbs()
and a subsequent hang of any task trying to acquire the msk
socket lock.

This change addresses the issue by stopping the __mptcp_move_skbs()
loop as soon as we detect the above race (empty receive queue
with data_avail set).

Reported-and-tested-by: syzbot+fcf8ca5817d6e92c6567@syzkaller.appspotmail.com
Fixes: 00a56791f4a8 ("mptcp: move ooo skbs into msk out of order queue.")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/mptcp/protocol.c