diff options
author | Paolo Abeni <pabeni@redhat.com> | 2021-05-28 01:31:37 +0200 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2021-05-28 22:51:39 +0200 |
commit | b5941f066b4ca331db225a976dae1d6ca8cf0ae3 (patch) | |
tree | b6fa9bcf8c7680ae478f77f611f2fcf94df7cc13 /net/mptcp/subflow.c | |
parent | Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf (diff) | |
download | linux-b5941f066b4ca331db225a976dae1d6ca8cf0ae3.tar.xz linux-b5941f066b4ca331db225a976dae1d6ca8cf0ae3.zip |
mptcp: fix sk_forward_memory corruption on retransmission
MPTCP sk_forward_memory handling is a bit special, as such field
is protected by the msk socket spin_lock, instead of the plain
socket lock.
Currently we have a code path updating such field without handling
the relevant lock:
__mptcp_retrans() -> __mptcp_clean_una_wakeup()
Several helpers in __mptcp_clean_una_wakeup() will update
sk_forward_alloc, possibly causing such field corruption, as reported
by Matthieu.
Address the issue providing and using a new variant of blamed function
which explicitly acquires the msk spin lock.
Fixes: 64b9cea7a0af ("mptcp: fix spurious retransmissions")
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/172
Reported-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Tested-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/mptcp/subflow.c')
0 files changed, 0 insertions, 0 deletions