[PATCH 5.7 110/163] mptcp: fix races between shutdown and recvmsg

From: Greg Kroah-Hartman
Date: Tue Jun 16 2020 - 11:46:36 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.7 114/163] net/mlx5e: CT: Fix ipv6 nat header rewrite actions"
Previous message: Greg Kroah-Hartman: "[PATCH 5.7 109/163] ionic: wait on queue start until after IFF_UP"
In reply to: Greg Kroah-Hartman: "[PATCH 5.7 109/163] ionic: wait on queue start until after IFF_UP"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.7 114/163] net/mlx5e: CT: Fix ipv6 nat header rewrite actions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paolo Abeni <pabeni@xxxxxxxxxx>

[ Upstream commit 5969856ae8ce29c9d523a1a6145cbd9e87f7046c ]

The msk sk_shutdown flag is set by a workqueue, possibly
introducing some delay in user-space notification. If the last
subflow carries some data with the fin packet, the user space
can wake-up before RCV_SHUTDOWN is set. If it executes unblocking
recvmsg(), it may return with an error instead of eof.

Address the issue explicitly checking for eof in recvmsg(), when
no data is found.

Fixes: 59832e246515 ("mptcp: subflow: check parent mptcp socket on subflow state change")
Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
Reviewed-by: Matthieu Baerts <matthieu.baerts@xxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/mptcp/protocol.c | 45 ++++++++++++++++++++++++---------------------
1 file changed, 24 insertions(+), 21 deletions(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -357,6 +357,27 @@ void mptcp_subflow_eof(struct sock *sk)
sock_hold(sk);
}

+static void mptcp_check_for_eof(struct mptcp_sock *msk)
+{
+ struct mptcp_subflow_context *subflow;
+ struct sock *sk = (struct sock *)msk;
+ int receivers = 0;
+
+ mptcp_for_each_subflow(msk, subflow)
+ receivers += !subflow->rx_eof;
+
+ if (!receivers && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
+ /* hopefully temporary hack: propagate shutdown status
+ * to msk, when all subflows agree on it
+ */
+ sk->sk_shutdown |= RCV_SHUTDOWN;
+
+ smp_mb__before_atomic(); /* SHUTDOWN must be visible first */
+ set_bit(MPTCP_DATA_READY, &msk->flags);
+ sk->sk_data_ready(sk);
+ }
+}
+
static void mptcp_stop_timer(struct sock *sk)
{
struct inet_connection_sock *icsk = inet_csk(sk);
@@ -933,6 +954,9 @@ fallback:
break;
}

+ if (test_and_clear_bit(MPTCP_WORK_EOF, &msk->flags))
+ mptcp_check_for_eof(msk);
+
if (sk->sk_shutdown & RCV_SHUTDOWN)
break;

@@ -1070,27 +1094,6 @@ static unsigned int mptcp_sync_mss(struc
return 0;
}

-static void mptcp_check_for_eof(struct mptcp_sock *msk)
-{
- struct mptcp_subflow_context *subflow;
- struct sock *sk = (struct sock *)msk;
- int receivers = 0;
-
- mptcp_for_each_subflow(msk, subflow)
- receivers += !subflow->rx_eof;
-
- if (!receivers && !(sk->sk_shutdown & RCV_SHUTDOWN)) {
- /* hopefully temporary hack: propagate shutdown status
- * to msk, when all subflows agree on it
- */
- sk->sk_shutdown |= RCV_SHUTDOWN;
-
- smp_mb__before_atomic(); /* SHUTDOWN must be visible first */
- set_bit(MPTCP_DATA_READY, &msk->flags);
- sk->sk_data_ready(sk);
- }
-}
-
static void mptcp_worker(struct work_struct *work)
{
struct mptcp_sock *msk = container_of(work, struct mptcp_sock, work);

Next message: Greg Kroah-Hartman: "[PATCH 5.7 114/163] net/mlx5e: CT: Fix ipv6 nat header rewrite actions"
Previous message: Greg Kroah-Hartman: "[PATCH 5.7 109/163] ionic: wait on queue start until after IFF_UP"
In reply to: Greg Kroah-Hartman: "[PATCH 5.7 109/163] ionic: wait on queue start until after IFF_UP"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.7 114/163] net/mlx5e: CT: Fix ipv6 nat header rewrite actions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]