Here are 4 unrelated patches:
- Patch 1: fix a NULL pointer when two SYN-ACK for the same request are handled in parallel. A fix for up to v5.9.
- Patch 2: selftests: fix check for the wrong FD. A fix for up to v5.17.
- Patch 3: selftests: close all FDs in case of error. A fix for up to v5.17.
- Patch 4: selftests: ignore a new generated file. A fix for 6.15-rc0.
Signed-off-by: Matthieu Baerts (NGI0) matttbe@kernel.org --- Cong Liu (1): selftests: mptcp: fix incorrect fd checks in main_loop
Gang Yan (1): mptcp: fix NULL pointer in can_accept_new_subflow
Geliang Tang (1): selftests: mptcp: close fd_in before returning in main_loop
Matthieu Baerts (NGI0) (1): selftests: mptcp: ignore mptcp_diag binary
net/mptcp/subflow.c | 15 ++++++++------- tools/testing/selftests/net/mptcp/.gitignore | 1 + tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +++++++---- 3 files changed, 16 insertions(+), 11 deletions(-) --- base-commit: 2ea396448f26d0d7d66224cb56500a6789c7ed07 change-id: 20250328-net-mptcp-misc-fixes-6-15-98bfbeaa15ac
Best regards,
From: Gang Yan yangang@kylinos.cn
When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.
Call trace:
mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./net/mptcp/subflow.c:854) tcp_check_req (./net/ipv4/tcp_minisocks.c:863) tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) ip_local_deliver_finish (./net/ipv4/ip_input.c:234) ip_local_deliver (./net/ipv4/ip_input.c:254) ip_rcv_finish (./net/ipv4/ip_input.c:449) ...
According to the debug log, the same req received two SYN-ACK in a very short time, very likely because the client retransmits the syn ack due to multiple reasons.
Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently). The 'subflow_req->msk' ownership is transferred to the subflow the first, and there will be a risk of a null pointer dereference here.
This patch fixes this issue by moving the 'subflow_req->msk' under the `own_req == true` conditional.
Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to.
Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use") Cc: stable@vger.kernel.org Suggested-by: Paolo Abeni pabeni@redhat.com Signed-off-by: Gang Yan yangang@kylinos.cn Reviewed-by: Matthieu Baerts (NGI0) matttbe@kernel.org Signed-off-by: Matthieu Baerts (NGI0) matttbe@kernel.org --- net/mptcp/subflow.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index efe8d86496dbd06a3c4cae6ffc6462e43e42c959..409bd415ef1d190d5599658d01323ad8c8a9be93 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -754,8 +754,6 @@ static bool subflow_hmac_valid(const struct request_sock *req,
subflow_req = mptcp_subflow_rsk(req); msk = subflow_req->msk; - if (!msk) - return false;
subflow_generate_hmac(READ_ONCE(msk->remote_key), READ_ONCE(msk->local_key), @@ -850,12 +848,8 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
} else if (subflow_req->mp_join) { mptcp_get_options(skb, &mp_opt); - if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_ACK) || - !subflow_hmac_valid(req, &mp_opt) || - !mptcp_can_accept_new_subflow(subflow_req->msk)) { - SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC); + if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_ACK)) fallback = true; - } }
create_child: @@ -905,6 +899,13 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, goto dispose_child; }
+ if (!subflow_hmac_valid(req, &mp_opt) || + !mptcp_can_accept_new_subflow(subflow_req->msk)) { + SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC); + subflow_add_reset_reason(skb, MPTCP_RST_EPROHIBIT); + goto dispose_child; + } + /* move the msk reference ownership to the subflow */ subflow_req->msk = NULL; ctx->conn = (struct sock *)owner;
From: Cong Liu liucong2@kylinos.cn
Fix a bug where the code was checking the wrong file descriptors when opening the input files. The code was checking 'fd' instead of 'fd_in', which could lead to incorrect error handling.
Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests") Cc: stable@vger.kernel.org Fixes: ca7ae8916043 ("selftests: mptcp: mptfo Initiator/Listener") Co-developed-by: Geliang Tang geliang@kernel.org Signed-off-by: Geliang Tang geliang@kernel.org Signed-off-by: Cong Liu liucong2@kylinos.cn Reviewed-by: Matthieu Baerts (NGI0) matttbe@kernel.org Signed-off-by: Matthieu Baerts (NGI0) matttbe@kernel.org --- tools/testing/selftests/net/mptcp/mptcp_connect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/net/mptcp/mptcp_connect.c b/tools/testing/selftests/net/mptcp/mptcp_connect.c index d240d02fa443a1cd802f0e705ab36db5c22063a8..893dc36b12f607bec56a41c9961eff272a7837c7 100644 --- a/tools/testing/selftests/net/mptcp/mptcp_connect.c +++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c @@ -1270,7 +1270,7 @@ int main_loop(void)
if (cfg_input && cfg_sockopt_types.mptfo) { fd_in = open(cfg_input, O_RDONLY); - if (fd < 0) + if (fd_in < 0) xerror("can't open %s:%d", cfg_input, errno); }
@@ -1293,7 +1293,7 @@ int main_loop(void)
if (cfg_input && !cfg_sockopt_types.mptfo) { fd_in = open(cfg_input, O_RDONLY); - if (fd < 0) + if (fd_in < 0) xerror("can't open %s:%d", cfg_input, errno); }
From: Geliang Tang tanggeliang@kylinos.cn
The file descriptor 'fd_in' is opened when cfg_input is configured, but not closed in main_loop(), this patch fixes it.
Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests") Cc: stable@vger.kernel.org Co-developed-by: Cong Liu liucong2@kylinos.cn Signed-off-by: Cong Liu liucong2@kylinos.cn Signed-off-by: Geliang Tang tanggeliang@kylinos.cn Reviewed-by: Matthieu Baerts (NGI0) matttbe@kernel.org Signed-off-by: Matthieu Baerts (NGI0) matttbe@kernel.org --- tools/testing/selftests/net/mptcp/mptcp_connect.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/net/mptcp/mptcp_connect.c b/tools/testing/selftests/net/mptcp/mptcp_connect.c index 893dc36b12f607bec56a41c9961eff272a7837c7..c83a8b47bbdfa5fcf1462e2b2949b41fd32c9b14 100644 --- a/tools/testing/selftests/net/mptcp/mptcp_connect.c +++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c @@ -1299,7 +1299,7 @@ int main_loop(void)
ret = copyfd_io(fd_in, fd, 1, 0, &winfo); if (ret) - return ret; + goto out;
if (cfg_truncate > 0) { shutdown(fd, SHUT_WR); @@ -1320,7 +1320,10 @@ int main_loop(void) close(fd); }
- return 0; +out: + if (cfg_input) + close(fd_in); + return ret; }
int parse_proto(const char *proto)
Hello:
This series was applied to netdev/net.git (main) by Jakub Kicinski kuba@kernel.org:
On Fri, 28 Mar 2025 15:27:15 +0100 you wrote:
Here are 4 unrelated patches:
Patch 1: fix a NULL pointer when two SYN-ACK for the same request are handled in parallel. A fix for up to v5.9.
Patch 2: selftests: fix check for the wrong FD. A fix for up to v5.17.
[...]
Here is the summary with links: - [net,1/4] mptcp: fix NULL pointer in can_accept_new_subflow https://git.kernel.org/netdev/net/c/443041deb5ef - [net,2/4] selftests: mptcp: fix incorrect fd checks in main_loop https://git.kernel.org/netdev/net/c/7335d4ac8129 - [net,3/4] selftests: mptcp: close fd_in before returning in main_loop https://git.kernel.org/netdev/net/c/c183165f87a4 - [net,4/4] selftests: mptcp: ignore mptcp_diag binary https://git.kernel.org/netdev/net/c/b44a4c28228f
You are awesome, thank you!
linux-stable-mirror@lists.linaro.org