Commit fff63521 authored by David S. Miller

Merge branch 'mptcp-fixes'



Mat Martineau says:

====================
mptcp: Fixes for buffer reclaim and option writing

Here are three fixes dealing with a syzkaller crash MPTCP triggers in
the memory manager in 5.16-rc8, and some option writing problems.

Patches 1 and 2 fix some corner cases in MPTCP option writing.

Patch 3 addresses a crash that syzkaller found a way to trigger in the mm
subsystem by passing an invalid value to __sk_mem_reduce_allocated().
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 14676c04 269bda9e
+7 −3
@@ -821,10 +821,13 @@ bool mptcp_established_options(struct sock *sk, struct sk_buff *skb,
	if (mptcp_established_options_mp(sk, skb, snd_data_fin, &opt_size, remaining, opts))
		ret = true;
	else if (mptcp_established_options_dss(sk, skb, snd_data_fin, &opt_size, remaining, opts)) {
		unsigned int mp_fail_size;

		ret = true;
		if (mptcp_established_options_mp_fail(sk, &opt_size, remaining, opts)) {
			*size += opt_size;
			remaining -= opt_size;
		if (mptcp_established_options_mp_fail(sk, &mp_fail_size,
						      remaining - opt_size, opts)) {
			*size += opt_size + mp_fail_size;
			remaining -= opt_size - mp_fail_size;
			return true;
		}
	}
@@ -1316,6 +1319,7 @@ void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp,
				put_unaligned_be32(mpext->data_len << 16 |
						   TCPOPT_NOP << 8 | TCPOPT_NOP, ptr);
			}
			ptr += 1;
		}
	} else if (OPTIONS_MPTCP_MPC & opts->suboptions) {
		u8 len, flag = MPTCP_CAP_HMAC_SHA256;
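Review bot: In the first hunk, `remaining -= opt_size - mp_fail_size;` subtracts the difference of the two sizes, while the line just above adds their sum to `*size`; the two look meant to mirror each other, so this should presumably read `remaining -= opt_size + mp_fail_size;`. As far as the hunk shows, `return true` follows immediately and `remaining` is not read again, so the slip has no effect today. It would under-count the consumed TCP option space if later code on this path started using `remaining`, so dropping the assignment altogether is the other clean option. The new call also passes `remaining - opt_size`, which, if these are unsigned like `mp_fail_size`, relies on mptcp_established_options_dss() having already confirmed that `opt_size` fits in `remaining`. That check and the rest of mptcp_established_options() lie outside the hunk.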
+3 −1
@@ -972,7 +972,9 @@ static void __mptcp_mem_reclaim_partial(struct sock *sk)

	lockdep_assert_held_once(&sk->sk_lock.slock);

	if (reclaimable > SK_MEM_QUANTUM)
		__mptcp_rmem_reclaim(sk, reclaimable - 1);

	sk_mem_reclaim_partial(sk);
}
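Review bot: The new `if (reclaimable > SK_MEM_QUANTUM)` test has no comment saying which values it is there to exclude, and `reclaimable` is computed above the hunk, so a reader cannot tell from here whether it can be zero or negative. The merge description ties the syzkaller crash to an invalid value reaching __sk_mem_reduce_allocated(), which suggests this guard is the input validation for that path. A one-line comment above the test, such as `/* skip unless more than one quantum is reclaimable, so no invalid amount is passed down */`, would keep that reasoning next to the code. It would also help to say why the amount passed is `reclaimable - 1` rather than `reclaimable`.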