lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Oct 2020 17:28:23 -0700 From: Jakub Kicinski <kuba@...nel.org> To: Paolo Abeni <pabeni@...hat.com> Cc: netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>, mptcp@...ts.01.org Subject: Re: [PATCH net-next] mptcp: fix infinite loop on recvmsg()/worker() race. On Tue, 6 Oct 2020 08:27:34 +0200 Paolo Abeni wrote: > If recvmsg() and the workqueue race to dequeue the data > pending on some subflow, the current mapping for such > subflow covers several skbs and some of them have not > reached yet the received, either the worker or recvmsg() > can find a subflow with the data_avail flag set - since > the current mapping is valid and in sequence - but no > skbs in the receive queue - since the other entity just > processed them. > > The above will lead to an unbounded loop in __mptcp_move_skbs() > and a subsequent hang of any task trying to acquiring the msk > socket lock. > > This change addresses the issue stopping the __mptcp_move_skbs() > loop as soon as we detect the above race (empty receive queue > with data_avail set). Applied, thanks!
Powered by blists - more mailing lists