diff options
| author | David S. Miller <davem@davemloft.net> | 2022-01-07 11:29:45 +0000 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2022-01-07 11:29:45 +0000 |
| commit | fff63521cd6e197738db9297076d83b4081ac80f (patch) | |
| tree | f1b43abcd3191f0c8ef1238b6e546bac231370a2 | |
| parent | 14676c04783c6363b71072c01b42bb7838eb56eb (diff) | |
| parent | 269bda9e7da48eafb599d01c96199caa2f7547e5 (diff) | |
| download | mac80211-next-fff63521cd6e197738db9297076d83b4081ac80f.tar.gz | |
Merge branch 'mptcp-fixes'
Mat Martineau says:
====================
mptcp: Fixes for buffer reclaim and option writing
Here are three fixes dealing with a syzkaller crash MPTCP triggers in
the memory manager in 5.16-rc8, and some option writing problems.
Patches 1 and 2 fix some corner cases in MPTCP option writing.
Patch 3 addresses a crash that syzkaller found a way to trigger in the mm
subsystem by passing an invalid value to __sk_mem_reduce_allocated().
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/mptcp/options.c | 10 | ||||
| -rw-r--r-- | net/mptcp/protocol.c | 4 |
2 files changed, 10 insertions, 4 deletions
diff --git a/net/mptcp/options.c b/net/mptcp/options.c index fe98e4f475baa4..6661b1d6520f17 100644 --- a/net/mptcp/options.c +++ b/net/mptcp/options.c @@ -821,10 +821,13 @@ bool mptcp_established_options(struct sock *sk, struct sk_buff *skb, if (mptcp_established_options_mp(sk, skb, snd_data_fin, &opt_size, remaining, opts)) ret = true; else if (mptcp_established_options_dss(sk, skb, snd_data_fin, &opt_size, remaining, opts)) { + unsigned int mp_fail_size; + ret = true; - if (mptcp_established_options_mp_fail(sk, &opt_size, remaining, opts)) { - *size += opt_size; - remaining -= opt_size; + if (mptcp_established_options_mp_fail(sk, &mp_fail_size, + remaining - opt_size, opts)) { + *size += opt_size + mp_fail_size; + remaining -= opt_size - mp_fail_size; return true; } } @@ -1316,6 +1319,7 @@ void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp, put_unaligned_be32(mpext->data_len << 16 | TCPOPT_NOP << 8 | TCPOPT_NOP, ptr); } + ptr += 1; } } else if (OPTIONS_MPTCP_MPC & opts->suboptions) { u8 len, flag = MPTCP_CAP_HMAC_SHA256; diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 54613f5b752171..0cd55e4c30fab8 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -972,7 +972,9 @@ static void __mptcp_mem_reclaim_partial(struct sock *sk) lockdep_assert_held_once(&sk->sk_lock.slock); - __mptcp_rmem_reclaim(sk, reclaimable - 1); + if (reclaimable > SK_MEM_QUANTUM) + __mptcp_rmem_reclaim(sk, reclaimable - 1); + sk_mem_reclaim_partial(sk); } |