From nobody Thu Nov 27 12:37:14 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2676534844B; Fri, 21 Nov 2025 09:58:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763719090; cv=none; b=Tj9mpXQ8kv5/3UqfG7P6XHJORl0N2Qq2OqtDLqf24oi6FQjjMX1kKRnYGhSEBFwV515KIyzvJdImOWJeuRZUc8evLYxhfYRctCCRDKXC5lFVPX7rVNvam0d5dkKoocHtXE4sE8rSmyZAwT5UOQjc9tqQOP0/JgXoJ6uqmi7adbA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763719090; c=relaxed/simple; bh=foIZAITlbJnMtClLNIHPb1yM8sbAba6wyWQDOCljLXo=; h=Subject:To:Cc:From:Date:In-Reply-To:Message-ID:MIME-Version: Content-Type; b=NpSTjWt2pHAHSMqezRwmMqHxisB2sWmUguVoo+qJs6VHMsjgjAhNrF3TGznY1Ya/1s7jcpk6BjfMyPNABtuWhtpA/blUYuDadsYtF/jxbvHUy5K/5PvoN1akz0ygkew4ZmRc/6S+dhCZNJy0YgdfbAj7yCfAkXmBY/hcOnuOCPU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=gmciclvs; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="gmciclvs" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E650CC116D0; Fri, 21 Nov 2025 09:58:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1763719089; bh=foIZAITlbJnMtClLNIHPb1yM8sbAba6wyWQDOCljLXo=; h=Subject:To:Cc:From:Date:In-Reply-To:From; b=gmciclvs1sD6pidoKRKvhJ6NxSRcmNnSuYJBeLDcjpdPK7TEgxgb1JzpIbS+XO9tH v94DyJODlqmptp+pJCK0eynhARXGpPdaVjG+6iY0g68Af3s7nT4kMWex2DLwJPKixZ RyUonupo/L7rRBsal0MDpBL0Q3o8KmyqrNwhKL2c= Subject: Patch "mptcp: fix MSG_PEEK stream corruption" has been added to the 6.12-stable tree To: geliang@kernel.org,gregkh@linuxfoundation.org,kuba@kernel.org,martineau@kernel.org,matttbe@kernel.org,mptcp@lists.linux.dev,pabeni@redhat.com,sashal@kernel.org Cc: From: Date: Fri, 21 Nov 2025 10:57:41 +0100 In-Reply-To: <20251104121515.1093006-2-matttbe@kernel.org> Message-ID: <2025112141-recent-lend-65b7@gregkh> Precedence: bulk X-Mailing-List: mptcp@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-stable: commit X-Patchwork-Hint: ignore Content-Type: text/plain; charset="utf-8" This is a note to let you know that I've just added the patch titled mptcp: fix MSG_PEEK stream corruption to the 6.12-stable tree which can be found at: http://www.kernel.org/git/?p=3Dlinux/kernel/git/stable/stable-queue.git= ;a=3Dsummary The filename of the patch is: mptcp-fix-msg_peek-stream-corruption.patch and it can be found in the queue-6.12 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. From stable+bounces-192373-greg=3Dkroah.com@vger.kernel.org Tue Nov 4 13:1= 7:04 2025 From: "Matthieu Baerts (NGI0)" Date: Tue, 4 Nov 2025 13:15:16 +0100 Subject: mptcp: fix MSG_PEEK stream corruption To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: MPTCP Upstream , Paolo Abeni = , Geliang Tang , Mat Martineau , = "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin Message-ID: <20251104121515.1093006-2-matttbe@kernel.org> From: Paolo Abeni [ Upstream commit 8e04ce45a8db7a080220e86e249198fa676b83dc ] If a MSG_PEEK | MSG_WAITALL read operation consumes all the bytes in the receive queue and recvmsg() need to waits for more data - i.e. it's a blocking one - upon arrival of the next packet the MPTCP protocol will start again copying the oldest data present in the receive queue, corrupting the data stream. Address the issue explicitly tracking the peeked sequence number, restarting from the last peeked byte. Fixes: ca4fb892579f ("mptcp: add MSG_PEEK support") Cc: stable@vger.kernel.org Signed-off-by: Paolo Abeni Reviewed-by: Geliang Tang Tested-by: Geliang Tang Reviewed-by: Mat Martineau Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20251028-net-mptcp-send-timeout-v1-2-38ffff5= a9ec8@kernel.org Signed-off-by: Jakub Kicinski [ Adjust context ] Signed-off-by: Sasha Levin Signed-off-by: Matthieu Baerts (NGI0) Signed-off-by: Greg Kroah-Hartman --- Note: this is the patch Sasha sent for the v6.6 which applies on v6.12 without conflicts. On v6.12, Sasha sent another version with dependences that caused some issues, see: https://lore.kernel.org/bbe84711-95b2-4257-9f01-560b4473a3da@kernel.org Signed-off-by: Greg Kroah-Hartman --- net/mptcp/protocol.c | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -1977,19 +1977,35 @@ static void mptcp_rcv_space_adjust(struc =20 static int __mptcp_recvmsg_mskq(struct mptcp_sock *msk, struct msghdr *msg, - size_t len, int flags, + size_t len, int flags, int copied_total, struct scm_timestamping_internal *tss, int *cmsg_flags) { struct sk_buff *skb, *tmp; + int total_data_len =3D 0; int copied =3D 0; =20 skb_queue_walk_safe(&msk->receive_queue, skb, tmp) { - u32 offset =3D MPTCP_SKB_CB(skb)->offset; + u32 delta, offset =3D MPTCP_SKB_CB(skb)->offset; u32 data_len =3D skb->len - offset; - u32 count =3D min_t(size_t, len - copied, data_len); + u32 count; int err; =20 + if (flags & MSG_PEEK) { + /* skip already peeked skbs */ + if (total_data_len + data_len <=3D copied_total) { + total_data_len +=3D data_len; + continue; + } + + /* skip the already peeked data in the current skb */ + delta =3D copied_total - total_data_len; + offset +=3D delta; + data_len -=3D delta; + } + + count =3D min_t(size_t, len - copied, data_len); + if (!(flags & MSG_TRUNC)) { err =3D skb_copy_datagram_msg(skb, offset, msg, count); if (unlikely(err < 0)) { @@ -2006,22 +2022,19 @@ static int __mptcp_recvmsg_mskq(struct m =20 copied +=3D count; =20 - if (count < data_len) { - if (!(flags & MSG_PEEK)) { + if (!(flags & MSG_PEEK)) { + msk->bytes_consumed +=3D count; + if (count < data_len) { MPTCP_SKB_CB(skb)->offset +=3D count; MPTCP_SKB_CB(skb)->map_seq +=3D count; - msk->bytes_consumed +=3D count; + break; } - break; - } =20 - if (!(flags & MSG_PEEK)) { /* we will bulk release the skb memory later */ skb->destructor =3D NULL; WRITE_ONCE(msk->rmem_released, msk->rmem_released + skb->truesize); __skb_unlink(skb, &msk->receive_queue); __kfree_skb(skb); - msk->bytes_consumed +=3D count; } =20 if (copied >=3D len) @@ -2245,7 +2258,8 @@ static int mptcp_recvmsg(struct sock *sk while (copied < len) { int err, bytes_read; =20 - bytes_read =3D __mptcp_recvmsg_mskq(msk, msg, len - copied, flags, &tss,= &cmsg_flags); + bytes_read =3D __mptcp_recvmsg_mskq(msk, msg, len - copied, flags, + copied, &tss, &cmsg_flags); if (unlikely(bytes_read < 0)) { if (!copied) copied =3D bytes_read; Patches currently in stable-queue which might be from matttbe@kernel.org are queue-6.12/selftests-mptcp-join-endpoints-longer-transfer.patch queue-6.12/selftests-mptcp-connect-trunc-read-all-recv-data.patch queue-6.12/selftests-mptcp-join-rm-set-backup-flag.patch queue-6.12/selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch queue-6.12/mptcp-fix-msg_peek-stream-corruption.patch queue-6.12/selftests-mptcp-join-properly-kill-background-tasks.patch queue-6.12/selftests-mptcp-join-userspace-longer-transfer.patch queue-6.12/gcov-add-support-for-gcc-15.patch