possible deadlock in mptcp_push_pending
by syzbot
Hello,
syzbot found the following issue on:
HEAD commit: c48f8607 Merge branch 'PTP-for-DSA-tag_ocelot_8021q'
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16525cb0d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbc1ca9e55dc1f9f
dashboard link: https://syzkaller.appspot.com/bug?extid=d1b1723faccb7a43f6d1
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d1b1723faccb7a43f6d1(a)syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
5.11.0-rc7-syzkaller #0 Not tainted
--------------------------------------------
syz-executor.1/15600 is trying to acquire lock:
ffff888057303220 (sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1598 [inline]
ffff888057303220 (sk_lock-AF_INET6){+.+.}-{0:0}, at: mptcp_push_pending+0x28b/0x650 net/mptcp/protocol.c:1466
but task is already holding lock:
ffff8880285da520 (sk_lock-AF_INET6){+.+.}-{0:0}, at: inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:638
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(sk_lock-AF_INET6);
lock(sk_lock-AF_INET6);
*** DEADLOCK ***
May be due to missing lock nesting notation
1 lock held by syz-executor.1/15600:
#0: ffff8880285da520 (sk_lock-AF_INET6){+.+.}-{0:0}, at: inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:638
stack backtrace:
CPU: 1 PID: 15600 Comm: syz-executor.1 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:120
print_deadlock_bug kernel/locking/lockdep.c:2761 [inline]
check_deadlock kernel/locking/lockdep.c:2804 [inline]
validate_chain kernel/locking/lockdep.c:3595 [inline]
__lock_acquire.cold+0x114/0x39e kernel/locking/lockdep.c:4832
lock_acquire kernel/locking/lockdep.c:5442 [inline]
lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407
lock_sock_nested+0xc5/0x110 net/core/sock.c:3071
lock_sock include/net/sock.h:1598 [inline]
mptcp_push_pending+0x28b/0x650 net/mptcp/protocol.c:1466
mptcp_sendmsg+0xde4/0x2830 net/mptcp/protocol.c:1685
inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:638
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:672
sock_write_iter+0x289/0x3c0 net/socket.c:999
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x426/0x650 fs/read_write.c:518
vfs_write+0x791/0xa30 fs/read_write.c:605
ksys_write+0x1ee/0x250 fs/read_write.c:658
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x465d99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0f45e25188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000056c0b0 RCX: 0000000000465d99
RDX: 0000000020000001 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000004bcf27 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c0b0
R13: 00007ffec3fddc7f R14: 00007f0f45e25300 R15: 0000000000022000
general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
CPU: 0 PID: 15600 Comm: syz-executor.1 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mptcp_sendmsg_frag+0xa3f/0x1220 net/mptcp/protocol.c:1330
Code: 80 3c 02 00 0f 85 04 07 00 00 48 8b 04 24 48 8b 98 20 07 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 38 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d6 04 00 00 48 8d 7d 10 44 8b
RSP: 0018:ffffc900020577e8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000038
RBP: ffff88802b42e610 R08: 0000000000000001 R09: ffff88802b42e610
R10: ffffed1005685cc4 R11: 0000000000000000 R12: ffff8880285da400
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000204
FS: 00007f0f45e25700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d4b6e570c0 CR3: 000000005c5ae000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
mptcp_push_pending+0x2cc/0x650 net/mptcp/protocol.c:1477
mptcp_sendmsg+0xde4/0x2830 net/mptcp/protocol.c:1685
inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:638
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:672
sock_write_iter+0x289/0x3c0 net/socket.c:999
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x426/0x650 fs/read_write.c:518
vfs_write+0x791/0xa30 fs/read_write.c:605
ksys_write+0x1ee/0x250 fs/read_write.c:658
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x465d99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0f45e25188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000056c0b0 RCX: 0000000000465d99
RDX: 0000000020000001 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000004bcf27 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c0b0
R13: 00007ffec3fddc7f R14: 00007f0f45e25300 R15: 0000000000022000
Modules linked in:
---[ end trace 88e1139d1c953589 ]---
RIP: 0010:mptcp_sendmsg_frag+0xa3f/0x1220 net/mptcp/protocol.c:1330
Code: 80 3c 02 00 0f 85 04 07 00 00 48 8b 04 24 48 8b 98 20 07 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 38 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e d6 04 00 00 48 8d 7d 10 44 8b
RSP: 0018:ffffc900020577e8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000038
RBP: ffff88802b42e610 R08: 0000000000000001 R09: ffff88802b42e610
R10: ffffed1005685cc4 R11: 0000000000000000 R12: ffff8880285da400
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000204
FS: 00007f0f45e25700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f272a496000 CR3: 000000005c5ae000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller(a)googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
inconsistent subflow creation policy ?!?
by Paolo Abeni
Hello,
I just noted that the pm_netlink subflow creation policy is
inconsistent (or perhaps simply different ?!?) between signal and
add_addr subflows.
When the MPTCP socket tries to create an additional subflow due to a
'subflow' endpoint, it will filter out local addresses already in use
by existing subflows.
When MPTCP tries to create an additional subflow due to an incoming
'ADD_ADDR' option, it will try to create it regardless of any existing
subflow using the relevant remote address (and port).
Should we change the above ?!? (e.g. applying some filters even for
ADD_ADDR). Or perhaps add some additional policy flag (like 'unique' or
'none') ?
WDYT?
Thanks!
Paolo
[MPTCP][PATCH mptcp-next] mptcp: drop unused subflow in mptcp_pm_subflow_established
by Geliang Tang
This patch drops the unused parameter subflow in
mptcp_pm_subflow_established().
Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
---
net/mptcp/options.c | 2 +-
net/mptcp/pm.c | 3 +--
net/mptcp/protocol.h | 3 +--
3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index ea4cacff0f5f..95d67e2eefeb 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -877,7 +877,7 @@ static bool check_fully_established(struct mptcp_sock *msk, struct sock *ssk,
subflow->pm_notified = 1;
if (subflow->mp_join) {
clear_3rdack_retransmission(ssk);
- mptcp_pm_subflow_established(msk, subflow);
+ mptcp_pm_subflow_established(msk);
} else {
mptcp_pm_fully_established(msk, ssk, GFP_ATOMIC);
}
diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c
index 880c9cffe707..a15ce9704fda 100644
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -152,8 +152,7 @@ void mptcp_pm_connection_closed(struct mptcp_sock *msk)
pr_debug("msk=%p", msk);
}
-void mptcp_pm_subflow_established(struct mptcp_sock *msk,
- struct mptcp_subflow_context *subflow)
+void mptcp_pm_subflow_established(struct mptcp_sock *msk)
{
struct mptcp_pm_data *pm = &msk->pm;
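Review bot: the hunk shows only the signature and the first line of the body, so confirm that nothing further down in mptcp_pm_subflow_established() (a pr_debug(), for instance) still references `subflow`; the changelog says the parameter is unused, and the build would catch a stale use, but a line in the changelog saying the body was checked would make that explicit.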
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index 593085610971..d24e2829b0cb 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -642,8 +642,7 @@ void mptcp_pm_new_connection(struct mptcp_sock *msk, const struct sock *ssk, int
void mptcp_pm_fully_established(struct mptcp_sock *msk, const struct sock *ssk, gfp_t gfp);
bool mptcp_pm_allow_new_subflow(struct mptcp_sock *msk);
void mptcp_pm_connection_closed(struct mptcp_sock *msk);
-void mptcp_pm_subflow_established(struct mptcp_sock *msk,
- struct mptcp_subflow_context *subflow);
+void mptcp_pm_subflow_established(struct mptcp_sock *msk);
void mptcp_pm_subflow_closed(struct mptcp_sock *msk, u8 id);
void mptcp_pm_add_addr_received(struct mptcp_sock *msk,
const struct mptcp_addr_info *addr);
--
2.29.2
[PATCH mptcp-net] mptcp: fix DATA_FIN processing for orphaned sockets.
by Paolo Abeni
Currently we move an orphaned msk socket directly from FIN_WAIT2
state to close, with the rationale that incoming additional
data could be just dropped by the TCP stack/TW sockets.
Anyhow we miss sending the MPTCP-level ack on an incoming DATA_FIN,
and that may hang the peers.
Fixes: e16163b6e2b7 ("mptcp: refactor shutdown and close")
Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
---
I hope nobody is keeping track of nr of follow-ups x commit,
because the referenced one could score a world record :(((
---
net/mptcp/protocol.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index ee5a2981df6da..f15c79ff6a53c 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2297,13 +2297,12 @@ static void mptcp_worker(struct work_struct *work)
__mptcp_check_send_data_fin(sk);
mptcp_check_data_fin(sk);
- /* if the msk data is completely acked, or the socket timedout,
- * there is no point in keeping around an orphaned sk
+ /* There is no point in keeping aroud an orphaned sk timedout or closed,
+ * but we need the msk around to reply to incoming DATA_FIN, even if
+ * orphaned and in FIN_WAIT2 state
*/
if (sock_flag(sk, SOCK_DEAD) &&
- (mptcp_check_close_timeout(sk) ||
- (state != sk->sk_state &&
- ((1 << inet_sk_state_load(sk)) & (TCPF_CLOSE | TCPF_FIN_WAIT2))))) {
+ (mptcp_check_close_timeout(sk) || sk->sk_state == TCP_CLOSE)) {
inet_sk_state_store(sk, TCP_CLOSE);
__mptcp_destroy_sock(sk);
goto unlock;
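Review bot: two typos in the new comment: `aroud` should be `around` and `timedout` should be `timed out`. More importantly, the removed condition was the only visible user of the `state` local (`state != sk->sk_state`); if nothing else in mptcp_worker() reads it, its assignment now produces a set-but-unused warning and should be dropped in the same patch. The logic itself matches the changelog: an orphaned msk is destroyed only on close timeout or once it reaches TCP_CLOSE, so an msk in FIN_WAIT2 stays around long enough for the mptcp_check_data_fin() call just above to ack the peer's DATA_FIN.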
--
2.26.2
[MPTCP][PATCH v2 mptcp-next] Squash to "mptcp: add rm_list in mptcp_out_options"
by Geliang Tang
This patch fixes the following smatch warning:
net/mptcp/options.c:687 mptcp_established_options_rm_addr() error: uninitialized symbol 'align'.
Reported-by: kernel test robot <lkp(a)intel.com>
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
---
v2:
- use roundup in mptcp_rm_addr_len
---
net/mptcp/options.c | 14 ++++++--------
net/mptcp/protocol.h | 8 ++++++++
2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index e41410475f0e..73c712a5c6e6 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -673,21 +673,19 @@ static bool mptcp_established_options_rm_addr(struct sock *sk,
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
struct mptcp_sock *msk = mptcp_sk(subflow->conn);
struct mptcp_rm_list rm_list;
- u8 i, align;
+ int i, len;
if (!mptcp_pm_should_rm_signal(msk) ||
!(mptcp_pm_rm_addr_signal(msk, remaining, &rm_list)))
return false;
- if (rm_list.nr > 1)
- align = 5;
- if (rm_list.nr > 5)
- align = 9;
-
- if (remaining < TCPOLEN_MPTCP_RM_ADDR_BASE + align)
+ len = mptcp_rm_addr_len(rm_list);
+ if (len < 0)
+ return false;
+ if (remaining < len)
return false;
- *size = TCPOLEN_MPTCP_RM_ADDR_BASE + align;
+ *size = len;
opts->suboptions |= OPTION_MPTCP_RM_ADDR;
opts->rm_list = rm_list;
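Review bot: `len` is int while `remaining` is `unsigned int` (see the mptcp_pm_rm_addr_signal() prototype in the protocol.h hunk of this patch), so `remaining < len` is only safe because of the `len < 0` return right before it; writing `if (len < 0 || remaining < len) return false;` keeps that dependency visible and saves a branch. Changing `i` from `u8` to `int` is not mentioned in the changelog; either leave it `u8` or say why it changed.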
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index dd6bc475f848..3f42b6f55f02 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -708,6 +708,14 @@ static inline unsigned int mptcp_add_addr_len(int family, bool echo, bool port)
return len;
}
+static inline int mptcp_rm_addr_len(struct mptcp_rm_list rm_list)
+{
+ if (rm_list.nr == 0 || rm_list.nr >= MPTCP_RM_IDS_MAX)
+ return -EINVAL;
+
+ return TCPOLEN_MPTCP_RM_ADDR_BASE + roundup(rm_list.nr - 1, 4) + 1;
+}
+
bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, unsigned int remaining,
struct mptcp_addr_info *saddr, bool *echo, bool *port);
bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining,
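Review bot: the `rm_list.nr >= MPTCP_RM_IDS_MAX` test returns -EINVAL for a list of exactly MPTCP_RM_IDS_MAX ids; if the ids array in struct mptcp_rm_list holds MPTCP_RM_IDS_MAX entries, a full list is valid and the check should be `>`. The roundup() expression does reproduce the v1 ladder (nr=1 gives +1, nr=2..5 gives +5, nr=6..9 gives +9) and keeps working beyond 9 ids, which the ladder did not; a short comment noting that the ids after the first are padded up to a multiple of 4 would help the next reader. Passing `struct mptcp_rm_list` by value copies the whole ids array on each call; `const struct mptcp_rm_list *rm_list` is the usual kernel style here.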
--
2.29.2
KASAN: use-after-free Read in mptcp_established_options
by syzbot
Hello,
syzbot found the following issue on:
HEAD commit: 966df6de lan743x: sync only the received area of an rx rin..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11afe082d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbc1ca9e55dc1f9f
dashboard link: https://syzkaller.appspot.com/bug?extid=3c1e5ab4997849b69807
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3c1e5ab4997849b69807(a)syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in mptcp_check_fallback net/mptcp/protocol.h:745 [inline]
BUG: KASAN: use-after-free in mptcp_established_options+0x22cf/0x2780 net/mptcp/options.c:724
Read of size 8 at addr ffff88802bea10a0 by task syz-executor.1/11042
CPU: 1 PID: 11042 Comm: syz-executor.1 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:120
print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
__kasan_report mm/kasan/report.c:396 [inline]
kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
mptcp_check_fallback net/mptcp/protocol.h:745 [inline]
mptcp_established_options+0x22cf/0x2780 net/mptcp/options.c:724
tcp_established_options+0x4ed/0x700 net/ipv4/tcp_output.c:953
tcp_current_mss+0x1d2/0x360 net/ipv4/tcp_output.c:1840
tcp_send_mss+0x28/0x2b0 net/ipv4/tcp.c:943
mptcp_sendmsg_frag+0x13b/0x1220 net/mptcp/protocol.c:1266
mptcp_push_pending+0x2cc/0x650 net/mptcp/protocol.c:1477
mptcp_sendmsg+0xde4/0x2830 net/mptcp/protocol.c:1685
inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:642
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:672
sock_write_iter+0x289/0x3c0 net/socket.c:999
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x426/0x650 fs/read_write.c:518
vfs_write+0x791/0xa30 fs/read_write.c:605
ksys_write+0x1ee/0x250 fs/read_write.c:658
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x465d99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff231ccc188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000056c008 RCX: 0000000000465d99
RDX: 000000000003f9b4 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 00000000004bcf27 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c008
R13: 00007ffeaa2da27f R14: 00007ff231ccc300 R15: 0000000000022000
Allocated by task 11017:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:401 [inline]
____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:682 [inline]
subflow_create_ctx+0x82/0x230 net/mptcp/subflow.c:1378
subflow_ulp_init+0x62/0x370 net/mptcp/subflow.c:1459
__tcp_set_ulp net/ipv4/tcp_ulp.c:139 [inline]
tcp_set_ulp+0x27c/0x610 net/ipv4/tcp_ulp.c:160
mptcp_subflow_create_socket+0x5bf/0xe20 net/mptcp/subflow.c:1343
__mptcp_socket_create net/mptcp/protocol.c:110 [inline]
mptcp_init_sock net/mptcp/protocol.c:2365 [inline]
mptcp_init_sock+0x140/0x830 net/mptcp/protocol.c:2350
inet6_create net/ipv6/af_inet6.c:256 [inline]
inet6_create+0xa15/0x1010 net/ipv6/af_inet6.c:110
__sock_create+0x3de/0x780 net/socket.c:1406
sock_create net/socket.c:1457 [inline]
__sys_socket+0xef/0x200 net/socket.c:1499
__do_sys_socket net/socket.c:1508 [inline]
__se_sys_socket net/socket.c:1506 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1506
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 10650:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356
____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362
kasan_slab_free include/linux/kasan.h:192 [inline]
slab_free_hook mm/slub.c:1547 [inline]
slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580
slab_free mm/slub.c:3143 [inline]
kmem_cache_free_bulk mm/slub.c:3269 [inline]
kmem_cache_free_bulk+0x253/0xc80 mm/slub.c:3256
kfree_bulk include/linux/slab.h:409 [inline]
kfree_rcu_work+0x4cd/0x860 kernel/rcu/tree.c:3226
process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
kthread+0x3b1/0x4a0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
The buggy address belongs to the object at ffff88802bea1000
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 160 bytes inside of
256-byte region [ffff88802bea1000, ffff88802bea1100)
The buggy address belongs to the page:
page:0000000026103328 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2bea0
head:0000000026103328 order:1 compound_mapcount:0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c413c0
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88802bea0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802bea1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802bea1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802bea1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802bea1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller(a)googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
[MPTCP][PATCH mptcp-next] Squash to "mptcp: add rm_list in mptcp_out_options"
by Geliang Tang
This patch fixes the following smatch warning:
net/mptcp/options.c:687 mptcp_established_options_rm_addr() error: uninitialized symbol 'align'.
Reported-by: kernel test robot <lkp(a)intel.com>
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
---
net/mptcp/options.c | 14 ++++++--------
net/mptcp/protocol.h | 15 +++++++++++++++
2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index e41410475f0e..73c712a5c6e6 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -673,21 +673,19 @@ static bool mptcp_established_options_rm_addr(struct sock *sk,
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
struct mptcp_sock *msk = mptcp_sk(subflow->conn);
struct mptcp_rm_list rm_list;
- u8 i, align;
+ int i, len;
if (!mptcp_pm_should_rm_signal(msk) ||
!(mptcp_pm_rm_addr_signal(msk, remaining, &rm_list)))
return false;
- if (rm_list.nr > 1)
- align = 5;
- if (rm_list.nr > 5)
- align = 9;
-
- if (remaining < TCPOLEN_MPTCP_RM_ADDR_BASE + align)
+ len = mptcp_rm_addr_len(rm_list);
+ if (len < 0)
+ return false;
+ if (remaining < len)
return false;
- *size = TCPOLEN_MPTCP_RM_ADDR_BASE + align;
+ *size = len;
opts->suboptions |= OPTION_MPTCP_RM_ADDR;
opts->rm_list = rm_list;
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index dd6bc475f848..c26875a1f192 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -708,6 +708,21 @@ static inline unsigned int mptcp_add_addr_len(int family, bool echo, bool port)
return len;
}
+static inline int mptcp_rm_addr_len(struct mptcp_rm_list rm_list)
+{
+ u8 align = 1;
+
+ if (rm_list.nr <= 0 || rm_list.nr >= MPTCP_RM_IDS_MAX)
+ return -EINVAL;
+
+ if (rm_list.nr > 1)
+ align = 5;
+ if (rm_list.nr > 5)
+ align = 9;
+
+ return TCPOLEN_MPTCP_RM_ADDR_BASE + align;
+}
+
bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, unsigned int remaining,
struct mptcp_addr_info *saddr, bool *echo, bool *port);
bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining,
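Review bot: `rm_list.nr <= 0` is suspicious if `nr` is an unsigned type (the local it replaces was `u8`, which suggests the count is too); for unsigned `nr` this is just `== 0` and compilers warn about the comparison. The ladder also stops at 9: if MPTCP_RM_IDS_MAX allows more than 9 ids, a list of 10 or more still gets `align = 9` and the option length is under-reported. The v2 posting of this squash above replaces the ladder with a roundup() expression and uses `== 0`, which addresses both points.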
--
2.29.2
[MPTCP][PATCH net-next] mptcp: free resources when the port number is mismatched
by Geliang Tang
When the port number is mismatched with the announced ones, use
'goto dispose_child' to free the resources instead of using 'goto out'.
This patch also moves the port number checking code in
subflow_syn_recv_sock before the setting of ctx->conn, otherwise
subflow_drop_ctx will fail in dispose_child.
Fixes: 5bc56388c74f ("mptcp: add port number check for MP_JOIN")
Reported-by: Paolo Abeni <pabeni(a)redhat.com>
Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
---
net/mptcp/subflow.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 280da418d60b..a9c8daf72768 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -692,25 +692,25 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
if (!owner)
goto dispose_child;
- /* move the msk reference ownership to the subflow */
- subflow_req->msk = NULL;
- ctx->conn = (struct sock *)owner;
- if (!mptcp_finish_join(child))
- goto dispose_child;
-
- SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKRX);
- tcp_rsk(req)->drop_req = true;
-
if (subflow_use_different_sport(owner, sk)) {
pr_debug("ack inet_sport=%d %d",
ntohs(inet_sk(sk)->inet_sport),
ntohs(inet_sk((struct sock *)owner)->inet_sport));
if (!mptcp_pm_sport_in_anno_list(owner, sk)) {
SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MISMATCHPORTACKRX);
- goto out;
+ goto dispose_child;
}
SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINPORTACKRX);
}
+
+ /* move the msk reference ownership to the subflow */
+ subflow_req->msk = NULL;
+ ctx->conn = (struct sock *)owner;
+ if (!mptcp_finish_join(child))
+ goto dispose_child;
+
+ SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKRX);
+ tcp_rsk(req)->drop_req = true;
}
}
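Review bot: with the port check moved ahead of `subflow_req->msk = NULL; ctx->conn = (struct sock *)owner;`, the new `goto dispose_child` on a mismatched port now runs while subflow_req still owns the msk reference (the moved comment says ownership passes to the subflow only in the block that now follows). Please confirm, and state in the changelog, that the dispose_child path releases that reference when subflow_req->msk is still set; otherwise the patch trades the failing subflow_drop_ctx() for a leaked msk.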
--
2.29.2
[Weekly meetings] MoM - 11th of February 2021
by Matthieu Baerts
Hello everyone,
Last Thursday, we had our 135th meeting with Mat and Ossama (Intel),
Christoph (Apple), Paolo, Davide, Florian and Perry Gagne (RedHat),
Geliang (Xiaomi) and myself (Tessares).
Thanks again for this new good meeting!
Here are the minutes of the meeting:
Accepted patches:
- The list of accepted patches can be seen on PatchWork:
https://patchwork.ozlabs.org/project/mptcp/list/?state=3
netdev (if mptcp ML is in cc) (Mat Martineau (commits from Florian
and Geliang)):
1436332 [net-next,2/2] mptcp: pm: add lockdep assertions
1436331 [net-next,1/2] selftests: mptcp: add command line arguments for
mptcp...
our repo (by: Florian Westphal, Geliang Tang, Matthieu Baerts,
Paolo Abeni):
1438957 squashto: mptcp: schedule worker when subflow is closed
1438772 [v7,mptcp-next,11/11] selftests: mptcp: add testcases for
removing ad...
1438771 [v7,mptcp-next,10/11] selftests: mptcp: set addr id for
removing test...
1438770 [v7,mptcp-next,09/11] selftests: mptcp: add invert argument for
chk_r...
1438769 [v7,mptcp-next,08/11] mptcp: remove a list of addrs when flushing
1438768 [v7,mptcp-next,07/11] mptcp: remove multi addresses and
subflows in PM
1438767 [v7,mptcp-next,06/11] mptcp: remove multi subflows in PM
1438766 [v7,mptcp-next,05/11] mptcp: remove multi addresses in PM
1438765 [v7,mptcp-next,04/11] mptcp: add rm_list_rx in mptcp_pm_data
1438764 [v7,mptcp-next,03/11] mptcp: add rm_list in mptcp_options_received
1438763 [v7,mptcp-next,02/11] mptcp: add rm_list_tx in mptcp_pm_data
1438762 [v7,mptcp-next,01/11] mptcp: add rm_list in mptcp_out_options
1438302 [mptcp-next,3/3] mptcp: clean-up the rtx path.
1438301 [mptcp-next,2/3] mptcp: fix race in release_cb
1438300 [mptcp-next,1/3] mptcp: factor out __mptcp_retrans helper()
1437778 [mptcp-next,3/3] selftests: mptcp: fail if not enough SYN/3rd ACK
1437781 [mptcp-next,2/3] selftests: mptcp: display warnings on one line
1437779 [mptcp-next,1/3] selftests: mptcp: fix ACKRX debug message
1436751 [mptcp-net,5/5] selftests: mptcp: dump more info on errors
1436750 [mptcp-net,4/5] mptcp: add a missing retransmission timer
scheduling
1436749 [mptcp-net,3/5] mptcp: better msk receive window updates
1436748 [mptcp-net,2/5] mptcp: init mptcp request socket earlier
1436747 [mptcp-net,1/5] mptcp: fix spurious retransmissions
1435084 [v3,mptcp-next] mptcp: add local addr info in mptcp_info
Pending patches:
- The list of pending patches can be seen on PatchWork:
https://patchwork.ozlabs.org/project/mptcp/list/?state=*
netdev (if mptcp ML is in cc) (by: /):
/
our repo (by: Florian Westphal, Geliang Tang):
1370700: RFC: [RFC,2/4] tcp: move selected mptcp helpers to tcp.h/mptcp.h
1370702: RFC: [RFC,4/4] tcp: parse tcp options contained in reset packets:
- WIP
1375893: RFC: [RFC,mptpcp-next] mptcp: add ooo prune support:
- WIP
1395128: RFC: [1/5] tcp: make two mptcp helpers available to tcp stack
1395131: RFC: [3/5] mptcp: add mptcp reset option support
1395133: RFC: [5/5] mptcp: send fastclose if userspace closes socket
with unread data:
- WIP
1426554: Changes Requested: [PATCHi,iproute2] mptcp: add support for
event monitoring:
- WIP
1431688: Changes Requested: [RFC,mptcp-next,1/6] mptcp: add tracepoints
for data operations
1431689: Changes Requested: [RFC,mptcp-next,2/6] mptcp: add echo field
in mptcp_out_options
1431690: Changes Requested: [RFC,mptcp-next,3/6] mptcp: add tracepoints
for options operations
1431692: Changes Requested: [RFC,mptcp-next,5/6] mptcp: add tracepoints
for PM operations
1431693: Changes Requested: [RFC,mptcp-next,6/6] mptcp: add tracepoints
for subflow operations:
- first review done
- It could be helpful to share on the mailing-list a list of where
the tracepoints are going to be added and with which data:
→ easier with a list (because there are a few traces) and avoids
having to write code
→ @Geliang: may you share a list not to have to code some parts
if it is not needed?
1438436: Changes Requested: [v3,mptcp-next,1/4] mptcp: move to next addr
when subflow creation fail
1438439: Changes Requested: [v3,mptcp-next,4/4] selftests: mptcp: signal
addresses testcases:
- some changes are required, v4 expected
Issues on Github:
https://github.com/multipath-tcp/mptcp_net-next/issues/
Recently opened (latest from last week: 151)
159 [syzkaller] WARNING in __mptcp_destroy_sock [bug] [syzkaller]:
- this is critical, as syzkaller is stuck (→ was a false positive)
158 iproute2: change backup mode (MP_PRIO) for active connections
[enhancement] [iproute2]:
- there is a support in the kernel but not in iproute2: to be
able to use "ip mptcp endpoint *change* (...)" and not only "add" and
"delete"
157 [syzkaller] WARNING in dst_release [bug] [syzkaller]:
- Florian has already a patch for this one
156 [syzkaller] WARNING: refcount bug in __tcp_transmit_skb [bug]
[syzkaller]
155 [syzkaller] BUG: unable to handle kernel NULL pointer
dereference in mptcp_subflow_get_send [bug] [syzkaller]
153 [syzkaller] WARNING: refcount bug in mptcp_incoming_options
[bug] [syzkaller]
152 mptcp_release_cb is racy [bug] @pabeni
- just closed
Bugs (opened, flagged as "bug" and assigned)
152 mptcp_release_cb is racy [bug] @pabeni:
- just closed
151 Only 1 ADD_ADDR has been sent when signalling multi invalid
addresses [bug] @geliangtang:
- related to the two patches above that need to be modified
149 iproute2: ss wrongly reports MPTCP sockets for kernel 5.7 → 5.9
[bug] [iproute2] @matttbe:
- not possible to use the proto in the reply
- nothing new in procfs related to MPTCP
- maybe OK not to do anything because we should not have iproute2
version > kernel version?
→ TODO: Matth; update the ticket → Done
146 DATA_FIN is not retransmitted on timeout [bug] @mjmartineau :
- could be nice to use delegated actions with the new infrastructure
Bugs (opened and flagged as "bug" and not assigned)
157 [syzkaller] WARNING in dst_release [bug] [syzkaller]
156 [syzkaller] WARNING: refcount bug in __tcp_transmit_skb [bug]
[syzkaller]
155 [syzkaller] BUG: unable to handle kernel NULL pointer
dereference in mptcp_subflow_get_send [bug] [syzkaller]
153 [syzkaller] WARNING: refcount bug in mptcp_incoming_options
[bug] [syzkaller]
137 selftests: simult_flows.sh: unbalanced bwidth tests are unstable
[bug]
136 [syzkaller] WARNING in sk_stream_kill_queues [bug] [syzkaller]
120 [interop] netnext is dropping packets, causing MPTCP-level
retransmissions on mptcp.org [bug]
119 [syzkaller] memory leak in __get_filter [bug] [syzkaller]
110 [syzkaller] memory leak in __ip_mc_join_group [bug] [syzkaller]
107 Review use of WARN_ON() / WARN_ON_ONCE() [bug]
65 clearing properly the status in listen() [bug]
56 msk connection state set without msk lock [bug]
In Progress (opened and assigned)
142 packetdrill: support injecting ADD_ADDR echo bit [enhancement]
[packetdrill] @dcaratti
140 RM_ADDR: remove a list of addresses [enhancement] @geliangtang :
- kernel code OK
- Maybe packetdrill support?
- RM_ADDR with a single address is not supported
- Davide plans to look at the missing features in packetdrill and
open new ticket(s)/PR(s)
- @Davide: please also close this one (and #54) once it is done
134 Checksum support [enhancement] @geliangtang
131 replace some/most pr_debug with trace events [enhancement]
@geliangtang
96 Python: add support for IPPROTO_MPTCP [enhancement] @matttbe
76 [gs]etsockopt per subflow: BPF [enhancement] @matttbe
60 PM: netlink: events per connection [enhancement] @fw-strlen:
- Should we close it? (or assign Ossama?) → Done
54 ADD_ADDR: ports support [enhancement] @geliangtang:
- Packetdrill support in a dedicated story? → Davide will do
that, see #140.
Recently closed (since last week)
154 selftests: mptcp_connect: file received by client does not match [bug] @pabeni
148 SYNRX: MPTCP -> MPTCP: expect x, got y [bug] @matttbe
147 copyfd_io_poll: poll timed out: race/bug with poll wakeup [bug] @pabeni
130 [syzkaller] WARNING in mptcp_token_destroy_request [bug] [syzkaller] @pabeni
126 [syzkaller] WARNING in mptcp_reset_timer [bug] [syzkaller] @pabeni
125 [syzkaller] KASAN: wild-memory-access Write in subflow_req_destructor [bug] [syzkaller] @pabeni
112 sporadic failure of mptcp_join.sh selftest 13 [bug] @dcaratti
51 MP_PRIO support [enhancement] @geliangtang
FYI: Current Roadmap:
- Bugs: https://github.com/multipath-tcp/mptcp_net-next/projects/2
- Current merge window (5.12): https://github.com/multipath-tcp/mptcp_net-next/projects/7
- For later: https://github.com/multipath-tcp/mptcp_net-next/projects/4
Patches to send to netdev:
- net:
- 7614b4aedb855 selftests: mptcp: dump more info on errors:
- this one might need some fixes (grammar)
- 5a3b70e209296 mptcp: add a missing retransmission timer scheduling
- 200b49d901e74 mptcp: better msk receive window updates
- 12ca6e1ef6ad3 mptcp: init mptcp request socket earlier
- 7d4e4a1ebd7c3 mptcp: fix spurious retransmissions
- a5cbae22dc44a mptcp: fix poll after shutdown
- 98e7bdd1f047e mptcp: deliver ssk errors to msk
→ Mat is going to send these ones → Done
- net-next:
- 24c2bb8afbd19 mptcp: clean-up the rtx path:
- has dependencies on fixes from -net, we need to wait for them to be applied on net-next
- 135e92ea4633e mptcp: fix race in release_cb → maybe this one to -net but not all of them.
- 080f6278e6cea mptcp: factor out __mptcp_retrans helper()
- Above two patches did not apply to net-next, but look ok for future -net submission
- What's left:
- one patch from Geliang: "mptcp: add local addr info in mptcp_info" → quite independent from the rest, could be sent in // maybe?
- Florian's series related to MPTCP PM Netlink: events support → validation is in progress but looks good, could be sent tomorrow maybe? → Done
- some selftests improvements, should be independent from the rest (will conflict with "selftests: mptcp: dump more info on errors"), we can wait if needed. → Done
Extra tests:
- news about Syzkaller? (Christoph):
- Now running without a debug kernel, finding new bugs because the execution is faster
- news about interop with mptcp.org? (Christoph):
- Working on supporting the latest 5.4.x kernel, easier to test
- news about Intel's kbuild? (Mat):
- 147 issue was reproduced but before the fix was merged
- packetdrill (Davide):
- A new format has been proposed to improve the readability of these scripts.
- Please follow the new format (see last PR and Readme) for new scripts.
- See above ↑
- CI (Matth):
- not building in 32-bit: cherry-picked: x86/build: Disable CET instrumentation in the kernel for 32-bit too
- looking at updating the TG tree with GH Action
Related to:
- https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/tree/...
- the "goto" looks wrong, probably some resources are not freed
- @Geliang: could you have a look at this please? It looks like it is related to some code you recently modified (Done)
kernel-ci.org:
- build + selftests could be validated there
- similar to kbuild but here the results are published
- → so it looks interesting, we should certainly contact them!
- → maybe it is an issue that our export branch is rebased regularly (but they can follow the for-review branch)
- kcidb: to publish results to a central place: https://staging.kernelci.org:3000
- → maybe we don't need to publish results from our CI if it is public? We can check that later
If we need an alternative to GMeet:
- https://meet.kernel.social
Paolo:
- Paolo is looking at connection rate perf tests
- It looks like there is some "room for improvement", to say that politely :)
- Fallback to TCP: 10% compared to plain TCP
- MPTCP socket stays around for 60 seconds
Perry is looking at perf:
- Perry is working on http://lnst-project.org
- TRex and others don't have native MPTCP support → they have a different network stack, work needed there
- "Workaround" is to use a proxy.
- wrk → to force MPTCP, e.g. with netperf
- adding MPTCP support to existing tools should be "just" modifying the created sockets to use IPPROTO_MPTCP.
- But support for some [gs]etsockopt's might be missing, could be blocking
- For just the socket modification (TCP → MPTCP), we can use LD_PRELOAD but "not nice"
- On top of that, we also have to do:
- ask the client to use multiple subflows → iproute2
- same for the server → iproute2
- routing rules → iproute2
Next meeting:
- On Thursday, the 18th of February.
- Usual UTC time: 16:00 UTC (8am PST, 5pm CET, Midnight CST)
- Still open to everyone!
- https://annuel2.framapad.org/p/mptcp_upstreaming_20210218
Feel free to comment on these points and propose new ones for the next meeting!
Talk to you on Thursday,
Matt
--
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net
1 year, 3 months