* [PATCH net 0/3] mptcp: Fixes for buffer reclaim and option writing
@ 2022-01-06 22:06 Mat Martineau
2022-01-06 22:06 ` [PATCH net 1/3] mptcp: fix opt size when sending DSS + MP_FAIL Mat Martineau
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Mat Martineau @ 2022-01-06 22:06 UTC (permalink / raw)
To: netdev
Cc: Mat Martineau, davem, kuba, matthieu.baerts, mptcp, pabeni, geliang.tang
Here are three fixes dealing with a syzkaller crash MPTCP triggers in
the memory manager in 5.16-rc8, and some option writing problems.
Patches 1 and 2 fix some corner cases in MPTCP option writing.
Patch 3 addresses a crash that syzkaller found a way to trigger in the mm
subsystem by passing an invalid value to __sk_mem_reduce_allocated().
Geliang Tang (1):
mptcp: fix a DSS option writing error
Mat Martineau (1):
mptcp: Check reclaim amount before reducing allocation
Matthieu Baerts (1):
mptcp: fix opt size when sending DSS + MP_FAIL
net/mptcp/options.c | 10 +++++++---
net/mptcp/protocol.c | 4 +++-
2 files changed, 10 insertions(+), 4 deletions(-)
base-commit: 36595d8ad46d9e4c41cc7c48c4405b7c3322deac
--
2.34.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH net 1/3] mptcp: fix opt size when sending DSS + MP_FAIL
2022-01-06 22:06 [PATCH net 0/3] mptcp: Fixes for buffer reclaim and option writing Mat Martineau
@ 2022-01-06 22:06 ` Mat Martineau
2022-01-06 22:06 ` [PATCH net 2/3] mptcp: fix a DSS option writing error Mat Martineau
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Mat Martineau @ 2022-01-06 22:06 UTC (permalink / raw)
To: netdev
Cc: Matthieu Baerts, davem, kuba, mptcp, pabeni, geliang.tang, Mat Martineau
From: Matthieu Baerts <matthieu.baerts@tessares.net>
When these two options had to be sent -- which is not common -- the DSS
size was not being taken into account in the remaining size.
Additionally in this situation, the reported size was only the one of
the MP_FAIL which can cause issue if at the end, we need to write more
in the TCP options than previously said.
Here we use a dedicated variable for MP_FAIL size to keep the
WARN_ON_ONCE() just after.
Fixes: c25aeb4e0953 ("mptcp: MP_FAIL suboption sending")
Acked-and-tested-by: Geliang Tang <geliang.tang@suse.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
---
net/mptcp/options.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index fe98e4f475ba..96c6efdd48bc 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -821,10 +821,13 @@ bool mptcp_established_options(struct sock *sk, struct sk_buff *skb,
if (mptcp_established_options_mp(sk, skb, snd_data_fin, &opt_size, remaining, opts))
ret = true;
else if (mptcp_established_options_dss(sk, skb, snd_data_fin, &opt_size, remaining, opts)) {
+ unsigned int mp_fail_size;
+
ret = true;
- if (mptcp_established_options_mp_fail(sk, &opt_size, remaining, opts)) {
- *size += opt_size;
- remaining -= opt_size;
+ if (mptcp_established_options_mp_fail(sk, &mp_fail_size,
+ remaining - opt_size, opts)) {
+ *size += opt_size + mp_fail_size;
+ remaining -= opt_size - mp_fail_size;
return true;
}
}
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net 2/3] mptcp: fix a DSS option writing error
2022-01-06 22:06 [PATCH net 0/3] mptcp: Fixes for buffer reclaim and option writing Mat Martineau
2022-01-06 22:06 ` [PATCH net 1/3] mptcp: fix opt size when sending DSS + MP_FAIL Mat Martineau
@ 2022-01-06 22:06 ` Mat Martineau
2022-01-06 22:06 ` [PATCH net 3/3] mptcp: Check reclaim amount before reducing allocation Mat Martineau
2022-01-07 14:10 ` [PATCH net 0/3] mptcp: Fixes for buffer reclaim and option writing patchwork-bot+netdevbpf
3 siblings, 0 replies; 5+ messages in thread
From: Mat Martineau @ 2022-01-06 22:06 UTC (permalink / raw)
To: netdev
Cc: Geliang Tang, davem, kuba, matthieu.baerts, mptcp, pabeni, Mat Martineau
From: Geliang Tang <geliang.tang@suse.com>
'ptr += 1;' was omitted in the original code.
If the DSS is the last option -- which is what we have most of the
time -- that's not an issue. But it is if we need to send something else
after like a RM_ADDR or an MP_PRIO.
Fixes: 1bff1e43a30e ("mptcp: optimize out option generation")
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Geliang Tang <geliang.tang@suse.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
---
net/mptcp/options.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 96c6efdd48bc..6661b1d6520f 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -1319,6 +1319,7 @@ void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp,
put_unaligned_be32(mpext->data_len << 16 |
TCPOPT_NOP << 8 | TCPOPT_NOP, ptr);
}
+ ptr += 1;
}
} else if (OPTIONS_MPTCP_MPC & opts->suboptions) {
u8 len, flag = MPTCP_CAP_HMAC_SHA256;
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net 3/3] mptcp: Check reclaim amount before reducing allocation
2022-01-06 22:06 [PATCH net 0/3] mptcp: Fixes for buffer reclaim and option writing Mat Martineau
2022-01-06 22:06 ` [PATCH net 1/3] mptcp: fix opt size when sending DSS + MP_FAIL Mat Martineau
2022-01-06 22:06 ` [PATCH net 2/3] mptcp: fix a DSS option writing error Mat Martineau
@ 2022-01-06 22:06 ` Mat Martineau
2022-01-07 14:10 ` [PATCH net 0/3] mptcp: Fixes for buffer reclaim and option writing patchwork-bot+netdevbpf
3 siblings, 0 replies; 5+ messages in thread
From: Mat Martineau @ 2022-01-06 22:06 UTC (permalink / raw)
To: netdev
Cc: Mat Martineau, davem, kuba, matthieu.baerts, mptcp, pabeni,
geliang.tang, syzbot+bc9e2d2dbcb347dd215a, Andrew Morton,
Michal Hocko
syzbot found a page counter underflow that was triggered by MPTCP's
reclaim code:
page_counter underflow: -4294964789 nr_pages=4294967295
WARNING: CPU: 2 PID: 3785 at mm/page_counter.c:56 page_counter_cancel+0xcf/0xe0 mm/page_counter.c:56
Modules linked in:
CPU: 2 PID: 3785 Comm: kworker/2:6 Not tainted 5.16.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:page_counter_cancel+0xcf/0xe0 mm/page_counter.c:56
Code: c7 04 24 00 00 00 00 45 31 f6 eb 97 e8 2a 2b b5 ff 4c 89 ea 48 89 ee 48 c7 c7 00 9e b8 89 c6 05 a0 c1 ba 0b 01 e8 95 e4 4b 07 <0f> 0b eb a8 4c 89 e7 e8 25 5a fb ff eb c7 0f 1f 00 41 56 41 55 49
RSP: 0018:ffffc90002d4f918 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff88806a494120 RCX: 0000000000000000
RDX: ffff8880688c41c0 RSI: ffffffff815e8f28 RDI: fffff520005a9f15
RBP: ffffffff000009cb R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815e2cfe R11: 0000000000000000 R12: ffff88806a494120
R13: 00000000ffffffff R14: 0000000000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2de21000 CR3: 000000005ad59000 CR4: 0000000000150ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
page_counter_uncharge+0x2e/0x60 mm/page_counter.c:160
drain_stock+0xc1/0x180 mm/memcontrol.c:2219
refill_stock+0x139/0x2f0 mm/memcontrol.c:2271
__sk_mem_reduce_allocated+0x24d/0x550 net/core/sock.c:2945
__mptcp_rmem_reclaim net/mptcp/protocol.c:167 [inline]
__mptcp_mem_reclaim_partial+0x124/0x410 net/mptcp/protocol.c:975
mptcp_mem_reclaim_partial net/mptcp/protocol.c:982 [inline]
mptcp_alloc_tx_skb net/mptcp/protocol.c:1212 [inline]
mptcp_sendmsg_frag+0x18c6/0x2190 net/mptcp/protocol.c:1279
__mptcp_push_pending+0x232/0x720 net/mptcp/protocol.c:1545
mptcp_release_cb+0xfe/0x200 net/mptcp/protocol.c:2975
release_sock+0xb4/0x1b0 net/core/sock.c:3306
mptcp_worker+0x51e/0xc10 net/mptcp/protocol.c:2443
process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
kthread+0x405/0x4f0 kernel/kthread.c:327
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
__mptcp_mem_reclaim_partial() could call __mptcp_rmem_reclaim() with a
negative value, which passed that negative value to
__sk_mem_reduce_allocated() and triggered the splat above.
Check for a reclaim amount that is positive and large enough for
__mptcp_rmem_reclaim() to actually adjust rmem_fwd_alloc (much like
the sk_mem_reclaim_partial() code the function is based on).
v2: Use '>' instead of '>=', since SK_MEM_QUANTUM - 1 would get
right-shifted into nothing by __mptcp_rmem_reclaim.
Fixes: 6511882cdd82 ("mptcp: allocate fwd memory separately on the rx and tx path")
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/252
Reported-and-tested-by: syzbot+bc9e2d2dbcb347dd215a@syzkaller.appspotmail.com
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
---
net/mptcp/protocol.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 54613f5b7521..0cd55e4c30fa 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -972,7 +972,9 @@ static void __mptcp_mem_reclaim_partial(struct sock *sk)
lockdep_assert_held_once(&sk->sk_lock.slock);
- __mptcp_rmem_reclaim(sk, reclaimable - 1);
+ if (reclaimable > SK_MEM_QUANTUM)
+ __mptcp_rmem_reclaim(sk, reclaimable - 1);
+
sk_mem_reclaim_partial(sk);
}
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH net 0/3] mptcp: Fixes for buffer reclaim and option writing
2022-01-06 22:06 [PATCH net 0/3] mptcp: Fixes for buffer reclaim and option writing Mat Martineau
` (2 preceding siblings ...)
2022-01-06 22:06 ` [PATCH net 3/3] mptcp: Check reclaim amount before reducing allocation Mat Martineau
@ 2022-01-07 14:10 ` patchwork-bot+netdevbpf
3 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-01-07 14:10 UTC (permalink / raw)
To: Mat Martineau
Cc: netdev, davem, kuba, matthieu.baerts, mptcp, pabeni, geliang.tang
Hello:
This series was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:
On Thu, 6 Jan 2022 14:06:35 -0800 you wrote:
> Here are three fixes dealing with a syzkaller crash MPTCP triggers in
> the memory manager in 5.16-rc8, and some option writing problems.
>
> Patches 1 and 2 fix some corner cases in MPTCP option writing.
>
> Patch 3 addresses a crash that syzkaller found a way to trigger in the mm
> subsystem by passing an invalid value to __sk_mem_reduce_allocated().
>
> [...]
Here is the summary with links:
- [net,1/3] mptcp: fix opt size when sending DSS + MP_FAIL
https://git.kernel.org/netdev/net/c/04fac2cae942
- [net,2/3] mptcp: fix a DSS option writing error
https://git.kernel.org/netdev/net/c/110b6d1fe98f
- [net,3/3] mptcp: Check reclaim amount before reducing allocation
https://git.kernel.org/netdev/net/c/269bda9e7da4
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-01-07 14:10 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-06 22:06 [PATCH net 0/3] mptcp: Fixes for buffer reclaim and option writing Mat Martineau
2022-01-06 22:06 ` [PATCH net 1/3] mptcp: fix opt size when sending DSS + MP_FAIL Mat Martineau
2022-01-06 22:06 ` [PATCH net 2/3] mptcp: fix a DSS option writing error Mat Martineau
2022-01-06 22:06 ` [PATCH net 3/3] mptcp: Check reclaim amount before reducing allocation Mat Martineau
2022-01-07 14:10 ` [PATCH net 0/3] mptcp: Fixes for buffer reclaim and option writing patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).