From mboxrd@z Thu Jan 1 00:00:00 1970
From: Neil Horman
Subject: Re: [PATCH net] sctp: not allow transport timeout value less than HZ/5 for hb_timer
Date: Tue, 5 Jun 2018 06:27:49 -0400
Message-ID: <20180605102749.GA15072@hmswarspite.think-freely.org>
References: <97b99fac474db414ea8486a1fbd3a37dacd4b1b1.1528172218.git.lucien.xin@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: network dev , linux-sctp@vger.kernel.org, davem@davemloft.net, Eric Dumazet , Marcelo Ricardo Leitner , Dmitry Vyukov , syzkaller@googlegroups.com
To: Xin Long
Return-path:
Received: from charlotte.tuxdriver.com ([70.61.120.58]:58931 "EHLO smtp.tuxdriver.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751670AbeFEK21 (ORCPT ); Tue, 5 Jun 2018 06:28:27 -0400
Content-Disposition: inline
In-Reply-To: <97b99fac474db414ea8486a1fbd3a37dacd4b1b1.1528172218.git.lucien.xin@gmail.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

On Tue, Jun 05, 2018 at 12:16:58PM +0800, Xin Long wrote:
> syzbot reported a rcu_sched self-detected stall on CPU which is caused
> by too small value set on rto_min with SCTP_RTOINFO sockopt. With this
> value, hb_timer will get stuck there, as in its timer handler it starts
> this timer again with this value, then goes to the timer handler again.
>
> This problem is there since very beginning, and thanks to Eric for the
> reproducer shared from a syzbot mail.
>
> This patch fixes it by not allowing sctp_transport_timeout to return a
> smaller value than HZ/5 for hb_timer, which is based on TCP's min rto.
>
> Note that it doesn't fix this issue by limiting rto_min, as some users
> are still using small rto and no proper value was found for it yet.
>
> Reported-by: syzbot+3dcd59a1f907245f891f@syzkaller.appspotmail.com
> Suggested-by: Marcelo Ricardo Leitner
> Signed-off-by: Xin Long
> ---
>  net/sctp/transport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/net/sctp/transport.c b/net/sctp/transport.c > index 47f82bd..03fc2c4 100644 > --- a/net/sctp/transport.c > +++ b/net/sctp/transport.c > @@ -634,7 +634,7 @@ unsigned long sctp_transport_timeout(struct sctp_transport *trans) > trans->state != SCTP_PF) > timeout += trans->hbinterval; > > - return timeout; > + return max_t(unsigned long, timeout, HZ / 5); > } > > /* Reset transport variables to their initial values */ > -- > 2.1.0 > > Acked-by: Neil Horman
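
Review bot: The bare "HZ / 5" in the new "return max_t(unsigned long, timeout, HZ / 5);" at the end of sctp_transport_timeout() has no comment, so the reason for the floor (a too-small rto_min set via SCTP_RTOINFO letting hb_timer re-arm itself straight back into its handler, with the value taken from TCP's min rto) is recorded only in the commit message. A one-line comment above the return, or a named constant in place of the literal, would keep a later reader from treating the number as arbitrary or removing it. Because the clamp sits on the function's single return, it applies whether or not the "timeout += trans->hbinterval" branch was taken, and the comment should say that this is intended.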