* [MPTCP] Re: [MPTCP][PATCH v2 net-next] mptcp: clear use_ack and use_map when dropping other suboptions
@ 2020-12-16 0:02 Mat Martineau
0 siblings, 0 replies; 5+ messages in thread
From: Mat Martineau @ 2020-12-16 0:02 UTC (permalink / raw)
To: mptcp
[-- Attachment #1: Type: text/plain, Size: 8789 bytes --]
On Tue, 15 Dec 2020, Geliang Tang wrote:
> This patch cleared use_ack and use_map when dropping other suboptions to
> fix the following syzkaller BUG:
>
> [ 15.223006] BUG: unable to handle page fault for address: 0000000000223b10
> [ 15.223700] #PF: supervisor read access in kernel mode
> [ 15.224209] #PF: error_code(0x0000) - not-present page
> [ 15.224724] PGD b8d5067 P4D b8d5067 PUD c0a5067 PMD 0
> [ 15.225237] Oops: 0000 [#1] SMP
> [ 15.225556] CPU: 0 PID: 7747 Comm: syz-executor Not tainted 5.10.0-rc6+ #24
> [ 15.226281] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> [ 15.227292] RIP: 0010:skb_release_data+0x89/0x1e0
> [ 15.227816] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34
> [ 15.229669] RSP: 0018:ffffc900019c7c08 EFLAGS: 00010293
> [ 15.230188] RAX: ffff88800daad900 RBX: 0000000000223b08 RCX: 0000000000000006
> [ 15.230895] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6dc700
> [ 15.231593] RBP: ffff88807f71a4c0 R08: 0000000000000001 R09: 0000000000000001
> [ 15.232299] R10: ffffc900019c7c18 R11: 0000000000000000 R12: ffff88807f71a4f0
> [ 15.233007] R13: 0000000000000000 R14: ffff88807f6dc700 R15: 0000000000000002
> [ 15.233714] FS: 00007f65d9b5f700(0000) GS:ffff88807c400000(0000) knlGS:0000000000000000
> [ 15.234509] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 15.235081] CR2: 0000000000223b10 CR3: 000000000b883000 CR4: 00000000000006f0
> [ 15.235788] Call Trace:
> [ 15.236042] skb_release_all+0x28/0x30
> [ 15.236419] __kfree_skb+0x11/0x20
> [ 15.236768] tcp_data_queue+0x270/0x1240
> [ 15.237161] ? tcp_urg+0x50/0x2a0
> [ 15.237496] tcp_rcv_established+0x39a/0x890
> [ 15.237997] ? mark_held_locks+0x49/0x70
> [ 15.238467] tcp_v4_do_rcv+0xb9/0x270
> [ 15.238915] __release_sock+0x8a/0x160
> [ 15.239365] release_sock+0x32/0xd0
> [ 15.239793] __inet_stream_connect+0x1d2/0x400
> [ 15.240313] ? do_wait_intr_irq+0x80/0x80
> [ 15.240791] inet_stream_connect+0x36/0x50
> [ 15.241275] mptcp_stream_connect+0x69/0x1b0
> [ 15.241787] __sys_connect+0x122/0x140
> [ 15.242236] ? syscall_enter_from_user_mode+0x17/0x50
> [ 15.242836] ? lockdep_hardirqs_on_prepare+0xd4/0x170
> [ 15.243436] __x64_sys_connect+0x1a/0x20
> [ 15.243924] do_syscall_64+0x33/0x40
> [ 15.244313] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 15.244821] RIP: 0033:0x7f65d946e469
> [ 15.245183] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
> [ 15.247019] RSP: 002b:00007f65d9b5eda8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
> [ 15.247770] RAX: ffffffffffffffda RBX: 000000000049bf00 RCX: 00007f65d946e469
> [ 15.248471] RDX: 0000000000000010 RSI: 00000000200000c0 RDI: 0000000000000005
> [ 15.249205] RBP: 000000000049bf00 R08: 0000000000000000 R09: 0000000000000000
> [ 15.249908] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049bf0c
> [ 15.250603] R13: 00007fffe8a25cef R14: 00007f65d9b3f000 R15: 0000000000000003
> [ 15.251312] Modules linked in:
> [ 15.251626] CR2: 0000000000223b10
> [ 15.251965] BUG: kernel NULL pointer dereference, address: 0000000000000048
> [ 15.252005] ---[ end trace f5c51fe19123c773 ]---
> [ 15.252822] #PF: supervisor read access in kernel mode
> [ 15.252823] #PF: error_code(0x0000) - not-present page
> [ 15.252825] PGD c6c6067 P4D c6c6067 PUD c0d8067
> [ 15.253294] RIP: 0010:skb_release_data+0x89/0x1e0
> [ 15.253910] PMD 0
> [ 15.253914] Oops: 0000 [#2] SMP
> [ 15.253917] CPU: 1 PID: 7746 Comm: syz-executor Tainted: G D 5.10.0-rc6+ #24
> [ 15.253920] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> [ 15.254435] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34
> [ 15.254899] RIP: 0010:skb_release_data+0x89/0x1e0
> [ 15.254902] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34
> [ 15.254905] RSP: 0018:ffffc900019bfc08 EFLAGS: 00010293
> [ 15.255376] RSP: 0018:ffffc900019c7c08 EFLAGS: 00010293
> [ 15.255580]
> [ 15.255583] RAX: ffff888004a7ac80 RBX: 0000000000000040 RCX: 0000000000000000
> [ 15.255912]
> [ 15.256724] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6ddd00
> [ 15.257620] RAX: ffff88800daad900 RBX: 0000000000223b08 RCX: 0000000000000006
> [ 15.259817] RBP: ffff88800e9006c0 R08: 0000000000000000 R09: 0000000000000000
> [ 15.259818] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88800e9006f0
> [ 15.259820] R13: 0000000000000000 R14: ffff88807f6ddd00 R15: 0000000000000002
> [ 15.259822] FS: 00007fae4a60a700(0000) GS:ffff88807c500000(0000) knlGS:0000000000000000
> [ 15.259826] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 15.260296] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6dc700
> [ 15.262514] CR2: 0000000000000048 CR3: 000000000b89c000 CR4: 00000000000006e0
> [ 15.262515] Call Trace:
> [ 15.262519] skb_release_all+0x28/0x30
> [ 15.262523] __kfree_skb+0x11/0x20
> [ 15.263054] RBP: ffff88807f71a4c0 R08: 0000000000000001 R09: 0000000000000001
> [ 15.263680] tcp_data_queue+0x270/0x1240
> [ 15.263843] R10: ffffc900019c7c18 R11: 0000000000000000 R12: ffff88807f71a4f0
> [ 15.264693] ? tcp_urg+0x50/0x2a0
> [ 15.264856] R13: 0000000000000000 R14: ffff88807f6dc700 R15: 0000000000000002
> [ 15.265720] tcp_rcv_established+0x39a/0x890
> [ 15.266438] FS: 00007f65d9b5f700(0000) GS:ffff88807c400000(0000) knlGS:0000000000000000
> [ 15.267283] ? __schedule+0x3fa/0x880
> [ 15.267287] tcp_v4_do_rcv+0xb9/0x270
> [ 15.267290] __release_sock+0x8a/0x160
> [ 15.268049] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 15.268788] release_sock+0x32/0xd0
> [ 15.268791] __inet_stream_connect+0x1d2/0x400
> [ 15.268795] ? do_wait_intr_irq+0x80/0x80
> [ 15.269593] CR2: 0000000000223b10 CR3: 000000000b883000 CR4: 00000000000006f0
> [ 15.270246] inet_stream_connect+0x36/0x50
> [ 15.270250] mptcp_stream_connect+0x69/0x1b0
> [ 15.270253] __sys_connect+0x122/0x140
> [ 15.271097] Kernel panic - not syncing: Fatal exception
> [ 15.271820] ? syscall_enter_from_user_mode+0x17/0x50
> [ 15.283542] ? lockdep_hardirqs_on_prepare+0xd4/0x170
> [ 15.284275] __x64_sys_connect+0x1a/0x20
> [ 15.284853] do_syscall_64+0x33/0x40
> [ 15.285369] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 15.286105] RIP: 0033:0x7fae49f19469
> [ 15.286638] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
> [ 15.289295] RSP: 002b:00007fae4a609da8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
> [ 15.290375] RAX: ffffffffffffffda RBX: 000000000049bf00 RCX: 00007fae49f19469
> [ 15.291403] RDX: 0000000000000010 RSI: 00000000200000c0 RDI: 0000000000000005
> [ 15.292437] RBP: 000000000049bf00 R08: 0000000000000000 R09: 0000000000000000
> [ 15.293456] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049bf0c
> [ 15.294473] R13: 00007fff0004b6bf R14: 00007fae4a5ea000 R15: 0000000000000003
> [ 15.295492] Modules linked in:
> [ 15.295944] CR2: 0000000000000048
> [ 15.296567] Kernel Offset: disabled
> [ 15.296941] ---[ end Kernel panic - not syncing: Fatal exception ]---
>
> Reported-by: Christoph Paasch <cpaasch(a)apple.com>
> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/104
> Fixes: 84dfe3677a6f (mptcp: send out dedicated ADD_ADDR packet)
> Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
> ---
> Obsoletes: v1 (mptcp: avoid using the main socket to send ack)
> ---
> net/mptcp/options.c | 2 ++
> 1 file changed, 2 insertions(+)
>
Thanks for the fix!
As Paolo mentioned, please send this to netdev for the -net tree. The -net
branch is now up to date with the net-next branch and Linus' merge of
net-next for 5.11 so thte branch is ready for this fix.
Please add my tag:
Reviewed-by: Mat Martineau <mathew.j.martineau(a)linux.intel.com>
--
Mat Martineau
Intel
^ permalink raw reply [flat|nested] 5+ messages in thread
* [MPTCP] Re: [MPTCP][PATCH v2 net-next] mptcp: clear use_ack and use_map when dropping other suboptions
@ 2020-12-16 2:39 Geliang Tang
0 siblings, 0 replies; 5+ messages in thread
From: Geliang Tang @ 2020-12-16 2:39 UTC (permalink / raw)
To: mptcp
[-- Attachment #1: Type: text/plain, Size: 10016 bytes --]
Hi Paolo,
Paolo Abeni <pabeni(a)redhat.com> 于2020年12月15日周二 下午5:22写道:
>
> On Tue, 2020-12-15 at 13:32 +0800, Geliang Tang wrote:
> > This patch cleared use_ack and use_map when dropping other suboptions to
> > fix the following syzkaller BUG:
> >
> > [ 15.223006] BUG: unable to handle page fault for address: 0000000000223b10
> > [ 15.223700] #PF: supervisor read access in kernel mode
> > [ 15.224209] #PF: error_code(0x0000) - not-present page
> > [ 15.224724] PGD b8d5067 P4D b8d5067 PUD c0a5067 PMD 0
> > [ 15.225237] Oops: 0000 [#1] SMP
> > [ 15.225556] CPU: 0 PID: 7747 Comm: syz-executor Not tainted 5.10.0-rc6+ #24
> > [ 15.226281] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> > [ 15.227292] RIP: 0010:skb_release_data+0x89/0x1e0
> > [ 15.227816] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34
> > [ 15.229669] RSP: 0018:ffffc900019c7c08 EFLAGS: 00010293
> > [ 15.230188] RAX: ffff88800daad900 RBX: 0000000000223b08 RCX: 0000000000000006
> > [ 15.230895] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6dc700
> > [ 15.231593] RBP: ffff88807f71a4c0 R08: 0000000000000001 R09: 0000000000000001
> > [ 15.232299] R10: ffffc900019c7c18 R11: 0000000000000000 R12: ffff88807f71a4f0
> > [ 15.233007] R13: 0000000000000000 R14: ffff88807f6dc700 R15: 0000000000000002
> > [ 15.233714] FS: 00007f65d9b5f700(0000) GS:ffff88807c400000(0000) knlGS:0000000000000000
> > [ 15.234509] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [ 15.235081] CR2: 0000000000223b10 CR3: 000000000b883000 CR4: 00000000000006f0
> > [ 15.235788] Call Trace:
> > [ 15.236042] skb_release_all+0x28/0x30
> > [ 15.236419] __kfree_skb+0x11/0x20
> > [ 15.236768] tcp_data_queue+0x270/0x1240
> > [ 15.237161] ? tcp_urg+0x50/0x2a0
> > [ 15.237496] tcp_rcv_established+0x39a/0x890
> > [ 15.237997] ? mark_held_locks+0x49/0x70
> > [ 15.238467] tcp_v4_do_rcv+0xb9/0x270
> > [ 15.238915] __release_sock+0x8a/0x160
> > [ 15.239365] release_sock+0x32/0xd0
> > [ 15.239793] __inet_stream_connect+0x1d2/0x400
> > [ 15.240313] ? do_wait_intr_irq+0x80/0x80
> > [ 15.240791] inet_stream_connect+0x36/0x50
> > [ 15.241275] mptcp_stream_connect+0x69/0x1b0
> > [ 15.241787] __sys_connect+0x122/0x140
> > [ 15.242236] ? syscall_enter_from_user_mode+0x17/0x50
> > [ 15.242836] ? lockdep_hardirqs_on_prepare+0xd4/0x170
> > [ 15.243436] __x64_sys_connect+0x1a/0x20
> > [ 15.243924] do_syscall_64+0x33/0x40
> > [ 15.244313] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > [ 15.244821] RIP: 0033:0x7f65d946e469
> > [ 15.245183] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
> > [ 15.247019] RSP: 002b:00007f65d9b5eda8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
> > [ 15.247770] RAX: ffffffffffffffda RBX: 000000000049bf00 RCX: 00007f65d946e469
> > [ 15.248471] RDX: 0000000000000010 RSI: 00000000200000c0 RDI: 0000000000000005
> > [ 15.249205] RBP: 000000000049bf00 R08: 0000000000000000 R09: 0000000000000000
> > [ 15.249908] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049bf0c
> > [ 15.250603] R13: 00007fffe8a25cef R14: 00007f65d9b3f000 R15: 0000000000000003
> > [ 15.251312] Modules linked in:
> > [ 15.251626] CR2: 0000000000223b10
> > [ 15.251965] BUG: kernel NULL pointer dereference, address: 0000000000000048
> > [ 15.252005] ---[ end trace f5c51fe19123c773 ]---
> > [ 15.252822] #PF: supervisor read access in kernel mode
> > [ 15.252823] #PF: error_code(0x0000) - not-present page
> > [ 15.252825] PGD c6c6067 P4D c6c6067 PUD c0d8067
> > [ 15.253294] RIP: 0010:skb_release_data+0x89/0x1e0
> > [ 15.253910] PMD 0
> > [ 15.253914] Oops: 0000 [#2] SMP
> > [ 15.253917] CPU: 1 PID: 7746 Comm: syz-executor Tainted: G D 5.10.0-rc6+ #24
> > [ 15.253920] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> > [ 15.254435] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34
> > [ 15.254899] RIP: 0010:skb_release_data+0x89/0x1e0
> > [ 15.254902] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34
> > [ 15.254905] RSP: 0018:ffffc900019bfc08 EFLAGS: 00010293
> > [ 15.255376] RSP: 0018:ffffc900019c7c08 EFLAGS: 00010293
> > [ 15.255580]
> > [ 15.255583] RAX: ffff888004a7ac80 RBX: 0000000000000040 RCX: 0000000000000000
> > [ 15.255912]
> > [ 15.256724] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6ddd00
> > [ 15.257620] RAX: ffff88800daad900 RBX: 0000000000223b08 RCX: 0000000000000006
> > [ 15.259817] RBP: ffff88800e9006c0 R08: 0000000000000000 R09: 0000000000000000
> > [ 15.259818] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88800e9006f0
> > [ 15.259820] R13: 0000000000000000 R14: ffff88807f6ddd00 R15: 0000000000000002
> > [ 15.259822] FS: 00007fae4a60a700(0000) GS:ffff88807c500000(0000) knlGS:0000000000000000
> > [ 15.259826] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [ 15.260296] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6dc700
> > [ 15.262514] CR2: 0000000000000048 CR3: 000000000b89c000 CR4: 00000000000006e0
> > [ 15.262515] Call Trace:
> > [ 15.262519] skb_release_all+0x28/0x30
> > [ 15.262523] __kfree_skb+0x11/0x20
> > [ 15.263054] RBP: ffff88807f71a4c0 R08: 0000000000000001 R09: 0000000000000001
> > [ 15.263680] tcp_data_queue+0x270/0x1240
> > [ 15.263843] R10: ffffc900019c7c18 R11: 0000000000000000 R12: ffff88807f71a4f0
> > [ 15.264693] ? tcp_urg+0x50/0x2a0
> > [ 15.264856] R13: 0000000000000000 R14: ffff88807f6dc700 R15: 0000000000000002
> > [ 15.265720] tcp_rcv_established+0x39a/0x890
> > [ 15.266438] FS: 00007f65d9b5f700(0000) GS:ffff88807c400000(0000) knlGS:0000000000000000
> > [ 15.267283] ? __schedule+0x3fa/0x880
> > [ 15.267287] tcp_v4_do_rcv+0xb9/0x270
> > [ 15.267290] __release_sock+0x8a/0x160
> > [ 15.268049] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [ 15.268788] release_sock+0x32/0xd0
> > [ 15.268791] __inet_stream_connect+0x1d2/0x400
> > [ 15.268795] ? do_wait_intr_irq+0x80/0x80
> > [ 15.269593] CR2: 0000000000223b10 CR3: 000000000b883000 CR4: 00000000000006f0
> > [ 15.270246] inet_stream_connect+0x36/0x50
> > [ 15.270250] mptcp_stream_connect+0x69/0x1b0
> > [ 15.270253] __sys_connect+0x122/0x140
> > [ 15.271097] Kernel panic - not syncing: Fatal exception
> > [ 15.271820] ? syscall_enter_from_user_mode+0x17/0x50
> > [ 15.283542] ? lockdep_hardirqs_on_prepare+0xd4/0x170
> > [ 15.284275] __x64_sys_connect+0x1a/0x20
> > [ 15.284853] do_syscall_64+0x33/0x40
> > [ 15.285369] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > [ 15.286105] RIP: 0033:0x7fae49f19469
> > [ 15.286638] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
> > [ 15.289295] RSP: 002b:00007fae4a609da8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
> > [ 15.290375] RAX: ffffffffffffffda RBX: 000000000049bf00 RCX: 00007fae49f19469
> > [ 15.291403] RDX: 0000000000000010 RSI: 00000000200000c0 RDI: 0000000000000005
> > [ 15.292437] RBP: 000000000049bf00 R08: 0000000000000000 R09: 0000000000000000
> > [ 15.293456] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049bf0c
> > [ 15.294473] R13: 00007fff0004b6bf R14: 00007fae4a5ea000 R15: 0000000000000003
> > [ 15.295492] Modules linked in:
> > [ 15.295944] CR2: 0000000000000048
> > [ 15.296567] Kernel Offset: disabled
> > [ 15.296941] ---[ end Kernel panic - not syncing: Fatal exception ]---
> >
> > Reported-by: Christoph Paasch <cpaasch(a)apple.com>
> > Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/104
> > Fixes: 84dfe3677a6f (mptcp: send out dedicated ADD_ADDR packet)
> > Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
> > ---
> > Obsoletes: v1 (mptcp: avoid using the main socket to send ack)
> > ---
> > net/mptcp/options.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/net/mptcp/options.c b/net/mptcp/options.c
> > index 5e7d7755d1a6..f4047ace032d 100644
> > --- a/net/mptcp/options.c
> > +++ b/net/mptcp/options.c
> > @@ -606,6 +606,8 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff *
> > skb && skb_is_tcp_pure_ack(skb)) {
> > pr_debug("drop other suboptions");
> > opts->suboptions = 0;
> > + opts->ext_copy.use_ack = 0;
> > + opts->ext_copy.use_map = 0;
> > remaining += opt_size;
> > drop_other_suboptions = true;
>
> Very good catch! I hope this should also address issue/106.
Yes, this can fix #106 too. I just added a comment on #106 and closed it.
>
> LGTM!
>
> Note: matttbe will possibly be unable to merge this (or any other)
> patch soon, if so I think you can send it upstream to the -net tree, as
> soon as net is rebased on top of current -net-next (or even directly to
> net-next is that is still open).
The original commit 84dfe3677a6f (mptcp: send out dedicated ADD_ADDR packet)
has not been merged to -net yet, so I sent this patch to net-next.
-Geliang
>
> Cheers,
>
> Paolo
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* [MPTCP] Re: [MPTCP][PATCH v2 net-next] mptcp: clear use_ack and use_map when dropping other suboptions
@ 2020-12-16 0:09 Mat Martineau
0 siblings, 0 replies; 5+ messages in thread
From: Mat Martineau @ 2020-12-16 0:09 UTC (permalink / raw)
To: mptcp
[-- Attachment #1: Type: text/plain, Size: 906 bytes --]
On Tue, 15 Dec 2020, Mat Martineau wrote:
>
> On Tue, 15 Dec 2020, Geliang Tang wrote:
>
>> This patch cleared use_ack and use_map when dropping other suboptions to
>> fix the following syzkaller BUG:
>>
...
>> ---
>> net/mptcp/options.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>
> Thanks for the fix!
>
> As Paolo mentioned, please send this to netdev for the -net tree. The -net
> branch is now up to date with the net-next branch and Linus' merge of
> net-next for 5.11 so thte branch is ready for this fix.
>
> Please add my tag:
>
> Reviewed-by: Mat Martineau <mathew.j.martineau(a)linux.intel.com>
I hadn't seen that you sent to netdev already - although the patch is
tagged for net-next instead of the net tree. I will reply there and maybe
Jakub or David will apply to net or follow up with a reply or patchwork
status update.
--
Mat Martineau
Intel
^ permalink raw reply [flat|nested] 5+ messages in thread
* [MPTCP] Re: [MPTCP][PATCH v2 net-next] mptcp: clear use_ack and use_map when dropping other suboptions
@ 2020-12-15 9:42 Matthieu Baerts
0 siblings, 0 replies; 5+ messages in thread
From: Matthieu Baerts @ 2020-12-15 9:42 UTC (permalink / raw)
To: mptcp
[-- Attachment #1: Type: text/plain, Size: 915 bytes --]
Hi Geliang, Paolo,
On 15/12/2020 06:32, Geliang Tang wrote:
> This patch cleared use_ack and use_map when dropping other suboptions to
> fix the following syzkaller BUG:
(...)
> Reported-by: Christoph Paasch <cpaasch(a)apple.com>
> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/104
> Fixes: 84dfe3677a6f (mptcp: send out dedicated ADD_ADDR packet)
> Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
Good catch, thank you for this fix and the review!
- 281bc5ad92db: mptcp: clear use_ack and use_map when dropping other
suboptions
- Results: 663af8abf571..d73b2c933a85
Tests + export have been queued (sync with net-next job is in progress)
> ---
> Obsoletes: v1 (mptcp: avoid using the main socket to send ack)
Thanks for this note, it is useful for me updating Patchwork!
Cheers,
Matt
--
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net
^ permalink raw reply [flat|nested] 5+ messages in thread
* [MPTCP] Re: [MPTCP][PATCH v2 net-next] mptcp: clear use_ack and use_map when dropping other suboptions
@ 2020-12-15 9:22 Paolo Abeni
0 siblings, 0 replies; 5+ messages in thread
From: Paolo Abeni @ 2020-12-15 9:22 UTC (permalink / raw)
To: mptcp
[-- Attachment #1: Type: text/plain, Size: 9306 bytes --]
On Tue, 2020-12-15 at 13:32 +0800, Geliang Tang wrote:
> This patch cleared use_ack and use_map when dropping other suboptions to
> fix the following syzkaller BUG:
>
> [ 15.223006] BUG: unable to handle page fault for address: 0000000000223b10
> [ 15.223700] #PF: supervisor read access in kernel mode
> [ 15.224209] #PF: error_code(0x0000) - not-present page
> [ 15.224724] PGD b8d5067 P4D b8d5067 PUD c0a5067 PMD 0
> [ 15.225237] Oops: 0000 [#1] SMP
> [ 15.225556] CPU: 0 PID: 7747 Comm: syz-executor Not tainted 5.10.0-rc6+ #24
> [ 15.226281] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> [ 15.227292] RIP: 0010:skb_release_data+0x89/0x1e0
> [ 15.227816] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34
> [ 15.229669] RSP: 0018:ffffc900019c7c08 EFLAGS: 00010293
> [ 15.230188] RAX: ffff88800daad900 RBX: 0000000000223b08 RCX: 0000000000000006
> [ 15.230895] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6dc700
> [ 15.231593] RBP: ffff88807f71a4c0 R08: 0000000000000001 R09: 0000000000000001
> [ 15.232299] R10: ffffc900019c7c18 R11: 0000000000000000 R12: ffff88807f71a4f0
> [ 15.233007] R13: 0000000000000000 R14: ffff88807f6dc700 R15: 0000000000000002
> [ 15.233714] FS: 00007f65d9b5f700(0000) GS:ffff88807c400000(0000) knlGS:0000000000000000
> [ 15.234509] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 15.235081] CR2: 0000000000223b10 CR3: 000000000b883000 CR4: 00000000000006f0
> [ 15.235788] Call Trace:
> [ 15.236042] skb_release_all+0x28/0x30
> [ 15.236419] __kfree_skb+0x11/0x20
> [ 15.236768] tcp_data_queue+0x270/0x1240
> [ 15.237161] ? tcp_urg+0x50/0x2a0
> [ 15.237496] tcp_rcv_established+0x39a/0x890
> [ 15.237997] ? mark_held_locks+0x49/0x70
> [ 15.238467] tcp_v4_do_rcv+0xb9/0x270
> [ 15.238915] __release_sock+0x8a/0x160
> [ 15.239365] release_sock+0x32/0xd0
> [ 15.239793] __inet_stream_connect+0x1d2/0x400
> [ 15.240313] ? do_wait_intr_irq+0x80/0x80
> [ 15.240791] inet_stream_connect+0x36/0x50
> [ 15.241275] mptcp_stream_connect+0x69/0x1b0
> [ 15.241787] __sys_connect+0x122/0x140
> [ 15.242236] ? syscall_enter_from_user_mode+0x17/0x50
> [ 15.242836] ? lockdep_hardirqs_on_prepare+0xd4/0x170
> [ 15.243436] __x64_sys_connect+0x1a/0x20
> [ 15.243924] do_syscall_64+0x33/0x40
> [ 15.244313] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 15.244821] RIP: 0033:0x7f65d946e469
> [ 15.245183] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
> [ 15.247019] RSP: 002b:00007f65d9b5eda8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
> [ 15.247770] RAX: ffffffffffffffda RBX: 000000000049bf00 RCX: 00007f65d946e469
> [ 15.248471] RDX: 0000000000000010 RSI: 00000000200000c0 RDI: 0000000000000005
> [ 15.249205] RBP: 000000000049bf00 R08: 0000000000000000 R09: 0000000000000000
> [ 15.249908] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049bf0c
> [ 15.250603] R13: 00007fffe8a25cef R14: 00007f65d9b3f000 R15: 0000000000000003
> [ 15.251312] Modules linked in:
> [ 15.251626] CR2: 0000000000223b10
> [ 15.251965] BUG: kernel NULL pointer dereference, address: 0000000000000048
> [ 15.252005] ---[ end trace f5c51fe19123c773 ]---
> [ 15.252822] #PF: supervisor read access in kernel mode
> [ 15.252823] #PF: error_code(0x0000) - not-present page
> [ 15.252825] PGD c6c6067 P4D c6c6067 PUD c0d8067
> [ 15.253294] RIP: 0010:skb_release_data+0x89/0x1e0
> [ 15.253910] PMD 0
> [ 15.253914] Oops: 0000 [#2] SMP
> [ 15.253917] CPU: 1 PID: 7746 Comm: syz-executor Tainted: G D 5.10.0-rc6+ #24
> [ 15.253920] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> [ 15.254435] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34
> [ 15.254899] RIP: 0010:skb_release_data+0x89/0x1e0
> [ 15.254902] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34
> [ 15.254905] RSP: 0018:ffffc900019bfc08 EFLAGS: 00010293
> [ 15.255376] RSP: 0018:ffffc900019c7c08 EFLAGS: 00010293
> [ 15.255580]
> [ 15.255583] RAX: ffff888004a7ac80 RBX: 0000000000000040 RCX: 0000000000000000
> [ 15.255912]
> [ 15.256724] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6ddd00
> [ 15.257620] RAX: ffff88800daad900 RBX: 0000000000223b08 RCX: 0000000000000006
> [ 15.259817] RBP: ffff88800e9006c0 R08: 0000000000000000 R09: 0000000000000000
> [ 15.259818] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88800e9006f0
> [ 15.259820] R13: 0000000000000000 R14: ffff88807f6ddd00 R15: 0000000000000002
> [ 15.259822] FS: 00007fae4a60a700(0000) GS:ffff88807c500000(0000) knlGS:0000000000000000
> [ 15.259826] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 15.260296] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6dc700
> [ 15.262514] CR2: 0000000000000048 CR3: 000000000b89c000 CR4: 00000000000006e0
> [ 15.262515] Call Trace:
> [ 15.262519] skb_release_all+0x28/0x30
> [ 15.262523] __kfree_skb+0x11/0x20
> [ 15.263054] RBP: ffff88807f71a4c0 R08: 0000000000000001 R09: 0000000000000001
> [ 15.263680] tcp_data_queue+0x270/0x1240
> [ 15.263843] R10: ffffc900019c7c18 R11: 0000000000000000 R12: ffff88807f71a4f0
> [ 15.264693] ? tcp_urg+0x50/0x2a0
> [ 15.264856] R13: 0000000000000000 R14: ffff88807f6dc700 R15: 0000000000000002
> [ 15.265720] tcp_rcv_established+0x39a/0x890
> [ 15.266438] FS: 00007f65d9b5f700(0000) GS:ffff88807c400000(0000) knlGS:0000000000000000
> [ 15.267283] ? __schedule+0x3fa/0x880
> [ 15.267287] tcp_v4_do_rcv+0xb9/0x270
> [ 15.267290] __release_sock+0x8a/0x160
> [ 15.268049] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 15.268788] release_sock+0x32/0xd0
> [ 15.268791] __inet_stream_connect+0x1d2/0x400
> [ 15.268795] ? do_wait_intr_irq+0x80/0x80
> [ 15.269593] CR2: 0000000000223b10 CR3: 000000000b883000 CR4: 00000000000006f0
> [ 15.270246] inet_stream_connect+0x36/0x50
> [ 15.270250] mptcp_stream_connect+0x69/0x1b0
> [ 15.270253] __sys_connect+0x122/0x140
> [ 15.271097] Kernel panic - not syncing: Fatal exception
> [ 15.271820] ? syscall_enter_from_user_mode+0x17/0x50
> [ 15.283542] ? lockdep_hardirqs_on_prepare+0xd4/0x170
> [ 15.284275] __x64_sys_connect+0x1a/0x20
> [ 15.284853] do_syscall_64+0x33/0x40
> [ 15.285369] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 15.286105] RIP: 0033:0x7fae49f19469
> [ 15.286638] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
> [ 15.289295] RSP: 002b:00007fae4a609da8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
> [ 15.290375] RAX: ffffffffffffffda RBX: 000000000049bf00 RCX: 00007fae49f19469
> [ 15.291403] RDX: 0000000000000010 RSI: 00000000200000c0 RDI: 0000000000000005
> [ 15.292437] RBP: 000000000049bf00 R08: 0000000000000000 R09: 0000000000000000
> [ 15.293456] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049bf0c
> [ 15.294473] R13: 00007fff0004b6bf R14: 00007fae4a5ea000 R15: 0000000000000003
> [ 15.295492] Modules linked in:
> [ 15.295944] CR2: 0000000000000048
> [ 15.296567] Kernel Offset: disabled
> [ 15.296941] ---[ end Kernel panic - not syncing: Fatal exception ]---
>
> Reported-by: Christoph Paasch <cpaasch(a)apple.com>
> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/104
> Fixes: 84dfe3677a6f (mptcp: send out dedicated ADD_ADDR packet)
> Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
> ---
> Obsoletes: v1 (mptcp: avoid using the main socket to send ack)
> ---
> net/mptcp/options.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/mptcp/options.c b/net/mptcp/options.c
> index 5e7d7755d1a6..f4047ace032d 100644
> --- a/net/mptcp/options.c
> +++ b/net/mptcp/options.c
> @@ -606,6 +606,8 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff *
> skb && skb_is_tcp_pure_ack(skb)) {
> pr_debug("drop other suboptions");
> opts->suboptions = 0;
> + opts->ext_copy.use_ack = 0;
> + opts->ext_copy.use_map = 0;
> remaining += opt_size;
> drop_other_suboptions = true;
Very good catch! I hope this should also address issue/106.
LGTM!
Note: matttbe will possibly be unable to merge this (or any other)
patch soon, if so I think you can send it upstream to the -net tree, as
soon as net is rebased on top of current -net-next (or even directly to
net-next is that is still open).
Cheers,
Paolo
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-12-16 2:39 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-16 0:02 [MPTCP] Re: [MPTCP][PATCH v2 net-next] mptcp: clear use_ack and use_map when dropping other suboptions Mat Martineau
-- strict thread matches above, loose matches on Subject: below --
2020-12-16 2:39 Geliang Tang
2020-12-16 0:09 Mat Martineau
2020-12-15 9:42 Matthieu Baerts
2020-12-15 9:22 Paolo Abeni
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.