[PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Nguyen Dinh Phi]

icsk_ca_initialized be always set to zero before we examine it in if
block, this makes the congestion control module's initialization be
called even if the CC module was initialized already.
In case the CC module allocates and setups its dynamically allocated
private data in its init() function, e.g, CDG, the memory leak may occur.

Reported-by: syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com

Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
---
 net/ipv4/tcp_input.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 7d5e59f688de..855ada2be25e 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5922,7 +5922,6 @@ void tcp_init_transfer(struct sock *sk, int bpf_op, struct sk_buff *skb)
 		tp->snd_cwnd = tcp_init_cwnd(tp, __sk_dst_get(sk));
 	tp->snd_cwnd_stamp = tcp_jiffies32;

-	icsk->icsk_ca_initialized = 0;
 	bpf_skops_established(sk, bpf_op, skb);
 	if (!icsk->icsk_ca_initialized)
 		tcp_init_congestion_control(sk);
--
2.25.1

[PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Nguyen Dinh Phi]

icsk_ca_initialized be always set to zero before we examine it in if
block, this makes the congestion control module's initialization be
called even if the CC module was initialized already.
In case the CC module allocates and setups its dynamically allocated
private data in its init() function, e.g, CDG, the memory leak may occur.

Reported-by: syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com

Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
---
 net/ipv4/tcp_input.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 7d5e59f688de..855ada2be25e 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5922,7 +5922,6 @@ void tcp_init_transfer(struct sock *sk, int bpf_op, struct sk_buff *skb)
 		tp->snd_cwnd = tcp_init_cwnd(tp, __sk_dst_get(sk));
 	tp->snd_cwnd_stamp = tcp_jiffies32;

-	icsk->icsk_ca_initialized = 0;
 	bpf_skops_established(sk, bpf_op, skb);
 	if (!icsk->icsk_ca_initialized)
 		tcp_init_congestion_control(sk);
--
2.25.1

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Eric Dumazet]

On Mon, Jun 28, 2021 at 4:49 PM Nguyen Dinh Phi <phind.uet@gmail.com> wrote:
>
> icsk_ca_initialized be always set to zero before we examine it in if
> block, this makes the congestion control module's initialization be
> called even if the CC module was initialized already.
> In case the CC module allocates and setups its dynamically allocated
> private data in its init() function, e.g, CDG, the memory leak may occur.
>
> Reported-by: syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com
>
> Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
> ---
>  net/ipv4/tcp_input.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index 7d5e59f688de..855ada2be25e 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -5922,7 +5922,6 @@ void tcp_init_transfer(struct sock *sk, int bpf_op, struct sk_buff *skb)
>                 tp->snd_cwnd = tcp_init_cwnd(tp, __sk_dst_get(sk));
>         tp->snd_cwnd_stamp = tcp_jiffies32;
>
> -       icsk->icsk_ca_initialized = 0;

Unfortunately this patch might break things.

We keep changing this CC switching, with eBPF being mixed in the equation.

I would suggest you find a Fixes: tag first, so that we can continue
the discussion.

Thank you.

>         bpf_skops_established(sk, bpf_op, skb);
>         if (!icsk->icsk_ca_initialized)
>                 tcp_init_congestion_control(sk);
> --
> 2.25.1
>

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Eric Dumazet via Linux-kernel-mentees]

On Mon, Jun 28, 2021 at 4:49 PM Nguyen Dinh Phi <phind.uet@gmail.com> wrote:
>
> icsk_ca_initialized be always set to zero before we examine it in if
> block, this makes the congestion control module's initialization be
> called even if the CC module was initialized already.
> In case the CC module allocates and setups its dynamically allocated
> private data in its init() function, e.g, CDG, the memory leak may occur.
>
> Reported-by: syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com
>
> Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
> ---
>  net/ipv4/tcp_input.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index 7d5e59f688de..855ada2be25e 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -5922,7 +5922,6 @@ void tcp_init_transfer(struct sock *sk, int bpf_op, struct sk_buff *skb)
>                 tp->snd_cwnd = tcp_init_cwnd(tp, __sk_dst_get(sk));
>         tp->snd_cwnd_stamp = tcp_jiffies32;
>
> -       icsk->icsk_ca_initialized = 0;

Unfortunately this patch might break things.

We keep changing this CC switching, with eBPF being mixed in the equation.

I would suggest you find a Fixes: tag first, so that we can continue
the discussion.

Thank you.

>         bpf_skops_established(sk, bpf_op, skb);
>         if (!icsk->icsk_ca_initialized)
>                 tcp_init_congestion_control(sk);
> --
> 2.25.1
>
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Phi Nguyen]

On 6/28/2021 10:52 PM, Eric Dumazet wrote:

> Unfortunately this patch might break things.
> 
> We keep changing this CC switching, with eBPF being mixed in the equation.
> 
> I would suggest you find a Fixes: tag first, so that we can continue
> the discussion.
> 
> Thank you.

Thank for your feedback. I will resubmit it with a Fixes tag.

Regard.

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Phi Nguyen]

On 6/28/2021 10:52 PM, Eric Dumazet wrote:

> Unfortunately this patch might break things.
> 
> We keep changing this CC switching, with eBPF being mixed in the equation.
> 
> I would suggest you find a Fixes: tag first, so that we can continue
> the discussion.
> 
> Thank you.

Thank for your feedback. I will resubmit it with a Fixes tag.

Regard.
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Neal Cardwell]

On Mon, Jun 28, 2021 at 12:18 PM Phi Nguyen <phind.uet@gmail.com> wrote:
>
> On 6/28/2021 10:52 PM, Eric Dumazet wrote:
>
> > Unfortunately this patch might break things.
> >
> > We keep changing this CC switching, with eBPF being mixed in the equation.
> >
> > I would suggest you find a Fixes: tag first, so that we can continue
> > the discussion.
> >
> > Thank you.
>
> Thank for your feedback. I will resubmit it with a Fixes tag.
>
> Regard.

Thanks.

Can you also please provide a summary of the event sequence that
triggers the bug? Based on your Reported-by tag, I guess this is based
on the syzbot reproducer:

 https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ

but perhaps you can give a summary of the event sequence that causes
the bug? Is it that the call:

setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
&(0x7f0000000000)='cdg\x00', 0x4)

initializes the CC and happens before the connection is established,
and then when the connection is established, the line that sets:
  icsk->icsk_ca_initialized = 0;
is incorrect, causing the CC to be initialized again without first
calling the cleanup code that deallocates the CDG-allocated memory?

thanks,
neal

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Neal Cardwell via Linux-kernel-mentees]

On Mon, Jun 28, 2021 at 12:18 PM Phi Nguyen <phind.uet@gmail.com> wrote:
>
> On 6/28/2021 10:52 PM, Eric Dumazet wrote:
>
> > Unfortunately this patch might break things.
> >
> > We keep changing this CC switching, with eBPF being mixed in the equation.
> >
> > I would suggest you find a Fixes: tag first, so that we can continue
> > the discussion.
> >
> > Thank you.
>
> Thank for your feedback. I will resubmit it with a Fixes tag.
>
> Regard.

Thanks.

Can you also please provide a summary of the event sequence that
triggers the bug? Based on your Reported-by tag, I guess this is based
on the syzbot reproducer:

 https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ

but perhaps you can give a summary of the event sequence that causes
the bug? Is it that the call:

setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
&(0x7f0000000000)='cdg\x00', 0x4)

initializes the CC and happens before the connection is established,
and then when the connection is established, the line that sets:
  icsk->icsk_ca_initialized = 0;
is incorrect, causing the CC to be initialized again without first
calling the cleanup code that deallocates the CDG-allocated memory?

thanks,
neal
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Phi Nguyen]

On 6/29/2021 12:24 AM, Neal Cardwell wrote:

> Thanks.
> 
> Can you also please provide a summary of the event sequence that
> triggers the bug? Based on your Reported-by tag, I guess this is based
> on the syzbot reproducer:
> 
>   https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
> 
> but perhaps you can give a summary of the event sequence that causes
> the bug? Is it that the call:
> 
> setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> &(0x7f0000000000)='cdg\x00', 0x4)
> 
> initializes the CC and happens before the connection is established,
> and then when the connection is established, the line that sets:
>    icsk->icsk_ca_initialized = 0;
> is incorrect, causing the CC to be initialized again without first
> calling the cleanup code that deallocates the CDG-allocated memory?
> 
> thanks,
> neal
> 

Hi Neal,

The gdb stack trace that lead to init_transfer_input() is as bellow, the 
current sock state is TCP_SYN_RECV.

#0  tcp_cdg_init (sk=sk@entry=0xffff8880275fa080) at net/ipv4/tcp_cdg.c:380
#1  0xffffffff83a3c129 in tcp_init_congestion_control 
(sk=sk@entry=0xffff8880275fa080) at net/ipv4/tcp_cong.c:183
#2  0xffffffff83a21312 in tcp_init_transfer 
(sk=sk@entry=0xffff8880275fa080, bpf_op=bpf_op@entry=5, 
skb=skb@entry=0xffff888027704400) at net/ipv4/tcp_input.c:5928
#3  0xffffffff83a22a55 in tcp_rcv_state_process 
(sk=sk@entry=0xffff8880275fa080, skb=skb@entry=0xffff888027704400) at 
net/ipv4/tcp_input.c:6416
#4  0xffffffff83a35f8a in tcp_v4_do_rcv (sk=sk@entry=0xffff8880275fa080, 
skb=skb@entry=0xffff888027704400) at net/ipv4/tcp_ipv4.c:1716
#5  0xffffffff83a39300 in tcp_v4_rcv (skb=0xffff888027704400) at 
net/ipv4/tcp_ipv4.c:2087
#6  0xffffffff839eaf57 in ip_protocol_deliver_rcu 
(net=net@entry=0xffff888022858180, skb=skb@entry=0xffff888027704400, 
protocol=<optimized out>) at net/ipv4/ip_input.c:204
#7  0xffffffff839eb266 in ip_local_deliver_finish 
(net=0xffff888022858180, sk=<optimized out>, skb=0xffff888027704400) at 
./include/linux/skbuff.h:2544
#8  0xffffffff839eb34a in NF_HOOK (sk=0x0 <fixed_percpu_data>, pf=2 
'\002', hook=1, in=<optimized out>, out=0x0 <fixed_percpu_data>, 
okfn=0xffffffff839eb1f0 <ip_local_deliver_finish>,
     skb=0xffff888027704400, net=0xffff888022858180) at 
./include/linux/netfilter.h:307
#9  NF_HOOK (pf=2 '\002', sk=0x0 <fixed_percpu_data>, out=0x0 
<fixed_percpu_data>, okfn=0xffffffff839eb1f0 <ip_local_deliver_finish>, 
in=<optimized out>, skb=0xffff888027704400,
     net=0xffff888022858180, hook=1) at ./include/linux/netfilter.h:301
#10 ip_local_deliver (skb=0xffff888027704400) at net/ipv4/ip_input.c:252
#11 0xffffffff839ea58e in dst_input (skb=0xffff888027704400) at 
./include/linux/skbuff.h:980
#12 ip_rcv_finish (net=net@entry=0xffff888022858180, sk=sk@entry=0x0 
<fixed_percpu_data>, skb=skb@entry=0xffff888027704400) at 
net/ipv4/ip_input.c:429
#13 0xffffffff839eb4fa in NF_HOOK (sk=0x0 <fixed_percpu_data>, pf=2 
'\002', hook=0, in=0xffff888022a20000, out=0x0 <fixed_percpu_data>, 
okfn=0xffffffff839ea4b0 <ip_rcv_finish>, skb=0xffff888027704400,
     net=0xffff888022858180) at ./include/linux/netfilter.h:307
#14 NF_HOOK (pf=2 '\002', sk=0x0 <fixed_percpu_data>, out=0x0 
<fixed_percpu_data>, okfn=0xffffffff839ea4b0 <ip_rcv_finish>, 
in=0xffff888022a20000, skb=0xffff888027704400, net=0xffff888022858180,
     hook=0) at ./include/linux/netfilter.h:301
#15 ip_rcv (skb=0xffff888027704400, dev=0xffff888022a20000, 
pt=<optimized out>, orig_dev=<optimized out>) at net/ipv4/ip_input.c:540
#16 0xffffffff83712acf in __netif_receive_skb_one_core (skb=<optimized 
out>, skb@entry=0xffff888027704400, pfmemalloc=pfmemalloc@entry=false) 
at net/core/dev.c:5482
#17 0xffffffff83712b59 in __netif_receive_skb (skb=0xffff888027704400) 
at net/core/dev.c:5596
#18 0xffffffff83712f09 in process_backlog (napi=0xffff88803ec2c8d0, 
quota=64) at net/core/dev.c:6460
#19 0xffffffff837159f2 in __napi_poll (n=n@entry=0xffff88803ec2c8d0, 
repoll=repoll@entry=0xffffc900007b7e0f) at net/core/dev.c:7015
#20 0xffffffff837161b2 in napi_poll (repoll=0xffffc900007b7e20, 
n=0xffff88803ec2c8d0) at net/core/dev.c:7082
#21 net_rx_action (h=<optimized out>) at net/core/dev.c:7169
#22 0xffffffff84600114 in __do_softirq () at kernel/softirq.c:558
#23 0xffffffff81241506 in run_ksoftirqd (cpu=<optimized out>) at 
kernel/softirq.c:920
#24 run_ksoftirqd (cpu=<optimized out>) at kernel/softirq.c:912
#25 0xffffffff8127ec83 in smpboot_thread_fn (data=0xffff888008f70240) at 
kernel/smpboot.c:164
#26 0xffffffff81274475 in kthread (_create=<optimized out>) at 
kernel/kthread.c:319
#27 0xffffffff8100230f in ret_from_fork () at arch/x86/entry/entry_64.S:295
#28 0x0000000000000000 in ?? ()

Best Regards.

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Phi Nguyen]

On 6/29/2021 12:24 AM, Neal Cardwell wrote:

> Thanks.
> 
> Can you also please provide a summary of the event sequence that
> triggers the bug? Based on your Reported-by tag, I guess this is based
> on the syzbot reproducer:
> 
>   https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
> 
> but perhaps you can give a summary of the event sequence that causes
> the bug? Is it that the call:
> 
> setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> &(0x7f0000000000)='cdg\x00', 0x4)
> 
> initializes the CC and happens before the connection is established,
> and then when the connection is established, the line that sets:
>    icsk->icsk_ca_initialized = 0;
> is incorrect, causing the CC to be initialized again without first
> calling the cleanup code that deallocates the CDG-allocated memory?
> 
> thanks,
> neal
> 

Hi Neal,

The gdb stack trace that lead to init_transfer_input() is as bellow, the 
current sock state is TCP_SYN_RECV.

#0  tcp_cdg_init (sk=sk@entry=0xffff8880275fa080) at net/ipv4/tcp_cdg.c:380
#1  0xffffffff83a3c129 in tcp_init_congestion_control 
(sk=sk@entry=0xffff8880275fa080) at net/ipv4/tcp_cong.c:183
#2  0xffffffff83a21312 in tcp_init_transfer 
(sk=sk@entry=0xffff8880275fa080, bpf_op=bpf_op@entry=5, 
skb=skb@entry=0xffff888027704400) at net/ipv4/tcp_input.c:5928
#3  0xffffffff83a22a55 in tcp_rcv_state_process 
(sk=sk@entry=0xffff8880275fa080, skb=skb@entry=0xffff888027704400) at 
net/ipv4/tcp_input.c:6416
#4  0xffffffff83a35f8a in tcp_v4_do_rcv (sk=sk@entry=0xffff8880275fa080, 
skb=skb@entry=0xffff888027704400) at net/ipv4/tcp_ipv4.c:1716
#5  0xffffffff83a39300 in tcp_v4_rcv (skb=0xffff888027704400) at 
net/ipv4/tcp_ipv4.c:2087
#6  0xffffffff839eaf57 in ip_protocol_deliver_rcu 
(net=net@entry=0xffff888022858180, skb=skb@entry=0xffff888027704400, 
protocol=<optimized out>) at net/ipv4/ip_input.c:204
#7  0xffffffff839eb266 in ip_local_deliver_finish 
(net=0xffff888022858180, sk=<optimized out>, skb=0xffff888027704400) at 
./include/linux/skbuff.h:2544
#8  0xffffffff839eb34a in NF_HOOK (sk=0x0 <fixed_percpu_data>, pf=2 
'\002', hook=1, in=<optimized out>, out=0x0 <fixed_percpu_data>, 
okfn=0xffffffff839eb1f0 <ip_local_deliver_finish>,
     skb=0xffff888027704400, net=0xffff888022858180) at 
./include/linux/netfilter.h:307
#9  NF_HOOK (pf=2 '\002', sk=0x0 <fixed_percpu_data>, out=0x0 
<fixed_percpu_data>, okfn=0xffffffff839eb1f0 <ip_local_deliver_finish>, 
in=<optimized out>, skb=0xffff888027704400,
     net=0xffff888022858180, hook=1) at ./include/linux/netfilter.h:301
#10 ip_local_deliver (skb=0xffff888027704400) at net/ipv4/ip_input.c:252
#11 0xffffffff839ea58e in dst_input (skb=0xffff888027704400) at 
./include/linux/skbuff.h:980
#12 ip_rcv_finish (net=net@entry=0xffff888022858180, sk=sk@entry=0x0 
<fixed_percpu_data>, skb=skb@entry=0xffff888027704400) at 
net/ipv4/ip_input.c:429
#13 0xffffffff839eb4fa in NF_HOOK (sk=0x0 <fixed_percpu_data>, pf=2 
'\002', hook=0, in=0xffff888022a20000, out=0x0 <fixed_percpu_data>, 
okfn=0xffffffff839ea4b0 <ip_rcv_finish>, skb=0xffff888027704400,
     net=0xffff888022858180) at ./include/linux/netfilter.h:307
#14 NF_HOOK (pf=2 '\002', sk=0x0 <fixed_percpu_data>, out=0x0 
<fixed_percpu_data>, okfn=0xffffffff839ea4b0 <ip_rcv_finish>, 
in=0xffff888022a20000, skb=0xffff888027704400, net=0xffff888022858180,
     hook=0) at ./include/linux/netfilter.h:301
#15 ip_rcv (skb=0xffff888027704400, dev=0xffff888022a20000, 
pt=<optimized out>, orig_dev=<optimized out>) at net/ipv4/ip_input.c:540
#16 0xffffffff83712acf in __netif_receive_skb_one_core (skb=<optimized 
out>, skb@entry=0xffff888027704400, pfmemalloc=pfmemalloc@entry=false) 
at net/core/dev.c:5482
#17 0xffffffff83712b59 in __netif_receive_skb (skb=0xffff888027704400) 
at net/core/dev.c:5596
#18 0xffffffff83712f09 in process_backlog (napi=0xffff88803ec2c8d0, 
quota=64) at net/core/dev.c:6460
#19 0xffffffff837159f2 in __napi_poll (n=n@entry=0xffff88803ec2c8d0, 
repoll=repoll@entry=0xffffc900007b7e0f) at net/core/dev.c:7015
#20 0xffffffff837161b2 in napi_poll (repoll=0xffffc900007b7e20, 
n=0xffff88803ec2c8d0) at net/core/dev.c:7082
#21 net_rx_action (h=<optimized out>) at net/core/dev.c:7169
#22 0xffffffff84600114 in __do_softirq () at kernel/softirq.c:558
#23 0xffffffff81241506 in run_ksoftirqd (cpu=<optimized out>) at 
kernel/softirq.c:920
#24 run_ksoftirqd (cpu=<optimized out>) at kernel/softirq.c:912
#25 0xffffffff8127ec83 in smpboot_thread_fn (data=0xffff888008f70240) at 
kernel/smpboot.c:164
#26 0xffffffff81274475 in kthread (_create=<optimized out>) at 
kernel/kthread.c:319
#27 0xffffffff8100230f in ret_from_fork () at arch/x86/entry/entry_64.S:295
#28 0x0000000000000000 in ?? ()

Best Regards.
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Neal Cardwell]

)

On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com> wrote:
>
> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
>
> > Thanks.
> >
> > Can you also please provide a summary of the event sequence that
> > triggers the bug? Based on your Reported-by tag, I guess this is based
> > on the syzbot reproducer:
> >
> >   https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
> >
> > but perhaps you can give a summary of the event sequence that causes
> > the bug? Is it that the call:
> >
> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> > &(0x7f0000000000)='cdg\x00', 0x4)
> >
> > initializes the CC and happens before the connection is established,
> > and then when the connection is established, the line that sets:
> >    icsk->icsk_ca_initialized = 0;
> > is incorrect, causing the CC to be initialized again without first
> > calling the cleanup code that deallocates the CDG-allocated memory?
> >
> > thanks,
> > neal
> >
>
> Hi Neal,
>
> The gdb stack trace that lead to init_transfer_input() is as bellow, the
> current sock state is TCP_SYN_RECV.

Thanks. That makes sense as a snapshot of time for
tcp_init_transfer(), but I think what would be more useful would be a
description of the sequence of events, including when the CC was
initialized previous to that point (as noted above, was it that the
setsockopt(TCP_CONGESTION) completed before that point?).

thanks,
neal

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Neal Cardwell via Linux-kernel-mentees]

)

On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com> wrote:
>
> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
>
> > Thanks.
> >
> > Can you also please provide a summary of the event sequence that
> > triggers the bug? Based on your Reported-by tag, I guess this is based
> > on the syzbot reproducer:
> >
> >   https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
> >
> > but perhaps you can give a summary of the event sequence that causes
> > the bug? Is it that the call:
> >
> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> > &(0x7f0000000000)='cdg\x00', 0x4)
> >
> > initializes the CC and happens before the connection is established,
> > and then when the connection is established, the line that sets:
> >    icsk->icsk_ca_initialized = 0;
> > is incorrect, causing the CC to be initialized again without first
> > calling the cleanup code that deallocates the CDG-allocated memory?
> >
> > thanks,
> > neal
> >
>
> Hi Neal,
>
> The gdb stack trace that lead to init_transfer_input() is as bellow, the
> current sock state is TCP_SYN_RECV.

Thanks. That makes sense as a snapshot of time for
tcp_init_transfer(), but I think what would be more useful would be a
description of the sequence of events, including when the CC was
initialized previous to that point (as noted above, was it that the
setsockopt(TCP_CONGESTION) completed before that point?).

thanks,
neal
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Martin KaFai Lau]

On Mon, Jun 28, 2021 at 01:20:19PM -0400, Neal Cardwell wrote:
> )
> 
> On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com> wrote:
> >
> > On 6/29/2021 12:24 AM, Neal Cardwell wrote:
> >
> > > Thanks.
> > >
> > > Can you also please provide a summary of the event sequence that
> > > triggers the bug? Based on your Reported-by tag, I guess this is based
> > > on the syzbot reproducer:
> > >
> > >   https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ 
> > >
> > > but perhaps you can give a summary of the event sequence that causes
> > > the bug? Is it that the call:
> > >
> > > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> > > &(0x7f0000000000)='cdg\x00', 0x4)
> > >
> > > initializes the CC and happens before the connection is established,
> > > and then when the connection is established, the line that sets:
> > >    icsk->icsk_ca_initialized = 0;
> > > is incorrect, causing the CC to be initialized again without first
> > > calling the cleanup code that deallocates the CDG-allocated memory?
> > >
> > > thanks,
> > > neal
> > >
> >
> > Hi Neal,
> >
> > The gdb stack trace that lead to init_transfer_input() is as bellow, the
> > current sock state is TCP_SYN_RECV.
> 
> Thanks. That makes sense as a snapshot of time for
> tcp_init_transfer(), but I think what would be more useful would be a
> description of the sequence of events, including when the CC was
> initialized previous to that point (as noted above, was it that the
> setsockopt(TCP_CONGESTION) completed before that point?).
+1.  It needs to first explain when was the very first CC initialized.

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Martin KaFai Lau via Linux-kernel-mentees]

On Mon, Jun 28, 2021 at 01:20:19PM -0400, Neal Cardwell wrote:
> )
> 
> On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com> wrote:
> >
> > On 6/29/2021 12:24 AM, Neal Cardwell wrote:
> >
> > > Thanks.
> > >
> > > Can you also please provide a summary of the event sequence that
> > > triggers the bug? Based on your Reported-by tag, I guess this is based
> > > on the syzbot reproducer:
> > >
> > >   https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ 
> > >
> > > but perhaps you can give a summary of the event sequence that causes
> > > the bug? Is it that the call:
> > >
> > > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> > > &(0x7f0000000000)='cdg\x00', 0x4)
> > >
> > > initializes the CC and happens before the connection is established,
> > > and then when the connection is established, the line that sets:
> > >    icsk->icsk_ca_initialized = 0;
> > > is incorrect, causing the CC to be initialized again without first
> > > calling the cleanup code that deallocates the CDG-allocated memory?
> > >
> > > thanks,
> > > neal
> > >
> >
> > Hi Neal,
> >
> > The gdb stack trace that lead to init_transfer_input() is as bellow, the
> > current sock state is TCP_SYN_RECV.
> 
> Thanks. That makes sense as a snapshot of time for
> tcp_init_transfer(), but I think what would be more useful would be a
> description of the sequence of events, including when the CC was
> initialized previous to that point (as noted above, was it that the
> setsockopt(TCP_CONGESTION) completed before that point?).
+1.  It needs to first explain when was the very first CC initialized.
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Phi Nguyen Dinh]

[-- Attachment #1.1: Type: text/plain, Size: 1744 bytes --]

Yes, the CC had been initialized by setsockopt, after that, it was
intialized again in function tcp_init_transfer() because of
setting icsk_ca_initialized to 0.

Regards,

On Tue, Jun 29, 2021, 01:20 Neal Cardwell <ncardwell@google.com> wrote:

> )
>
> On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com> wrote:
> >
> > On 6/29/2021 12:24 AM, Neal Cardwell wrote:
> >
> > > Thanks.
> > >
> > > Can you also please provide a summary of the event sequence that
> > > triggers the bug? Based on your Reported-by tag, I guess this is based
> > > on the syzbot reproducer:
> > >
> > >
> https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
> > >
> > > but perhaps you can give a summary of the event sequence that causes
> > > the bug? Is it that the call:
> > >
> > > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> > > &(0x7f0000000000)='cdg\x00', 0x4)
> > >
> > > initializes the CC and happens before the connection is established,
> > > and then when the connection is established, the line that sets:
> > >    icsk->icsk_ca_initialized = 0;
> > > is incorrect, causing the CC to be initialized again without first
> > > calling the cleanup code that deallocates the CDG-allocated memory?
> > >
> > > thanks,
> > > neal
> > >
> >
> > Hi Neal,
> >
> > The gdb stack trace that lead to init_transfer_input() is as bellow, the
> > current sock state is TCP_SYN_RECV.
>
> Thanks. That makes sense as a snapshot of time for
> tcp_init_transfer(), but I think what would be more useful would be a
> description of the sequence of events, including when the CC was
> initialized previous to that point (as noted above, was it that the
> setsockopt(TCP_CONGESTION) completed before that point?).
>
> thanks,
> neal
>

[-- Attachment #1.2: Type: text/html, Size: 2802 bytes --]

[-- Attachment #2: Type: text/plain, Size: 201 bytes --]

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Nguyen Dinh Phi]

On June 29, 2021 1:20:19 AM GMT+08:00, Neal Cardwell <ncardwell@google.com> wrote:
>)
>
>On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com> wrote:
>>
>> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
>>
>> > Thanks.
>> >
>> > Can you also please provide a summary of the event sequence that
>> > triggers the bug? Based on your Reported-by tag, I guess this is
>based
>> > on the syzbot reproducer:
>> >
>> >  
>https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
>> >
>> > but perhaps you can give a summary of the event sequence that
>causes
>> > the bug? Is it that the call:
>> >
>> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
>> > &(0x7f0000000000)='cdg\x00', 0x4)
>> >
>> > initializes the CC and happens before the connection is
>established,
>> > and then when the connection is established, the line that sets:
>> >    icsk->icsk_ca_initialized = 0;
>> > is incorrect, causing the CC to be initialized again without first
>> > calling the cleanup code that deallocates the CDG-allocated memory?
>> >
>> > thanks,
>> > neal
>> >
>>
>> Hi Neal,
>>
>> The gdb stack trace that lead to init_transfer_input() is as bellow,
>the
>> current sock state is TCP_SYN_RECV.
>
>Thanks. That makes sense as a snapshot of time for
>tcp_init_transfer(), but I think what would be more useful would be a
>description of the sequence of events, including when the CC was
>initialized previous to that point (as noted above, was it that the
>setsockopt(TCP_CONGESTION) completed before that point?).
>
>thanks,
>neal

I resend my message because I accidently used html format in last one. I am very sorry for the inconvenience caused.
---
Yes, the CC had been initialized by the setsockopt, after that, it was initialized again in function tcp_init_transfer() because of setting isck_ca_initialized to 0.
Regards, 
Phi.

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Nguyen Dinh Phi]

On June 29, 2021 1:20:19 AM GMT+08:00, Neal Cardwell <ncardwell@google.com> wrote:
>)
>
>On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com> wrote:
>>
>> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
>>
>> > Thanks.
>> >
>> > Can you also please provide a summary of the event sequence that
>> > triggers the bug? Based on your Reported-by tag, I guess this is
>based
>> > on the syzbot reproducer:
>> >
>> >  
>https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
>> >
>> > but perhaps you can give a summary of the event sequence that
>causes
>> > the bug? Is it that the call:
>> >
>> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
>> > &(0x7f0000000000)='cdg\x00', 0x4)
>> >
>> > initializes the CC and happens before the connection is
>established,
>> > and then when the connection is established, the line that sets:
>> >    icsk->icsk_ca_initialized = 0;
>> > is incorrect, causing the CC to be initialized again without first
>> > calling the cleanup code that deallocates the CDG-allocated memory?
>> >
>> > thanks,
>> > neal
>> >
>>
>> Hi Neal,
>>
>> The gdb stack trace that lead to init_transfer_input() is as bellow,
>the
>> current sock state is TCP_SYN_RECV.
>
>Thanks. That makes sense as a snapshot of time for
>tcp_init_transfer(), but I think what would be more useful would be a
>description of the sequence of events, including when the CC was
>initialized previous to that point (as noted above, was it that the
>setsockopt(TCP_CONGESTION) completed before that point?).
>
>thanks,
>neal

I resend my message because I accidently used html format in last one. I am very sorry for the inconvenience caused.
---
Yes, the CC had been initialized by the setsockopt, after that, it was initialized again in function tcp_init_transfer() because of setting isck_ca_initialized to 0.
Regards, 
Phi.
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Eric Dumazet]

On Tue, Jun 29, 2021 at 9:17 AM Nguyen Dinh Phi <phind.uet@gmail.com> wrote:
>
> On June 29, 2021 1:20:19 AM GMT+08:00, Neal Cardwell <ncardwell@google.com> wrote:
> >)
> >
> >On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com> wrote:
> >>
> >> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
> >>
> >> > Thanks.
> >> >
> >> > Can you also please provide a summary of the event sequence that
> >> > triggers the bug? Based on your Reported-by tag, I guess this is
> >based
> >> > on the syzbot reproducer:
> >> >
> >> >
> >https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
> >> >
> >> > but perhaps you can give a summary of the event sequence that
> >causes
> >> > the bug? Is it that the call:
> >> >
> >> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> >> > &(0x7f0000000000)='cdg\x00', 0x4)
> >> >
> >> > initializes the CC and happens before the connection is
> >established,
> >> > and then when the connection is established, the line that sets:
> >> >    icsk->icsk_ca_initialized = 0;
> >> > is incorrect, causing the CC to be initialized again without first
> >> > calling the cleanup code that deallocates the CDG-allocated memory?
> >> >
> >> > thanks,
> >> > neal
> >> >
> >>
> >> Hi Neal,
> >>
> >> The gdb stack trace that lead to init_transfer_input() is as bellow,
> >the
> >> current sock state is TCP_SYN_RECV.
> >
> >Thanks. That makes sense as a snapshot of time for
> >tcp_init_transfer(), but I think what would be more useful would be a
> >description of the sequence of events, including when the CC was
> >initialized previous to that point (as noted above, was it that the
> >setsockopt(TCP_CONGESTION) completed before that point?).
> >
> >thanks,
> >neal
>
> I resend my message because I accidently used html format in last one. I am very sorry for the inconvenience caused.
> ---
> Yes, the CC had been initialized by the setsockopt, after that, it was initialized again in function tcp_init_transfer() because of setting isck_ca_initialized to 0.

"the setsockopt" is rather vague, sorry.


The hard part is that all scenarios have to be considered.

TCP flows can either be passive and active.

CC can be set :

1) Before the connect() or accept()
2) After the connect() or accept()
3) after the connect() but before 3WHS is completed.

So we need to make sure all cases will still work with any combination
of CDG CC (before/after) in the picture.

Note that a memory leak for a restricted CC (CDG can only be used by
CAP_NET_ADMIN privileged user)
 is a small problem compared to more serious bug that could be added
by an incomplete fix.

I also note that if icsk_ca_priv] was increased from 104 to 120 bytes,
tcp_cdg would no longer need a dynamic memory allocation.

Thank you.

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Eric Dumazet via Linux-kernel-mentees]

On Tue, Jun 29, 2021 at 9:17 AM Nguyen Dinh Phi <phind.uet@gmail.com> wrote:
>
> On June 29, 2021 1:20:19 AM GMT+08:00, Neal Cardwell <ncardwell@google.com> wrote:
> >)
> >
> >On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com> wrote:
> >>
> >> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
> >>
> >> > Thanks.
> >> >
> >> > Can you also please provide a summary of the event sequence that
> >> > triggers the bug? Based on your Reported-by tag, I guess this is
> >based
> >> > on the syzbot reproducer:
> >> >
> >> >
> >https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
> >> >
> >> > but perhaps you can give a summary of the event sequence that
> >causes
> >> > the bug? Is it that the call:
> >> >
> >> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> >> > &(0x7f0000000000)='cdg\x00', 0x4)
> >> >
> >> > initializes the CC and happens before the connection is
> >established,
> >> > and then when the connection is established, the line that sets:
> >> >    icsk->icsk_ca_initialized = 0;
> >> > is incorrect, causing the CC to be initialized again without first
> >> > calling the cleanup code that deallocates the CDG-allocated memory?
> >> >
> >> > thanks,
> >> > neal
> >> >
> >>
> >> Hi Neal,
> >>
> >> The gdb stack trace that lead to init_transfer_input() is as bellow,
> >the
> >> current sock state is TCP_SYN_RECV.
> >
> >Thanks. That makes sense as a snapshot of time for
> >tcp_init_transfer(), but I think what would be more useful would be a
> >description of the sequence of events, including when the CC was
> >initialized previous to that point (as noted above, was it that the
> >setsockopt(TCP_CONGESTION) completed before that point?).
> >
> >thanks,
> >neal
>
> I resend my message because I accidently used html format in last one. I am very sorry for the inconvenience caused.
> ---
> Yes, the CC had been initialized by the setsockopt, after that, it was initialized again in function tcp_init_transfer() because of setting isck_ca_initialized to 0.

"the setsockopt" is rather vague, sorry.


The hard part is that all scenarios have to be considered.

TCP flows can either be passive and active.

CC can be set :

1) Before the connect() or accept()
2) After the connect() or accept()
3) after the connect() but before 3WHS is completed.

So we need to make sure all cases will still work with any combination
of CDG CC (before/after) in the picture.

Note that a memory leak for a restricted CC (CDG can only be used by
CAP_NET_ADMIN privileged user)
 is a small problem compared to more serious bug that could be added
by an incomplete fix.

I also note that if icsk_ca_priv] was increased from 104 to 120 bytes,
tcp_cdg would no longer need a dynamic memory allocation.

Thank you.
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Nguyen Dinh Phi]

On June 29, 2021 4:21:59 PM GMT+08:00, Eric Dumazet <edumazet@google.com> wrote:
>On Tue, Jun 29, 2021 at 9:17 AM Nguyen Dinh Phi <phind.uet@gmail.com>
>wrote:
>>
>> On June 29, 2021 1:20:19 AM GMT+08:00, Neal Cardwell
><ncardwell@google.com> wrote:
>> >)
>> >
>> >On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com>
>wrote:
>> >>
>> >> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
>> >>
>> >> > Thanks.
>> >> >
>> >> > Can you also please provide a summary of the event sequence that
>> >> > triggers the bug? Based on your Reported-by tag, I guess this is
>> >based
>> >> > on the syzbot reproducer:
>> >> >
>> >> >
>>
>>https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
>> >> >
>> >> > but perhaps you can give a summary of the event sequence that
>> >causes
>> >> > the bug? Is it that the call:
>> >> >
>> >> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
>> >> > &(0x7f0000000000)='cdg\x00', 0x4)
>> >> >
>> >> > initializes the CC and happens before the connection is
>> >established,
>> >> > and then when the connection is established, the line that sets:
>> >> >    icsk->icsk_ca_initialized = 0;
>> >> > is incorrect, causing the CC to be initialized again without
>first
>> >> > calling the cleanup code that deallocates the CDG-allocated
>memory?
>> >> >
>> >> > thanks,
>> >> > neal
>> >> >
>> >>
>> >> Hi Neal,
>> >>
>> >> The gdb stack trace that lead to init_transfer_input() is as
>bellow,
>> >the
>> >> current sock state is TCP_SYN_RECV.
>> >
>> >Thanks. That makes sense as a snapshot of time for
>> >tcp_init_transfer(), but I think what would be more useful would be
>a
>> >description of the sequence of events, including when the CC was
>> >initialized previous to that point (as noted above, was it that the
>> >setsockopt(TCP_CONGESTION) completed before that point?).
>> >
>> >thanks,
>> >neal
>>
>> I resend my message because I accidently used html format in last
>one. I am very sorry for the inconvenience caused.
>> ---
>> Yes, the CC had been initialized by the setsockopt, after that, it
>was initialized again in function tcp_init_transfer() because of
>setting isck_ca_initialized to 0.
>
>"the setsockopt" is rather vague, sorry.
>
>
>The hard part is that all scenarios have to be considered.
>
>TCP flows can either be passive and active.
>
>CC can be set :
>
>1) Before the connect() or accept()
>2) After the connect() or accept()
>3) after the connect() but before 3WHS is completed.
>
>So we need to make sure all cases will still work with any combination
>of CDG CC (before/after) in the picture.
>
>Note that a memory leak for a restricted CC (CDG can only be used by
>CAP_NET_ADMIN privileged user)
> is a small problem compared to more serious bug that could be added
>by an incomplete fix.
>
>I also note that if icsk_ca_priv] was increased from 104 to 120 bytes,
>tcp_cdg would no longer need a dynamic memory allocation.
>
>Thank you.

Hi, 
I will try to see whether I am able to get the full sequence. I am also affraid of making a change that could affect big part of the kernel.
About CDG, how we can get rid of dynamic allocation by increasing icsk_priv_data to 120? because I see that the window size is a module parameter, so I guess it is not a fixed value. 
Because the problem only happens with CDG, is adding check in its tcp_cdg_init() function Ok? And about  icsk_ca_initialized, Could I expect it to be 0 in CC's init functions?

Thank you.

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Nguyen Dinh Phi]

On June 29, 2021 4:21:59 PM GMT+08:00, Eric Dumazet <edumazet@google.com> wrote:
>On Tue, Jun 29, 2021 at 9:17 AM Nguyen Dinh Phi <phind.uet@gmail.com>
>wrote:
>>
>> On June 29, 2021 1:20:19 AM GMT+08:00, Neal Cardwell
><ncardwell@google.com> wrote:
>> >)
>> >
>> >On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com>
>wrote:
>> >>
>> >> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
>> >>
>> >> > Thanks.
>> >> >
>> >> > Can you also please provide a summary of the event sequence that
>> >> > triggers the bug? Based on your Reported-by tag, I guess this is
>> >based
>> >> > on the syzbot reproducer:
>> >> >
>> >> >
>>
>>https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
>> >> >
>> >> > but perhaps you can give a summary of the event sequence that
>> >causes
>> >> > the bug? Is it that the call:
>> >> >
>> >> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
>> >> > &(0x7f0000000000)='cdg\x00', 0x4)
>> >> >
>> >> > initializes the CC and happens before the connection is
>> >established,
>> >> > and then when the connection is established, the line that sets:
>> >> >    icsk->icsk_ca_initialized = 0;
>> >> > is incorrect, causing the CC to be initialized again without
>first
>> >> > calling the cleanup code that deallocates the CDG-allocated
>memory?
>> >> >
>> >> > thanks,
>> >> > neal
>> >> >
>> >>
>> >> Hi Neal,
>> >>
>> >> The gdb stack trace that lead to init_transfer_input() is as
>bellow,
>> >the
>> >> current sock state is TCP_SYN_RECV.
>> >
>> >Thanks. That makes sense as a snapshot of time for
>> >tcp_init_transfer(), but I think what would be more useful would be
>a
>> >description of the sequence of events, including when the CC was
>> >initialized previous to that point (as noted above, was it that the
>> >setsockopt(TCP_CONGESTION) completed before that point?).
>> >
>> >thanks,
>> >neal
>>
>> I resend my message because I accidently used html format in last
>one. I am very sorry for the inconvenience caused.
>> ---
>> Yes, the CC had been initialized by the setsockopt, after that, it
>was initialized again in function tcp_init_transfer() because of
>setting isck_ca_initialized to 0.
>
>"the setsockopt" is rather vague, sorry.
>
>
>The hard part is that all scenarios have to be considered.
>
>TCP flows can either be passive and active.
>
>CC can be set :
>
>1) Before the connect() or accept()
>2) After the connect() or accept()
>3) after the connect() but before 3WHS is completed.
>
>So we need to make sure all cases will still work with any combination
>of CDG CC (before/after) in the picture.
>
>Note that a memory leak for a restricted CC (CDG can only be used by
>CAP_NET_ADMIN privileged user)
> is a small problem compared to more serious bug that could be added
>by an incomplete fix.
>
>I also note that if icsk_ca_priv] was increased from 104 to 120 bytes,
>tcp_cdg would no longer need a dynamic memory allocation.
>
>Thank you.

Hi, 
I will try to see whether I am able to get the full sequence. I am also affraid of making a change that could affect big part of the kernel.
About CDG, how we can get rid of dynamic allocation by increasing icsk_priv_data to 120? because I see that the window size is a module parameter, so I guess it is not a fixed value. 
Because the problem only happens with CDG, is adding check in its tcp_cdg_init() function Ok? And about  icsk_ca_initialized, Could I expect it to be 0 in CC's init functions?

Thank you.
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Eric Dumazet]

On Tue, Jun 29, 2021 at 2:28 PM Nguyen Dinh Phi <phind.uet@gmail.com> wrote:
>
> On June 29, 2021 4:21:59 PM GMT+08:00, Eric Dumazet <edumazet@google.com> wrote:
> >On Tue, Jun 29, 2021 at 9:17 AM Nguyen Dinh Phi <phind.uet@gmail.com>
> >wrote:
> >>
> >> On June 29, 2021 1:20:19 AM GMT+08:00, Neal Cardwell
> ><ncardwell@google.com> wrote:
> >> >)
> >> >
> >> >On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com>
> >wrote:
> >> >>
> >> >> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
> >> >>
> >> >> > Thanks.
> >> >> >
> >> >> > Can you also please provide a summary of the event sequence that
> >> >> > triggers the bug? Based on your Reported-by tag, I guess this is
> >> >based
> >> >> > on the syzbot reproducer:
> >> >> >
> >> >> >
> >>
> >>https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
> >> >> >
> >> >> > but perhaps you can give a summary of the event sequence that
> >> >causes
> >> >> > the bug? Is it that the call:
> >> >> >
> >> >> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> >> >> > &(0x7f0000000000)='cdg\x00', 0x4)
> >> >> >
> >> >> > initializes the CC and happens before the connection is
> >> >established,
> >> >> > and then when the connection is established, the line that sets:
> >> >> >    icsk->icsk_ca_initialized = 0;
> >> >> > is incorrect, causing the CC to be initialized again without
> >first
> >> >> > calling the cleanup code that deallocates the CDG-allocated
> >memory?
> >> >> >
> >> >> > thanks,
> >> >> > neal
> >> >> >
> >> >>
> >> >> Hi Neal,
> >> >>
> >> >> The gdb stack trace that lead to init_transfer_input() is as
> >bellow,
> >> >the
> >> >> current sock state is TCP_SYN_RECV.
> >> >
> >> >Thanks. That makes sense as a snapshot of time for
> >> >tcp_init_transfer(), but I think what would be more useful would be
> >a
> >> >description of the sequence of events, including when the CC was
> >> >initialized previous to that point (as noted above, was it that the
> >> >setsockopt(TCP_CONGESTION) completed before that point?).
> >> >
> >> >thanks,
> >> >neal
> >>
> >> I resend my message because I accidently used html format in last
> >one. I am very sorry for the inconvenience caused.
> >> ---
> >> Yes, the CC had been initialized by the setsockopt, after that, it
> >was initialized again in function tcp_init_transfer() because of
> >setting isck_ca_initialized to 0.
> >
> >"the setsockopt" is rather vague, sorry.
> >
> >
> >The hard part is that all scenarios have to be considered.
> >
> >TCP flows can either be passive and active.
> >
> >CC can be set :
> >
> >1) Before the connect() or accept()
> >2) After the connect() or accept()
> >3) after the connect() but before 3WHS is completed.
> >
> >So we need to make sure all cases will still work with any combination
> >of CDG CC (before/after) in the picture.
> >
> >Note that a memory leak for a restricted CC (CDG can only be used by
> >CAP_NET_ADMIN privileged user)
> > is a small problem compared to more serious bug that could be added
> >by an incomplete fix.
> >
> >I also note that if icsk_ca_priv] was increased from 104 to 120 bytes,
> >tcp_cdg would no longer need a dynamic memory allocation.
> >
> >Thank you.
>
> Hi,
> I will try to see whether I am able to get the full sequence. I am also affraid of making a change that could affect big part of the kernel.
> About CDG, how we can get rid of dynamic allocation by increasing icsk_priv_data to 120? because I see that the window size is a module parameter, so I guess it is not a fixed value.

Given this module parameter is constant, I doubt anyone really uses a
bigger window.
If researchers want to experiment bigger window, they could adjust a
macro and recompile (#define TCP_CDG_WINDOW 8 -> X)

> Because the problem only happens with CDG, is adding check in its tcp_cdg_init() function Ok? And about  icsk_ca_initialized, Could I expect it to be 0 in CC's init functions?

I think icsk_ca_initialized  lost its strong meaning when CDG was
introduced (since this is the only CC allocating memory)

The bug really is that before clearing icsk_ca_initialized we should
call cc->release()

Maybe we missed this cleanup in commit
8919a9b31eb4fb4c0a93e5fb350a626924302aa6 ("tcp: Only init congestion
control if not initialized already")

Although I am not sure what happens at accept() time when the listener
socket is cloned.

If we make any hypothesis, we need to check all CC modules to make
sure they respect it.

>
> Thank you.

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Eric Dumazet via Linux-kernel-mentees]

On Tue, Jun 29, 2021 at 2:28 PM Nguyen Dinh Phi <phind.uet@gmail.com> wrote:
>
> On June 29, 2021 4:21:59 PM GMT+08:00, Eric Dumazet <edumazet@google.com> wrote:
> >On Tue, Jun 29, 2021 at 9:17 AM Nguyen Dinh Phi <phind.uet@gmail.com>
> >wrote:
> >>
> >> On June 29, 2021 1:20:19 AM GMT+08:00, Neal Cardwell
> ><ncardwell@google.com> wrote:
> >> >)
> >> >
> >> >On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen <phind.uet@gmail.com>
> >wrote:
> >> >>
> >> >> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
> >> >>
> >> >> > Thanks.
> >> >> >
> >> >> > Can you also please provide a summary of the event sequence that
> >> >> > triggers the bug? Based on your Reported-by tag, I guess this is
> >> >based
> >> >> > on the syzbot reproducer:
> >> >> >
> >> >> >
> >>
> >>https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
> >> >> >
> >> >> > but perhaps you can give a summary of the event sequence that
> >> >causes
> >> >> > the bug? Is it that the call:
> >> >> >
> >> >> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> >> >> > &(0x7f0000000000)='cdg\x00', 0x4)
> >> >> >
> >> >> > initializes the CC and happens before the connection is
> >> >established,
> >> >> > and then when the connection is established, the line that sets:
> >> >> >    icsk->icsk_ca_initialized = 0;
> >> >> > is incorrect, causing the CC to be initialized again without
> >first
> >> >> > calling the cleanup code that deallocates the CDG-allocated
> >memory?
> >> >> >
> >> >> > thanks,
> >> >> > neal
> >> >> >
> >> >>
> >> >> Hi Neal,
> >> >>
> >> >> The gdb stack trace that lead to init_transfer_input() is as
> >bellow,
> >> >the
> >> >> current sock state is TCP_SYN_RECV.
> >> >
> >> >Thanks. That makes sense as a snapshot of time for
> >> >tcp_init_transfer(), but I think what would be more useful would be
> >a
> >> >description of the sequence of events, including when the CC was
> >> >initialized previous to that point (as noted above, was it that the
> >> >setsockopt(TCP_CONGESTION) completed before that point?).
> >> >
> >> >thanks,
> >> >neal
> >>
> >> I resend my message because I accidently used html format in last
> >one. I am very sorry for the inconvenience caused.
> >> ---
> >> Yes, the CC had been initialized by the setsockopt, after that, it
> >was initialized again in function tcp_init_transfer() because of
> >setting isck_ca_initialized to 0.
> >
> >"the setsockopt" is rather vague, sorry.
> >
> >
> >The hard part is that all scenarios have to be considered.
> >
> >TCP flows can either be passive and active.
> >
> >CC can be set :
> >
> >1) Before the connect() or accept()
> >2) After the connect() or accept()
> >3) after the connect() but before 3WHS is completed.
> >
> >So we need to make sure all cases will still work with any combination
> >of CDG CC (before/after) in the picture.
> >
> >Note that a memory leak for a restricted CC (CDG can only be used by
> >CAP_NET_ADMIN privileged user)
> > is a small problem compared to more serious bug that could be added
> >by an incomplete fix.
> >
> >I also note that if icsk_ca_priv] was increased from 104 to 120 bytes,
> >tcp_cdg would no longer need a dynamic memory allocation.
> >
> >Thank you.
>
> Hi,
> I will try to see whether I am able to get the full sequence. I am also affraid of making a change that could affect big part of the kernel.
> About CDG, how we can get rid of dynamic allocation by increasing icsk_priv_data to 120? because I see that the window size is a module parameter, so I guess it is not a fixed value.

Given this module parameter is constant, I doubt anyone really uses a
bigger window.
If researchers want to experiment bigger window, they could adjust a
macro and recompile (#define TCP_CDG_WINDOW 8 -> X)

> Because the problem only happens with CDG, is adding check in its tcp_cdg_init() function Ok? And about  icsk_ca_initialized, Could I expect it to be 0 in CC's init functions?

I think icsk_ca_initialized  lost its strong meaning when CDG was
introduced (since this is the only CC allocating memory)

The bug really is that before clearing icsk_ca_initialized we should
call cc->release()

Maybe we missed this cleanup in commit
8919a9b31eb4fb4c0a93e5fb350a626924302aa6 ("tcp: Only init congestion
control if not initialized already")

Although I am not sure what happens at accept() time when the listener
socket is cloned.

If we make any hypothesis, we need to check all CC modules to make
sure they respect it.

>
> Thank you.
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Neal Cardwell]

  On Tue, Jun 29, 2021 at 8:58 AM Eric Dumazet <edumazet@google.com> wrote:
> > Because the problem only happens with CDG, is adding check in its tcp_cdg_init() function Ok? And about  icsk_ca_initialized, Could I expect it to be 0 in CC's init functions?
>
> I think icsk_ca_initialized  lost its strong meaning when CDG was
> introduced (since this is the only CC allocating memory)
>
> The bug really is that before clearing icsk_ca_initialized we should
> call cc->release()
>
> Maybe we missed this cleanup in commit
> 8919a9b31eb4fb4c0a93e5fb350a626924302aa6 ("tcp: Only init congestion
> control if not initialized already")

From my perspective, the bug was introduced when that 8919a9b31eb4
commit introduced icsk_ca_initialized and set icsk_ca_initialized to 0
in tcp_init_transfer(), missing the possibility that a process could
call setsockopt(TCP_CONGESTION)  in state TCP_SYN_SENT (i.e. after the
connect() or TFO open sendmsg()), which would call
tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend
to reset any initialization that the user had already explicitly made;
it just missed the possibility of that particular sequence (which
syzkaller managed to find!).

> Although I am not sure what happens at accept() time when the listener
> socket is cloned.

It seems that for listener sockets, they cannot initialize their CC
module state, because there is no way for them to reach
tcp_init_congestion_control(), since:

(a) tcp_set_congestion_control() -> tcp_reinit_congestion_control()
will not call tcp_init_congestion_control() on a socket in CLOSE or
LISTEN

(b) tcp_init_transfer() -> tcp_init_congestion_control() can only
happen for established sockets and successful TFO SYN_RECV sockets

So it seems my previously suggested change (yesterday in this thread)
to add icsk_ca_initialized=0 in tcp_ca_openreq_child() is not needed.

> If we make any hypothesis, we need to check all CC modules to make
> sure they respect it.

AFAICT the fix is correct; it just needs a Fixes: tag and a more clear
description in the commit message.

I have cherry-picked the patch into our kernel and verified it passes
all of our internal packetdrill tests.

So the diff seems OK, but I would suggest a commit message something
like the following:

--
[PATCH] tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized

This commit fixes a bug (found by syzkaller) that could cause spurious
double-initializations for congestion control modules, which could cause memory
leaks orother problems for congestion control modules (like CDG) that allocate
memory in their init functions.

The buggy scenario constructed by syzkaller was something like:

(1) create a TCP socket
(2) initiate a TFO connect via sendto()
(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),
    which calls:
       tcp_set_congestion_control() ->
         tcp_reinit_congestion_control() ->
           tcp_init_congestion_control()
(4) receive ACK, connection is established, call tcp_init_transfer(),
    set icsk_ca_initialized=0 (without first calling cc->release()),
    call tcp_init_congestion_control() again.

Note that in this sequence tcp_init_congestion_control() is called twice
without a cc->release() call in between. Thus, for CC modules that allocate
memory in their init() function, e.g, CDG, a memory leak may occur. The
syzkaller tool managed to find a reproducer that triggered such a leak in CDG.

The bug was introduced when that 8919a9b31eb4 commit introduced
icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(),
missing the possibility for a sequence like the one above, where a process
could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the
connect() or TFO open sendmsg()), which would call
tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend to reset
any initialization that the user had already explicitly made; it just missed
the possibility of that particular sequence (which syzkaller managed to find).

Fixes: 8919a9b31eb4 ("tcp: Only init congestion control if not
initialized already")
Reported-by: syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com
Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
--

neal

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Neal Cardwell via Linux-kernel-mentees]

  On Tue, Jun 29, 2021 at 8:58 AM Eric Dumazet <edumazet@google.com> wrote:
> > Because the problem only happens with CDG, is adding check in its tcp_cdg_init() function Ok? And about  icsk_ca_initialized, Could I expect it to be 0 in CC's init functions?
>
> I think icsk_ca_initialized  lost its strong meaning when CDG was
> introduced (since this is the only CC allocating memory)
>
> The bug really is that before clearing icsk_ca_initialized we should
> call cc->release()
>
> Maybe we missed this cleanup in commit
> 8919a9b31eb4fb4c0a93e5fb350a626924302aa6 ("tcp: Only init congestion
> control if not initialized already")

From my perspective, the bug was introduced when that 8919a9b31eb4
commit introduced icsk_ca_initialized and set icsk_ca_initialized to 0
in tcp_init_transfer(), missing the possibility that a process could
call setsockopt(TCP_CONGESTION)  in state TCP_SYN_SENT (i.e. after the
connect() or TFO open sendmsg()), which would call
tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend
to reset any initialization that the user had already explicitly made;
it just missed the possibility of that particular sequence (which
syzkaller managed to find!).

> Although I am not sure what happens at accept() time when the listener
> socket is cloned.

It seems that for listener sockets, they cannot initialize their CC
module state, because there is no way for them to reach
tcp_init_congestion_control(), since:

(a) tcp_set_congestion_control() -> tcp_reinit_congestion_control()
will not call tcp_init_congestion_control() on a socket in CLOSE or
LISTEN

(b) tcp_init_transfer() -> tcp_init_congestion_control() can only
happen for established sockets and successful TFO SYN_RECV sockets

So it seems my previously suggested change (yesterday in this thread)
to add icsk_ca_initialized=0 in tcp_ca_openreq_child() is not needed.

> If we make any hypothesis, we need to check all CC modules to make
> sure they respect it.

AFAICT the fix is correct; it just needs a Fixes: tag and a more clear
description in the commit message.

I have cherry-picked the patch into our kernel and verified it passes
all of our internal packetdrill tests.

So the diff seems OK, but I would suggest a commit message something
like the following:

--
[PATCH] tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized

This commit fixes a bug (found by syzkaller) that could cause spurious
double-initializations for congestion control modules, which could cause memory
leaks orother problems for congestion control modules (like CDG) that allocate
memory in their init functions.

The buggy scenario constructed by syzkaller was something like:

(1) create a TCP socket
(2) initiate a TFO connect via sendto()
(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),
    which calls:
       tcp_set_congestion_control() ->
         tcp_reinit_congestion_control() ->
           tcp_init_congestion_control()
(4) receive ACK, connection is established, call tcp_init_transfer(),
    set icsk_ca_initialized=0 (without first calling cc->release()),
    call tcp_init_congestion_control() again.

Note that in this sequence tcp_init_congestion_control() is called twice
without a cc->release() call in between. Thus, for CC modules that allocate
memory in their init() function, e.g, CDG, a memory leak may occur. The
syzkaller tool managed to find a reproducer that triggered such a leak in CDG.

The bug was introduced when that 8919a9b31eb4 commit introduced
icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(),
missing the possibility for a sequence like the one above, where a process
could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the
connect() or TFO open sendmsg()), which would call
tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend to reset
any initialization that the user had already explicitly made; it just missed
the possibility of that particular sequence (which syzkaller managed to find).

Fixes: 8919a9b31eb4 ("tcp: Only init congestion control if not
initialized already")
Reported-by: syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com
Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
--

neal
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Phi Nguyen]

On 6/29/2021 11:59 PM, Neal Cardwell wrote:
>    On Tue, Jun 29, 2021 at 8:58 AM Eric Dumazet <edumazet@google.com> wrote:
>  From my perspective, the bug was introduced when that 8919a9b31eb4
> commit introduced icsk_ca_initialized and set icsk_ca_initialized to 0
> in tcp_init_transfer(), missing the possibility that a process could
> call setsockopt(TCP_CONGESTION)  in state TCP_SYN_SENT (i.e. after the
> connect() or TFO open sendmsg()), which would call
> tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend
> to reset any initialization that the user had already explicitly made;
> it just missed the possibility of that particular sequence (which
> syzkaller managed to find!).
> 
>> Although I am not sure what happens at accept() time when the listener
>> socket is cloned.
> 
> It seems that for listener sockets, they cannot initialize their CC
> module state, because there is no way for them to reach
> tcp_init_congestion_control(), since:
> 
> (a) tcp_set_congestion_control() -> tcp_reinit_congestion_control()
> will not call tcp_init_congestion_control() on a socket in CLOSE or
> LISTEN
> 
> (b) tcp_init_transfer() -> tcp_init_congestion_control() can only
> happen for established sockets and successful TFO SYN_RECV sockets
Is this what was mentioned in this commit ce69e563b325(tcp: make sure 
listeners don't initialize congestion-control state)

> --
> [PATCH] tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized
> 
> This commit fixes a bug (found by syzkaller) that could cause spurious
> double-initializations for congestion control modules, which could cause memory
> leaks orother problems for congestion control modules (like CDG) that allocate
> memory in their init functions.
> 
> The buggy scenario constructed by syzkaller was something like:
> 
> (1) create a TCP socket
> (2) initiate a TFO connect via sendto()
> (3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),
>      which calls:
>         tcp_set_congestion_control() ->
>           tcp_reinit_congestion_control() ->
>             tcp_init_congestion_control()
> (4) receive ACK, connection is established, call tcp_init_transfer(),
>      set icsk_ca_initialized=0 (without first calling cc->release()),
>      call tcp_init_congestion_control() again.
> 
> Note that in this sequence tcp_init_congestion_control() is called twice
> without a cc->release() call in between. Thus, for CC modules that allocate
> memory in their init() function, e.g, CDG, a memory leak may occur. The
> syzkaller tool managed to find a reproducer that triggered such a leak in CDG.
> 
> The bug was introduced when that 8919a9b31eb4 commit introduced
> icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(),
> missing the possibility for a sequence like the one above, where a process
> could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the
> connect() or TFO open sendmsg()), which would call
> tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend to reset
> any initialization that the user had already explicitly made; it just missed
> the possibility of that particular sequence (which syzkaller managed to find).

Could I use your commit message when I resubmit patch?

Thank you.

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Phi Nguyen]

On 6/29/2021 11:59 PM, Neal Cardwell wrote:
>    On Tue, Jun 29, 2021 at 8:58 AM Eric Dumazet <edumazet@google.com> wrote:
>  From my perspective, the bug was introduced when that 8919a9b31eb4
> commit introduced icsk_ca_initialized and set icsk_ca_initialized to 0
> in tcp_init_transfer(), missing the possibility that a process could
> call setsockopt(TCP_CONGESTION)  in state TCP_SYN_SENT (i.e. after the
> connect() or TFO open sendmsg()), which would call
> tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend
> to reset any initialization that the user had already explicitly made;
> it just missed the possibility of that particular sequence (which
> syzkaller managed to find!).
> 
>> Although I am not sure what happens at accept() time when the listener
>> socket is cloned.
> 
> It seems that for listener sockets, they cannot initialize their CC
> module state, because there is no way for them to reach
> tcp_init_congestion_control(), since:
> 
> (a) tcp_set_congestion_control() -> tcp_reinit_congestion_control()
> will not call tcp_init_congestion_control() on a socket in CLOSE or
> LISTEN
> 
> (b) tcp_init_transfer() -> tcp_init_congestion_control() can only
> happen for established sockets and successful TFO SYN_RECV sockets
Is this what was mentioned in this commit ce69e563b325(tcp: make sure 
listeners don't initialize congestion-control state)

> --
> [PATCH] tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized
> 
> This commit fixes a bug (found by syzkaller) that could cause spurious
> double-initializations for congestion control modules, which could cause memory
> leaks orother problems for congestion control modules (like CDG) that allocate
> memory in their init functions.
> 
> The buggy scenario constructed by syzkaller was something like:
> 
> (1) create a TCP socket
> (2) initiate a TFO connect via sendto()
> (3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),
>      which calls:
>         tcp_set_congestion_control() ->
>           tcp_reinit_congestion_control() ->
>             tcp_init_congestion_control()
> (4) receive ACK, connection is established, call tcp_init_transfer(),
>      set icsk_ca_initialized=0 (without first calling cc->release()),
>      call tcp_init_congestion_control() again.
> 
> Note that in this sequence tcp_init_congestion_control() is called twice
> without a cc->release() call in between. Thus, for CC modules that allocate
> memory in their init() function, e.g, CDG, a memory leak may occur. The
> syzkaller tool managed to find a reproducer that triggered such a leak in CDG.
> 
> The bug was introduced when that 8919a9b31eb4 commit introduced
> icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(),
> missing the possibility for a sequence like the one above, where a process
> could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the
> connect() or TFO open sendmsg()), which would call
> tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend to reset
> any initialization that the user had already explicitly made; it just missed
> the possibility of that particular sequence (which syzkaller managed to find).

Could I use your commit message when I resubmit patch?

Thank you.

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Neal Cardwell]

On Wed, Jun 30, 2021 at 2:25 PM Phi Nguyen <phind.uet@gmail.com> wrote:
>
> On 6/29/2021 11:59 PM, Neal Cardwell wrote:
> >    On Tue, Jun 29, 2021 at 8:58 AM Eric Dumazet <edumazet@google.com> wrote:
> >  From my perspective, the bug was introduced when that 8919a9b31eb4
> > commit introduced icsk_ca_initialized and set icsk_ca_initialized to 0
> > in tcp_init_transfer(), missing the possibility that a process could
> > call setsockopt(TCP_CONGESTION)  in state TCP_SYN_SENT (i.e. after the
> > connect() or TFO open sendmsg()), which would call
> > tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend
> > to reset any initialization that the user had already explicitly made;
> > it just missed the possibility of that particular sequence (which
> > syzkaller managed to find!).
> >
> >> Although I am not sure what happens at accept() time when the listener
> >> socket is cloned.
> >
> > It seems that for listener sockets, they cannot initialize their CC
> > module state, because there is no way for them to reach
> > tcp_init_congestion_control(), since:
> >
> > (a) tcp_set_congestion_control() -> tcp_reinit_congestion_control()
> > will not call tcp_init_congestion_control() on a socket in CLOSE or
> > LISTEN
> >
> > (b) tcp_init_transfer() -> tcp_init_congestion_control() can only
> > happen for established sockets and successful TFO SYN_RECV sockets
> Is this what was mentioned in this commit ce69e563b325(tcp: make sure
> listeners don't initialize congestion-control state)

Yes, exactly.

> > --
> > [PATCH] tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized
> >
> > This commit fixes a bug (found by syzkaller) that could cause spurious
> > double-initializations for congestion control modules, which could cause memory
> > leaks orother problems for congestion control modules (like CDG) that allocate
> > memory in their init functions.
> >
> > The buggy scenario constructed by syzkaller was something like:
> >
> > (1) create a TCP socket
> > (2) initiate a TFO connect via sendto()
> > (3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),
> >      which calls:
> >         tcp_set_congestion_control() ->
> >           tcp_reinit_congestion_control() ->
> >             tcp_init_congestion_control()
> > (4) receive ACK, connection is established, call tcp_init_transfer(),
> >      set icsk_ca_initialized=0 (without first calling cc->release()),
> >      call tcp_init_congestion_control() again.
> >
> > Note that in this sequence tcp_init_congestion_control() is called twice
> > without a cc->release() call in between. Thus, for CC modules that allocate
> > memory in their init() function, e.g, CDG, a memory leak may occur. The
> > syzkaller tool managed to find a reproducer that triggered such a leak in CDG.
> >
> > The bug was introduced when that 8919a9b31eb4 commit introduced
> > icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(),
> > missing the possibility for a sequence like the one above, where a process
> > could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the
> > connect() or TFO open sendmsg()), which would call
> > tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend to reset
> > any initialization that the user had already explicitly made; it just missed
> > the possibility of that particular sequence (which syzkaller managed to find).
>
> Could I use your commit message when I resubmit patch?

Yes, feel free to use that commit message verbatim or modified.

thanks,
neal

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Neal Cardwell via Linux-kernel-mentees]

On Wed, Jun 30, 2021 at 2:25 PM Phi Nguyen <phind.uet@gmail.com> wrote:
>
> On 6/29/2021 11:59 PM, Neal Cardwell wrote:
> >    On Tue, Jun 29, 2021 at 8:58 AM Eric Dumazet <edumazet@google.com> wrote:
> >  From my perspective, the bug was introduced when that 8919a9b31eb4
> > commit introduced icsk_ca_initialized and set icsk_ca_initialized to 0
> > in tcp_init_transfer(), missing the possibility that a process could
> > call setsockopt(TCP_CONGESTION)  in state TCP_SYN_SENT (i.e. after the
> > connect() or TFO open sendmsg()), which would call
> > tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend
> > to reset any initialization that the user had already explicitly made;
> > it just missed the possibility of that particular sequence (which
> > syzkaller managed to find!).
> >
> >> Although I am not sure what happens at accept() time when the listener
> >> socket is cloned.
> >
> > It seems that for listener sockets, they cannot initialize their CC
> > module state, because there is no way for them to reach
> > tcp_init_congestion_control(), since:
> >
> > (a) tcp_set_congestion_control() -> tcp_reinit_congestion_control()
> > will not call tcp_init_congestion_control() on a socket in CLOSE or
> > LISTEN
> >
> > (b) tcp_init_transfer() -> tcp_init_congestion_control() can only
> > happen for established sockets and successful TFO SYN_RECV sockets
> Is this what was mentioned in this commit ce69e563b325(tcp: make sure
> listeners don't initialize congestion-control state)

Yes, exactly.

> > --
> > [PATCH] tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized
> >
> > This commit fixes a bug (found by syzkaller) that could cause spurious
> > double-initializations for congestion control modules, which could cause memory
> > leaks orother problems for congestion control modules (like CDG) that allocate
> > memory in their init functions.
> >
> > The buggy scenario constructed by syzkaller was something like:
> >
> > (1) create a TCP socket
> > (2) initiate a TFO connect via sendto()
> > (3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),
> >      which calls:
> >         tcp_set_congestion_control() ->
> >           tcp_reinit_congestion_control() ->
> >             tcp_init_congestion_control()
> > (4) receive ACK, connection is established, call tcp_init_transfer(),
> >      set icsk_ca_initialized=0 (without first calling cc->release()),
> >      call tcp_init_congestion_control() again.
> >
> > Note that in this sequence tcp_init_congestion_control() is called twice
> > without a cc->release() call in between. Thus, for CC modules that allocate
> > memory in their init() function, e.g, CDG, a memory leak may occur. The
> > syzkaller tool managed to find a reproducer that triggered such a leak in CDG.
> >
> > The bug was introduced when that 8919a9b31eb4 commit introduced
> > icsk_ca_initialized and set icsk_ca_initialized to 0 in tcp_init_transfer(),
> > missing the possibility for a sequence like the one above, where a process
> > could call setsockopt(TCP_CONGESTION) in state TCP_SYN_SENT (i.e. after the
> > connect() or TFO open sendmsg()), which would call
> > tcp_init_congestion_control(). The 8919a9b31eb4 commit did not intend to reset
> > any initialization that the user had already explicitly made; it just missed
> > the possibility of that particular sequence (which syzkaller managed to find).
>
> Could I use your commit message when I resubmit patch?

Yes, feel free to use that commit message verbatim or modified.

thanks,
neal
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Neal Cardwell]

On Mon, Jun 28, 2021 at 11:39 AM Nguyen Dinh Phi <phind.uet@gmail.com> wrote:
>
> icsk_ca_initialized be always set to zero before we examine it in if
> block, this makes the congestion control module's initialization be
> called even if the CC module was initialized already.
> In case the CC module allocates and setups its dynamically allocated
> private data in its init() function, e.g, CDG, the memory leak may occur.
>
> Reported-by: syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com
>
> Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
> ---
>  net/ipv4/tcp_input.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index 7d5e59f688de..855ada2be25e 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -5922,7 +5922,6 @@ void tcp_init_transfer(struct sock *sk, int bpf_op, struct sk_buff *skb)
>                 tp->snd_cwnd = tcp_init_cwnd(tp, __sk_dst_get(sk));
>         tp->snd_cwnd_stamp = tcp_jiffies32;
>
> -       icsk->icsk_ca_initialized = 0;

If this patch removes that line, then AFAICT the patch should also
insert a corresponding:

  icsk->icsk_ca_initialized = 0;

in tcp_ca_openreq_child(), so that any non-zero icsk_ca_initialized
value in a listener socket (on which setsockopt(TCP_CONGESTION) was
called)  is not erroneously inherited by a child socket due to the
tcp_create_openreq_child() -> inet_csk_clone_lock() -> sock_copy()
call chain. Something like:

diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index c48d8336f26d..4d6a76dfa1c4 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -446,6 +446,7 @@ void tcp_ca_openreq_child(struct sock *sk, const
struct dst_entry *dst)
        }

        /* If no valid choice made yet, assign current system default ca. */
+       icsk->icsk_ca_initialized = 0;
        if (!ca_got_dst &&
            (!icsk->icsk_ca_setsockopt ||
             !bpf_try_module_get(icsk->icsk_ca_ops, icsk->icsk_ca_ops->owner)))

thanks,
neal

Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.

[Neal Cardwell via Linux-kernel-mentees]

On Mon, Jun 28, 2021 at 11:39 AM Nguyen Dinh Phi <phind.uet@gmail.com> wrote:
>
> icsk_ca_initialized be always set to zero before we examine it in if
> block, this makes the congestion control module's initialization be
> called even if the CC module was initialized already.
> In case the CC module allocates and setups its dynamically allocated
> private data in its init() function, e.g, CDG, the memory leak may occur.
>
> Reported-by: syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com
>
> Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
> ---
>  net/ipv4/tcp_input.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index 7d5e59f688de..855ada2be25e 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -5922,7 +5922,6 @@ void tcp_init_transfer(struct sock *sk, int bpf_op, struct sk_buff *skb)
>                 tp->snd_cwnd = tcp_init_cwnd(tp, __sk_dst_get(sk));
>         tp->snd_cwnd_stamp = tcp_jiffies32;
>
> -       icsk->icsk_ca_initialized = 0;

If this patch removes that line, then AFAICT the patch should also
insert a corresponding:

  icsk->icsk_ca_initialized = 0;

in tcp_ca_openreq_child(), so that any non-zero icsk_ca_initialized
value in a listener socket (on which setsockopt(TCP_CONGESTION) was
called)  is not erroneously inherited by a child socket due to the
tcp_create_openreq_child() -> inet_csk_clone_lock() -> sock_copy()
call chain. Something like:

diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index c48d8336f26d..4d6a76dfa1c4 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -446,6 +446,7 @@ void tcp_ca_openreq_child(struct sock *sk, const
struct dst_entry *dst)
        }

        /* If no valid choice made yet, assign current system default ca. */
+       icsk->icsk_ca_initialized = 0;
        if (!ca_got_dst &&
            (!icsk->icsk_ca_setsockopt ||
             !bpf_try_module_get(icsk->icsk_ca_ops, icsk->icsk_ca_ops->owner)))

thanks,
neal
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees