* [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port().
@ 2022-11-19 1:49 Kuniyuki Iwashima
2022-11-19 1:49 ` [PATCH v4 net 1/4] dccp/tcp: Reset saddr on failure after inet6?_hash_connect() Kuniyuki Iwashima
` (5 more replies)
0 siblings, 6 replies; 11+ messages in thread
From: Kuniyuki Iwashima @ 2022-11-19 1:49 UTC (permalink / raw)
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Hideaki YOSHIFUJI, David Ahern
Cc: Arnaldo Carvalho de Melo, Joanne Koong, Martin KaFai Lau,
Mat Martineau, Ziyang Xuan (William),
Stephen Hemminger, Pengfei Xu, Kuniyuki Iwashima,
Kuniyuki Iwashima, netdev, dccp
syzkaller was hitting a WARN_ON() in inet_csk_get_port() in the 4th patch,
which was because we forgot to fix up bhash2 bucket when connect() for a
socket bound to a wildcard address fails in __inet_stream_connect().
There was a similar report [0], but its repro does not fire the WARN_ON() due
to inconsistent error handling.
When connect() for a socket bound to a wildcard address fails, saddr may or
may not be reset depending on where the failure happens. When we fail in
__inet_stream_connect(), sk->sk_prot->disconnect() resets saddr. OTOH, in
(dccp|tcp)_v[46]_connect(), if we fail after inet_hash6?_connect(), we
forget to reset saddr.
We fix this inconsistent error handling in the 1st patch, and then we'll
fix the bhash2 WARN_ON() issue.
Note that there is still an issue in that we reset saddr without checking
if there are conflicting sockets in bhash and bhash2, but this should be
another series.
See [1][2] for the previous discussion.
[0]: https://lore.kernel.org/netdev/0000000000003f33bc05dfaf44fe@google.com/
[1]: https://lore.kernel.org/netdev/20221029001249.86337-1-kuniyu@amazon.com/
[2]: https://lore.kernel.org/netdev/20221103172419.20977-1-kuniyu@amazon.com/
[3]: https://lore.kernel.org/netdev/20221118081906.053d5231@kernel.org/T/#m00aafedb29ff0b55d5e67aef0252ef1baaf4b6ee
Changes:
v4:
* Patch 3
* Narrow down the bhash lock section (Joanne Koong)
v3: https://lore.kernel.org/netdev/20221118205839.14312-1-kuniyu@amazon.com/
* Patch 3
* Update saddr under the bhash's lock
* Correct Fixes tag
* Change #ifdef in inet_update_saddr() along the recent
discussion [3]
v2: https://lore.kernel.org/netdev/20221116222805.64734-1-kuniyu@amazon.com/
* Add patch 2-4
v1: [2]
Kuniyuki Iwashima (4):
dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
dccp/tcp: Remove NULL check for prev_saddr in
inet_bhash2_update_saddr().
dccp/tcp: Update saddr under bhash's lock.
dccp/tcp: Fixup bhash2 bucket when connect() fails.
include/net/inet_hashtables.h | 3 +-
net/dccp/ipv4.c | 23 +++-------
net/dccp/ipv6.c | 24 +++-------
net/dccp/proto.c | 3 +-
net/ipv4/af_inet.c | 11 +----
net/ipv4/inet_hashtables.c | 84 ++++++++++++++++++++++++++++++-----
net/ipv4/tcp.c | 3 +-
net/ipv4/tcp_ipv4.c | 21 +++------
net/ipv6/tcp_ipv6.c | 20 ++-------
9 files changed, 96 insertions(+), 96 deletions(-)
--
2.30.2
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH v4 net 1/4] dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
2022-11-19 1:49 [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port() Kuniyuki Iwashima
@ 2022-11-19 1:49 ` Kuniyuki Iwashima
2022-11-19 1:49 ` [PATCH v4 net 2/4] dccp/tcp: Remove NULL check for prev_saddr in inet_bhash2_update_saddr() Kuniyuki Iwashima
` (4 subsequent siblings)
5 siblings, 0 replies; 11+ messages in thread
From: Kuniyuki Iwashima @ 2022-11-19 1:49 UTC (permalink / raw)
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Hideaki YOSHIFUJI, David Ahern
Cc: Arnaldo Carvalho de Melo, Joanne Koong, Martin KaFai Lau,
Mat Martineau, Ziyang Xuan (William),
Stephen Hemminger, Pengfei Xu, Kuniyuki Iwashima,
Kuniyuki Iwashima, netdev, dccp
When connect() is called on a socket bound to the wildcard address,
we change the socket's saddr to a local address. If the socket
fails to connect() to the destination, we have to reset the saddr.
However, when an error occurs after inet_hash6?_connect() in
(dccp|tcp)_v[46]_conect(), we forget to reset saddr and leave
the socket bound to the address.
From the user's point of view, whether saddr is reset or not varies
with errno. Let's fix this inconsistent behaviour.
Note that after this patch, the repro [0] will trigger the WARN_ON()
in inet_csk_get_port() again, but this patch is not buggy and rather
fixes a bug papering over the bhash2's bug for which we need another
fix.
For the record, the repro causes -EADDRNOTAVAIL in inet_hash6_connect()
by this sequence:
s1 = socket()
s1.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
s1.bind(('127.0.0.1', 10000))
s1.sendto(b'hello', MSG_FASTOPEN, (('127.0.0.1', 10000)))
# or s1.connect(('127.0.0.1', 10000))
s2 = socket()
s2.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
s2.bind(('0.0.0.0', 10000))
s2.connect(('127.0.0.1', 10000)) # -EADDRNOTAVAIL
s2.listen(32) # WARN_ON(inet_csk(sk)->icsk_bind2_hash != tb2);
[0]: https://syzkaller.appspot.com/bug?extid=015d756bbd1f8b5c8f09
Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Joanne Koong <joannelkoong@gmail.com>
---
net/dccp/ipv4.c | 2 ++
net/dccp/ipv6.c | 2 ++
net/ipv4/tcp_ipv4.c | 2 ++
net/ipv6/tcp_ipv6.c | 2 ++
4 files changed, 8 insertions(+)
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 713b7b8dad7e..40640c26680e 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -157,6 +157,8 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
* This unhashes the socket and releases the local port, if necessary.
*/
dccp_set_state(sk, DCCP_CLOSED);
+ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
+ inet_reset_saddr(sk);
ip_rt_put(rt);
sk->sk_route_caps = 0;
inet->inet_dport = 0;
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index e57b43006074..626166cb6d7e 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -985,6 +985,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
late_failure:
dccp_set_state(sk, DCCP_CLOSED);
+ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
+ inet_reset_saddr(sk);
__sk_dst_reset(sk);
failure:
inet->inet_dport = 0;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 87d440f47a70..6a3a732b584d 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -343,6 +343,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
* if necessary.
*/
tcp_set_state(sk, TCP_CLOSE);
+ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
+ inet_reset_saddr(sk);
ip_rt_put(rt);
sk->sk_route_caps = 0;
inet->inet_dport = 0;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 2a3f9296df1e..81b396e5cf79 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -359,6 +359,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
late_failure:
tcp_set_state(sk, TCP_CLOSE);
+ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
+ inet_reset_saddr(sk);
failure:
inet->inet_dport = 0;
sk->sk_route_caps = 0;
--
2.30.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH v4 net 2/4] dccp/tcp: Remove NULL check for prev_saddr in inet_bhash2_update_saddr().
2022-11-19 1:49 [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port() Kuniyuki Iwashima
2022-11-19 1:49 ` [PATCH v4 net 1/4] dccp/tcp: Reset saddr on failure after inet6?_hash_connect() Kuniyuki Iwashima
@ 2022-11-19 1:49 ` Kuniyuki Iwashima
2022-11-19 1:49 ` [PATCH v4 net 3/4] dccp/tcp: Update saddr under bhash's lock Kuniyuki Iwashima
` (3 subsequent siblings)
5 siblings, 0 replies; 11+ messages in thread
From: Kuniyuki Iwashima @ 2022-11-19 1:49 UTC (permalink / raw)
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Hideaki YOSHIFUJI, David Ahern
Cc: Arnaldo Carvalho de Melo, Joanne Koong, Martin KaFai Lau,
Mat Martineau, Ziyang Xuan (William),
Stephen Hemminger, Pengfei Xu, Kuniyuki Iwashima,
Kuniyuki Iwashima, netdev, dccp
When we call inet_bhash2_update_saddr(), prev_saddr is always non-NULL.
Let's remove the unnecessary test.
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Joanne Koong <joannelkoong@gmail.com>
---
net/ipv4/inet_hashtables.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 033bf3c2538f..d745f962745e 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -877,13 +877,10 @@ int inet_bhash2_update_saddr(struct inet_bind_hashbucket *prev_saddr, struct soc
head2 = inet_bhashfn_portaddr(hinfo, sk, net, port);
- if (prev_saddr) {
- spin_lock_bh(&prev_saddr->lock);
- __sk_del_bind2_node(sk);
- inet_bind2_bucket_destroy(hinfo->bind2_bucket_cachep,
- inet_csk(sk)->icsk_bind2_hash);
- spin_unlock_bh(&prev_saddr->lock);
- }
+ spin_lock_bh(&prev_saddr->lock);
+ __sk_del_bind2_node(sk);
+ inet_bind2_bucket_destroy(hinfo->bind2_bucket_cachep, inet_csk(sk)->icsk_bind2_hash);
+ spin_unlock_bh(&prev_saddr->lock);
spin_lock_bh(&head2->lock);
tb2 = inet_bind2_bucket_find(head2, net, port, l3mdev, sk);
--
2.30.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH v4 net 3/4] dccp/tcp: Update saddr under bhash's lock.
2022-11-19 1:49 [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port() Kuniyuki Iwashima
2022-11-19 1:49 ` [PATCH v4 net 1/4] dccp/tcp: Reset saddr on failure after inet6?_hash_connect() Kuniyuki Iwashima
2022-11-19 1:49 ` [PATCH v4 net 2/4] dccp/tcp: Remove NULL check for prev_saddr in inet_bhash2_update_saddr() Kuniyuki Iwashima
@ 2022-11-19 1:49 ` Kuniyuki Iwashima
2022-11-22 0:11 ` Joanne Koong
2022-11-19 1:49 ` [PATCH v4 net 4/4] dccp/tcp: Fixup bhash2 bucket when connect() fails Kuniyuki Iwashima
` (2 subsequent siblings)
5 siblings, 1 reply; 11+ messages in thread
From: Kuniyuki Iwashima @ 2022-11-19 1:49 UTC (permalink / raw)
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Hideaki YOSHIFUJI, David Ahern
Cc: Arnaldo Carvalho de Melo, Joanne Koong, Martin KaFai Lau,
Mat Martineau, Ziyang Xuan (William),
Stephen Hemminger, Pengfei Xu, Kuniyuki Iwashima,
Kuniyuki Iwashima, netdev, dccp
When we call connect() for a socket bound to a wildcard address, we update
saddr locklessly. However, it could result in a data race; another thread
iterating over bhash might see a corrupted address.
Let's update saddr under the bhash bucket's lock.
Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
include/net/inet_hashtables.h | 2 +-
net/dccp/ipv4.c | 22 ++++-------------
net/dccp/ipv6.c | 23 ++++--------------
net/ipv4/af_inet.c | 11 +--------
net/ipv4/inet_hashtables.c | 45 ++++++++++++++++++++++++++++++-----
net/ipv4/tcp_ipv4.c | 20 ++++------------
net/ipv6/tcp_ipv6.c | 19 +++------------
7 files changed, 56 insertions(+), 86 deletions(-)
diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
index 3af1e927247d..ba06e8b52264 100644
--- a/include/net/inet_hashtables.h
+++ b/include/net/inet_hashtables.h
@@ -281,7 +281,7 @@ inet_bhash2_addr_any_hashbucket(const struct sock *sk, const struct net *net, in
* sk_v6_rcv_saddr (ipv6) changes after it has been binded. The socket's
* rcv_saddr field should already have been updated when this is called.
*/
-int inet_bhash2_update_saddr(struct inet_bind_hashbucket *prev_saddr, struct sock *sk);
+int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family);
void inet_bind_hash(struct sock *sk, struct inet_bind_bucket *tb,
struct inet_bind2_bucket *tb2, unsigned short port);
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 40640c26680e..95e376e3b911 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -45,11 +45,10 @@ static unsigned int dccp_v4_pernet_id __read_mostly;
int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
{
const struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
- struct inet_bind_hashbucket *prev_addr_hashbucket = NULL;
- __be32 daddr, nexthop, prev_sk_rcv_saddr;
struct inet_sock *inet = inet_sk(sk);
struct dccp_sock *dp = dccp_sk(sk);
__be16 orig_sport, orig_dport;
+ __be32 daddr, nexthop;
struct flowi4 *fl4;
struct rtable *rt;
int err;
@@ -91,26 +90,13 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
daddr = fl4->daddr;
if (inet->inet_saddr == 0) {
- if (inet_csk(sk)->icsk_bind2_hash) {
- prev_addr_hashbucket =
- inet_bhashfn_portaddr(&dccp_hashinfo, sk,
- sock_net(sk),
- inet->inet_num);
- prev_sk_rcv_saddr = sk->sk_rcv_saddr;
- }
- inet->inet_saddr = fl4->saddr;
- }
-
- sk_rcv_saddr_set(sk, inet->inet_saddr);
-
- if (prev_addr_hashbucket) {
- err = inet_bhash2_update_saddr(prev_addr_hashbucket, sk);
+ err = inet_bhash2_update_saddr(sk, &fl4->saddr, AF_INET);
if (err) {
- inet->inet_saddr = 0;
- sk_rcv_saddr_set(sk, prev_sk_rcv_saddr);
ip_rt_put(rt);
return err;
}
+ } else {
+ sk_rcv_saddr_set(sk, inet->inet_saddr);
}
inet->inet_dport = usin->sin_port;
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 626166cb6d7e..94c101ed57a9 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -934,26 +934,11 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
}
if (saddr == NULL) {
- struct inet_bind_hashbucket *prev_addr_hashbucket = NULL;
- struct in6_addr prev_v6_rcv_saddr;
-
- if (icsk->icsk_bind2_hash) {
- prev_addr_hashbucket = inet_bhashfn_portaddr(&dccp_hashinfo,
- sk, sock_net(sk),
- inet->inet_num);
- prev_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
- }
-
saddr = &fl6.saddr;
- sk->sk_v6_rcv_saddr = *saddr;
-
- if (prev_addr_hashbucket) {
- err = inet_bhash2_update_saddr(prev_addr_hashbucket, sk);
- if (err) {
- sk->sk_v6_rcv_saddr = prev_v6_rcv_saddr;
- goto failure;
- }
- }
+
+ err = inet_bhash2_update_saddr(sk, saddr, AF_INET6);
+ if (err)
+ goto failure;
}
/* set the source address */
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 4728087c42a5..0da679411330 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1230,7 +1230,6 @@ EXPORT_SYMBOL(inet_unregister_protosw);
static int inet_sk_reselect_saddr(struct sock *sk)
{
- struct inet_bind_hashbucket *prev_addr_hashbucket;
struct inet_sock *inet = inet_sk(sk);
__be32 old_saddr = inet->inet_saddr;
__be32 daddr = inet->inet_daddr;
@@ -1260,16 +1259,8 @@ static int inet_sk_reselect_saddr(struct sock *sk)
return 0;
}
- prev_addr_hashbucket =
- inet_bhashfn_portaddr(tcp_or_dccp_get_hashinfo(sk), sk,
- sock_net(sk), inet->inet_num);
-
- inet->inet_saddr = inet->inet_rcv_saddr = new_saddr;
-
- err = inet_bhash2_update_saddr(prev_addr_hashbucket, sk);
+ err = inet_bhash2_update_saddr(sk, &new_saddr, AF_INET);
if (err) {
- inet->inet_saddr = old_saddr;
- inet->inet_rcv_saddr = old_saddr;
ip_rt_put(rt);
return err;
}
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index d745f962745e..18ef370af113 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -858,14 +858,34 @@ inet_bhash2_addr_any_hashbucket(const struct sock *sk, const struct net *net, in
return &hinfo->bhash2[hash & (hinfo->bhash_size - 1)];
}
-int inet_bhash2_update_saddr(struct inet_bind_hashbucket *prev_saddr, struct sock *sk)
+static void inet_update_saddr(struct sock *sk, void *saddr, int family)
+{
+ if (family == AF_INET) {
+ inet_sk(sk)->inet_saddr = *(__be32 *)saddr;
+ sk_rcv_saddr_set(sk, inet_sk(sk)->inet_saddr);
+ }
+#if IS_ENABLED(CONFIG_IPV6)
+ else {
+ sk->sk_v6_rcv_saddr = *(struct in6_addr *)saddr;
+ }
+#endif
+}
+
+int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
{
struct inet_hashinfo *hinfo = tcp_or_dccp_get_hashinfo(sk);
+ struct inet_bind_hashbucket *head, *head2;
struct inet_bind2_bucket *tb2, *new_tb2;
int l3mdev = inet_sk_bound_l3mdev(sk);
- struct inet_bind_hashbucket *head2;
int port = inet_sk(sk)->inet_num;
struct net *net = sock_net(sk);
+ int bhash;
+
+ if (!inet_csk(sk)->icsk_bind2_hash) {
+ /* Not bind()ed before. */
+ inet_update_saddr(sk, saddr, family);
+ return 0;
+ }
/* Allocate a bind2 bucket ahead of time to avoid permanently putting
* the bhash2 table in an inconsistent state if a new tb2 bucket
@@ -875,14 +895,25 @@ int inet_bhash2_update_saddr(struct inet_bind_hashbucket *prev_saddr, struct soc
if (!new_tb2)
return -ENOMEM;
+ bhash = inet_bhashfn(net, port, hinfo->bhash_size);
+ head = &hinfo->bhash[bhash];
head2 = inet_bhashfn_portaddr(hinfo, sk, net, port);
- spin_lock_bh(&prev_saddr->lock);
+ /* If we change saddr locklessly, another thread
+ * iterating over bhash might see corrupted address.
+ */
+ spin_lock_bh(&head->lock);
+
+ spin_lock(&head2->lock);
__sk_del_bind2_node(sk);
inet_bind2_bucket_destroy(hinfo->bind2_bucket_cachep, inet_csk(sk)->icsk_bind2_hash);
- spin_unlock_bh(&prev_saddr->lock);
+ spin_unlock(&head2->lock);
+
+ inet_update_saddr(sk, saddr, family);
- spin_lock_bh(&head2->lock);
+ head2 = inet_bhashfn_portaddr(hinfo, sk, net, port);
+
+ spin_lock(&head2->lock);
tb2 = inet_bind2_bucket_find(head2, net, port, l3mdev, sk);
if (!tb2) {
tb2 = new_tb2;
@@ -890,7 +921,9 @@ int inet_bhash2_update_saddr(struct inet_bind_hashbucket *prev_saddr, struct soc
}
sk_add_bind2_node(sk, &tb2->owners);
inet_csk(sk)->icsk_bind2_hash = tb2;
- spin_unlock_bh(&head2->lock);
+ spin_unlock(&head2->lock);
+
+ spin_unlock_bh(&head->lock);
if (tb2 != new_tb2)
kmem_cache_free(hinfo->bind2_bucket_cachep, new_tb2);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 6a3a732b584d..23dd7e9df2d5 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -199,15 +199,14 @@ static int tcp_v4_pre_connect(struct sock *sk, struct sockaddr *uaddr,
/* This will initiate an outgoing connection. */
int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
{
- struct inet_bind_hashbucket *prev_addr_hashbucket = NULL;
struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
struct inet_timewait_death_row *tcp_death_row;
- __be32 daddr, nexthop, prev_sk_rcv_saddr;
struct inet_sock *inet = inet_sk(sk);
struct tcp_sock *tp = tcp_sk(sk);
struct ip_options_rcu *inet_opt;
struct net *net = sock_net(sk);
__be16 orig_sport, orig_dport;
+ __be32 daddr, nexthop;
struct flowi4 *fl4;
struct rtable *rt;
int err;
@@ -251,24 +250,13 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
tcp_death_row = &sock_net(sk)->ipv4.tcp_death_row;
if (!inet->inet_saddr) {
- if (inet_csk(sk)->icsk_bind2_hash) {
- prev_addr_hashbucket = inet_bhashfn_portaddr(tcp_death_row->hashinfo,
- sk, net, inet->inet_num);
- prev_sk_rcv_saddr = sk->sk_rcv_saddr;
- }
- inet->inet_saddr = fl4->saddr;
- }
-
- sk_rcv_saddr_set(sk, inet->inet_saddr);
-
- if (prev_addr_hashbucket) {
- err = inet_bhash2_update_saddr(prev_addr_hashbucket, sk);
+ err = inet_bhash2_update_saddr(sk, &fl4->saddr, AF_INET);
if (err) {
- inet->inet_saddr = 0;
- sk_rcv_saddr_set(sk, prev_sk_rcv_saddr);
ip_rt_put(rt);
return err;
}
+ } else {
+ sk_rcv_saddr_set(sk, inet->inet_saddr);
}
if (tp->rx_opt.ts_recent_stamp && inet->inet_daddr != daddr) {
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 81b396e5cf79..2f3ca3190d26 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -292,24 +292,11 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
tcp_death_row = &sock_net(sk)->ipv4.tcp_death_row;
if (!saddr) {
- struct inet_bind_hashbucket *prev_addr_hashbucket = NULL;
- struct in6_addr prev_v6_rcv_saddr;
-
- if (icsk->icsk_bind2_hash) {
- prev_addr_hashbucket = inet_bhashfn_portaddr(tcp_death_row->hashinfo,
- sk, net, inet->inet_num);
- prev_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
- }
saddr = &fl6.saddr;
- sk->sk_v6_rcv_saddr = *saddr;
- if (prev_addr_hashbucket) {
- err = inet_bhash2_update_saddr(prev_addr_hashbucket, sk);
- if (err) {
- sk->sk_v6_rcv_saddr = prev_v6_rcv_saddr;
- goto failure;
- }
- }
+ err = inet_bhash2_update_saddr(sk, saddr, AF_INET6);
+ if (err)
+ goto failure;
}
/* set the source address */
--
2.30.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH v4 net 4/4] dccp/tcp: Fixup bhash2 bucket when connect() fails.
2022-11-19 1:49 [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port() Kuniyuki Iwashima
` (2 preceding siblings ...)
2022-11-19 1:49 ` [PATCH v4 net 3/4] dccp/tcp: Update saddr under bhash's lock Kuniyuki Iwashima
@ 2022-11-19 1:49 ` Kuniyuki Iwashima
2022-11-21 23:41 ` Joanne Koong
2022-11-22 17:54 ` [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port() Eric Dumazet
2022-11-23 5:00 ` patchwork-bot+netdevbpf
5 siblings, 1 reply; 11+ messages in thread
From: Kuniyuki Iwashima @ 2022-11-19 1:49 UTC (permalink / raw)
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Hideaki YOSHIFUJI, David Ahern
Cc: Arnaldo Carvalho de Melo, Joanne Koong, Martin KaFai Lau,
Mat Martineau, Ziyang Xuan (William),
Stephen Hemminger, Pengfei Xu, Kuniyuki Iwashima,
Kuniyuki Iwashima, netdev, dccp, syzbot
If a socket bound to a wildcard address fails to connect(), we
only reset saddr and keep the port. Then, we have to fix up the
bhash2 bucket; otherwise, the bucket has an inconsistent address
in the list.
Also, listen() for such a socket will fire the WARN_ON() in
inet_csk_get_port(). [0]
Note that when a system runs out of memory, we give up fixing the
bucket and unlink sk from bhash and bhash2 by inet_put_port().
[0]:
WARNING: CPU: 0 PID: 207 at net/ipv4/inet_connection_sock.c:548 inet_csk_get_port (net/ipv4/inet_connection_sock.c:548 (discriminator 1))
Modules linked in:
CPU: 0 PID: 207 Comm: bhash2_prev_rep Not tainted 6.1.0-rc3-00799-gc8421681c845 #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014
RIP: 0010:inet_csk_get_port (net/ipv4/inet_connection_sock.c:548 (discriminator 1))
Code: 74 a7 eb 93 48 8b 54 24 18 0f b7 cb 4c 89 e6 4c 89 ff e8 48 b2 ff ff 49 8b 87 18 04 00 00 e9 32 ff ff ff 0f 0b e9 34 ff ff ff <0f> 0b e9 42 ff ff ff 41 8b 7f 50 41 8b 4f 54 89 fe 81 f6 00 00 ff
RSP: 0018:ffffc900003d7e50 EFLAGS: 00010202
RAX: ffff8881047fb500 RBX: 0000000000004e20 RCX: 0000000000000000
RDX: 000000000000000a RSI: 00000000fffffe00 RDI: 00000000ffffffff
RBP: ffffffff8324dc00 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000004e20 R15: ffff8881054e1280
FS: 00007f8ac04dc740(0000) GS:ffff88842fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001540 CR3: 00000001055fa003 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
inet_csk_listen_start (net/ipv4/inet_connection_sock.c:1205)
inet_listen (net/ipv4/af_inet.c:228)
__sys_listen (net/socket.c:1810)
__x64_sys_listen (net/socket.c:1819 net/socket.c:1817 net/socket.c:1817)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
RIP: 0033:0x7f8ac051de5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffc1c177248 EFLAGS: 00000206 ORIG_RAX: 0000000000000032
RAX: ffffffffffffffda RBX: 0000000020001550 RCX: 00007f8ac051de5d
RDX: ffffffffffffff80 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007ffc1c177270 R08: 0000000000000018 R09: 0000000000000007
R10: 0000000020001540 R11: 0000000000000206 R12: 00007ffc1c177388
R13: 0000000000401169 R14: 0000000000403e18 R15: 00007f8ac0723000
</TASK>
Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address")
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
include/net/inet_hashtables.h | 1 +
net/dccp/ipv4.c | 3 +--
net/dccp/ipv6.c | 3 +--
net/dccp/proto.c | 3 +--
net/ipv4/inet_hashtables.c | 38 +++++++++++++++++++++++++++++++----
net/ipv4/tcp.c | 3 +--
net/ipv4/tcp_ipv4.c | 3 +--
net/ipv6/tcp_ipv6.c | 3 +--
8 files changed, 41 insertions(+), 16 deletions(-)
diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
index ba06e8b52264..69174093078f 100644
--- a/include/net/inet_hashtables.h
+++ b/include/net/inet_hashtables.h
@@ -282,6 +282,7 @@ inet_bhash2_addr_any_hashbucket(const struct sock *sk, const struct net *net, in
* rcv_saddr field should already have been updated when this is called.
*/
int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family);
+void inet_bhash2_reset_saddr(struct sock *sk);
void inet_bind_hash(struct sock *sk, struct inet_bind_bucket *tb,
struct inet_bind2_bucket *tb2, unsigned short port);
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 95e376e3b911..b780827f5e0a 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -143,8 +143,7 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
* This unhashes the socket and releases the local port, if necessary.
*/
dccp_set_state(sk, DCCP_CLOSED);
- if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
- inet_reset_saddr(sk);
+ inet_bhash2_reset_saddr(sk);
ip_rt_put(rt);
sk->sk_route_caps = 0;
inet->inet_dport = 0;
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 94c101ed57a9..602f3432d80b 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -970,8 +970,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
late_failure:
dccp_set_state(sk, DCCP_CLOSED);
- if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
- inet_reset_saddr(sk);
+ inet_bhash2_reset_saddr(sk);
__sk_dst_reset(sk);
failure:
inet->inet_dport = 0;
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index c548ca3e9b0e..85e35c5e8890 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -279,8 +279,7 @@ int dccp_disconnect(struct sock *sk, int flags)
inet->inet_dport = 0;
- if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
- inet_reset_saddr(sk);
+ inet_bhash2_reset_saddr(sk);
sk->sk_shutdown = 0;
sock_reset_flag(sk, SOCK_DONE);
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 18ef370af113..3cec471a2cd2 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -871,7 +871,7 @@ static void inet_update_saddr(struct sock *sk, void *saddr, int family)
#endif
}
-int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
+static int __inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family, bool reset)
{
struct inet_hashinfo *hinfo = tcp_or_dccp_get_hashinfo(sk);
struct inet_bind_hashbucket *head, *head2;
@@ -883,7 +883,11 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
if (!inet_csk(sk)->icsk_bind2_hash) {
/* Not bind()ed before. */
- inet_update_saddr(sk, saddr, family);
+ if (reset)
+ inet_reset_saddr(sk);
+ else
+ inet_update_saddr(sk, saddr, family);
+
return 0;
}
@@ -892,8 +896,19 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
* allocation fails.
*/
new_tb2 = kmem_cache_alloc(hinfo->bind2_bucket_cachep, GFP_ATOMIC);
- if (!new_tb2)
+ if (!new_tb2) {
+ if (reset) {
+ /* The (INADDR_ANY, port) bucket might have already
+ * been freed, then we cannot fixup icsk_bind2_hash,
+ * so we give up and unlink sk from bhash/bhash2 not
+ * to leave inconsistency in bhash2.
+ */
+ inet_put_port(sk);
+ inet_reset_saddr(sk);
+ }
+
return -ENOMEM;
+ }
bhash = inet_bhashfn(net, port, hinfo->bhash_size);
head = &hinfo->bhash[bhash];
@@ -909,7 +924,10 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
inet_bind2_bucket_destroy(hinfo->bind2_bucket_cachep, inet_csk(sk)->icsk_bind2_hash);
spin_unlock(&head2->lock);
- inet_update_saddr(sk, saddr, family);
+ if (reset)
+ inet_reset_saddr(sk);
+ else
+ inet_update_saddr(sk, saddr, family);
head2 = inet_bhashfn_portaddr(hinfo, sk, net, port);
@@ -930,8 +948,20 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
return 0;
}
+
+int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
+{
+ return __inet_bhash2_update_saddr(sk, saddr, family, false);
+}
EXPORT_SYMBOL_GPL(inet_bhash2_update_saddr);
+void inet_bhash2_reset_saddr(struct sock *sk)
+{
+ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
+ __inet_bhash2_update_saddr(sk, NULL, 0, true);
+}
+EXPORT_SYMBOL_GPL(inet_bhash2_reset_saddr);
+
/* RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm
* Note that we use 32bit integers (vs RFC 'short integers')
* because 2^16 is not a multiple of num_ephemeral and this
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 54836a6b81d6..4f2205756cfe 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3114,8 +3114,7 @@ int tcp_disconnect(struct sock *sk, int flags)
inet->inet_dport = 0;
- if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
- inet_reset_saddr(sk);
+ inet_bhash2_reset_saddr(sk);
sk->sk_shutdown = 0;
sock_reset_flag(sk, SOCK_DONE);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 23dd7e9df2d5..da46357f501b 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -331,8 +331,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
* if necessary.
*/
tcp_set_state(sk, TCP_CLOSE);
- if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
- inet_reset_saddr(sk);
+ inet_bhash2_reset_saddr(sk);
ip_rt_put(rt);
sk->sk_route_caps = 0;
inet->inet_dport = 0;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 2f3ca3190d26..f0548dbcabd2 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -346,8 +346,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
late_failure:
tcp_set_state(sk, TCP_CLOSE);
- if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
- inet_reset_saddr(sk);
+ inet_bhash2_reset_saddr(sk);
failure:
inet->inet_dport = 0;
sk->sk_route_caps = 0;
--
2.30.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH v4 net 4/4] dccp/tcp: Fixup bhash2 bucket when connect() fails.
2022-11-19 1:49 ` [PATCH v4 net 4/4] dccp/tcp: Fixup bhash2 bucket when connect() fails Kuniyuki Iwashima
@ 2022-11-21 23:41 ` Joanne Koong
2022-11-22 0:50 ` Kuniyuki Iwashima
0 siblings, 1 reply; 11+ messages in thread
From: Joanne Koong @ 2022-11-21 23:41 UTC (permalink / raw)
To: Kuniyuki Iwashima
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Hideaki YOSHIFUJI, David Ahern, Arnaldo Carvalho de Melo,
Martin KaFai Lau, Mat Martineau, Ziyang Xuan (William),
Stephen Hemminger, Pengfei Xu, Kuniyuki Iwashima, netdev, dccp,
syzbot
On Fri, Nov 18, 2022 at 5:51 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> If a socket bound to a wildcard address fails to connect(), we
> only reset saddr and keep the port. Then, we have to fix up the
> bhash2 bucket; otherwise, the bucket has an inconsistent address
> in the list.
>
> Also, listen() for such a socket will fire the WARN_ON() in
> inet_csk_get_port(). [0]
>
> Note that when a system runs out of memory, we give up fixing the
> bucket and unlink sk from bhash and bhash2 by inet_put_port().
>
> [0]:
> WARNING: CPU: 0 PID: 207 at net/ipv4/inet_connection_sock.c:548 inet_csk_get_port (net/ipv4/inet_connection_sock.c:548 (discriminator 1))
> Modules linked in:
> CPU: 0 PID: 207 Comm: bhash2_prev_rep Not tainted 6.1.0-rc3-00799-gc8421681c845 #63
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014
> RIP: 0010:inet_csk_get_port (net/ipv4/inet_connection_sock.c:548 (discriminator 1))
> Code: 74 a7 eb 93 48 8b 54 24 18 0f b7 cb 4c 89 e6 4c 89 ff e8 48 b2 ff ff 49 8b 87 18 04 00 00 e9 32 ff ff ff 0f 0b e9 34 ff ff ff <0f> 0b e9 42 ff ff ff 41 8b 7f 50 41 8b 4f 54 89 fe 81 f6 00 00 ff
> RSP: 0018:ffffc900003d7e50 EFLAGS: 00010202
> RAX: ffff8881047fb500 RBX: 0000000000004e20 RCX: 0000000000000000
> RDX: 000000000000000a RSI: 00000000fffffe00 RDI: 00000000ffffffff
> RBP: ffffffff8324dc00 R08: 0000000000000001 R09: 0000000000000001
> R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
> R13: 0000000000000001 R14: 0000000000004e20 R15: ffff8881054e1280
> FS: 00007f8ac04dc740(0000) GS:ffff88842fc00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020001540 CR3: 00000001055fa003 CR4: 0000000000770ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> <TASK>
> inet_csk_listen_start (net/ipv4/inet_connection_sock.c:1205)
> inet_listen (net/ipv4/af_inet.c:228)
> __sys_listen (net/socket.c:1810)
> __x64_sys_listen (net/socket.c:1819 net/socket.c:1817 net/socket.c:1817)
> do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
> RIP: 0033:0x7f8ac051de5d
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48
> RSP: 002b:00007ffc1c177248 EFLAGS: 00000206 ORIG_RAX: 0000000000000032
> RAX: ffffffffffffffda RBX: 0000000020001550 RCX: 00007f8ac051de5d
> RDX: ffffffffffffff80 RSI: 0000000000000000 RDI: 0000000000000004
> RBP: 00007ffc1c177270 R08: 0000000000000018 R09: 0000000000000007
> R10: 0000000020001540 R11: 0000000000000206 R12: 00007ffc1c177388
> R13: 0000000000401169 R14: 0000000000403e18 R15: 00007f8ac0723000
> </TASK>
>
> Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address")
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Reported-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Joanne Koong <joannelkoong@gmail.com>
> ---
> include/net/inet_hashtables.h | 1 +
> net/dccp/ipv4.c | 3 +--
> net/dccp/ipv6.c | 3 +--
> net/dccp/proto.c | 3 +--
> net/ipv4/inet_hashtables.c | 38 +++++++++++++++++++++++++++++++----
> net/ipv4/tcp.c | 3 +--
> net/ipv4/tcp_ipv4.c | 3 +--
> net/ipv6/tcp_ipv6.c | 3 +--
> 8 files changed, 41 insertions(+), 16 deletions(-)
>
> diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
> index ba06e8b52264..69174093078f 100644
> --- a/include/net/inet_hashtables.h
> +++ b/include/net/inet_hashtables.h
> @@ -282,6 +282,7 @@ inet_bhash2_addr_any_hashbucket(const struct sock *sk, const struct net *net, in
> * rcv_saddr field should already have been updated when this is called.
> */
> int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family);
> +void inet_bhash2_reset_saddr(struct sock *sk);
>
> void inet_bind_hash(struct sock *sk, struct inet_bind_bucket *tb,
> struct inet_bind2_bucket *tb2, unsigned short port);
> diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
> index 95e376e3b911..b780827f5e0a 100644
> --- a/net/dccp/ipv4.c
> +++ b/net/dccp/ipv4.c
> @@ -143,8 +143,7 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> * This unhashes the socket and releases the local port, if necessary.
> */
> dccp_set_state(sk, DCCP_CLOSED);
> - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> - inet_reset_saddr(sk);
> + inet_bhash2_reset_saddr(sk);
> ip_rt_put(rt);
> sk->sk_route_caps = 0;
> inet->inet_dport = 0;
> diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> index 94c101ed57a9..602f3432d80b 100644
> --- a/net/dccp/ipv6.c
> +++ b/net/dccp/ipv6.c
> @@ -970,8 +970,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
>
> late_failure:
> dccp_set_state(sk, DCCP_CLOSED);
> - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> - inet_reset_saddr(sk);
> + inet_bhash2_reset_saddr(sk);
> __sk_dst_reset(sk);
> failure:
> inet->inet_dport = 0;
> diff --git a/net/dccp/proto.c b/net/dccp/proto.c
> index c548ca3e9b0e..85e35c5e8890 100644
> --- a/net/dccp/proto.c
> +++ b/net/dccp/proto.c
> @@ -279,8 +279,7 @@ int dccp_disconnect(struct sock *sk, int flags)
>
> inet->inet_dport = 0;
>
> - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> - inet_reset_saddr(sk);
> + inet_bhash2_reset_saddr(sk);
>
> sk->sk_shutdown = 0;
> sock_reset_flag(sk, SOCK_DONE);
> diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
> index 18ef370af113..3cec471a2cd2 100644
> --- a/net/ipv4/inet_hashtables.c
> +++ b/net/ipv4/inet_hashtables.c
> @@ -871,7 +871,7 @@ static void inet_update_saddr(struct sock *sk, void *saddr, int family)
> #endif
> }
>
> -int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> +static int __inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family, bool reset)
> {
> struct inet_hashinfo *hinfo = tcp_or_dccp_get_hashinfo(sk);
> struct inet_bind_hashbucket *head, *head2;
> @@ -883,7 +883,11 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
>
> if (!inet_csk(sk)->icsk_bind2_hash) {
> /* Not bind()ed before. */
> - inet_update_saddr(sk, saddr, family);
> + if (reset)
> + inet_reset_saddr(sk);
> + else
> + inet_update_saddr(sk, saddr, family);
> +
> return 0;
> }
>
> @@ -892,8 +896,19 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> * allocation fails.
> */
> new_tb2 = kmem_cache_alloc(hinfo->bind2_bucket_cachep, GFP_ATOMIC);
> - if (!new_tb2)
> + if (!new_tb2) {
> + if (reset) {
> + /* The (INADDR_ANY, port) bucket might have already
> + * been freed, then we cannot fixup icsk_bind2_hash,
> + * so we give up and unlink sk from bhash/bhash2 not
> + * to leave inconsistency in bhash2.
> + */
> + inet_put_port(sk);
> + inet_reset_saddr(sk);
> + }
nit: I think this is better placed in the dccp/tcp_ipv4/6 layer, to
make it clear / more obvious that the sk gets unbinded in this edge
case.
> +
> return -ENOMEM;
> + }
>
> bhash = inet_bhashfn(net, port, hinfo->bhash_size);
> head = &hinfo->bhash[bhash];
> @@ -909,7 +924,10 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> inet_bind2_bucket_destroy(hinfo->bind2_bucket_cachep, inet_csk(sk)->icsk_bind2_hash);
> spin_unlock(&head2->lock);
>
> - inet_update_saddr(sk, saddr, family);
> + if (reset)
> + inet_reset_saddr(sk);
> + else
> + inet_update_saddr(sk, saddr, family);
>
> head2 = inet_bhashfn_portaddr(hinfo, sk, net, port);
>
> @@ -930,8 +948,20 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
>
> return 0;
> }
> +
> +int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> +{
> + return __inet_bhash2_update_saddr(sk, saddr, family, false);
> +}
> EXPORT_SYMBOL_GPL(inet_bhash2_update_saddr);
>
> +void inet_bhash2_reset_saddr(struct sock *sk)
> +{
> + if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> + __inet_bhash2_update_saddr(sk, NULL, 0, true);
> +}
> +EXPORT_SYMBOL_GPL(inet_bhash2_reset_saddr);
> +
> /* RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm
> * Note that we use 32bit integers (vs RFC 'short integers')
> * because 2^16 is not a multiple of num_ephemeral and this
> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index 54836a6b81d6..4f2205756cfe 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -3114,8 +3114,7 @@ int tcp_disconnect(struct sock *sk, int flags)
>
> inet->inet_dport = 0;
>
> - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> - inet_reset_saddr(sk);
> + inet_bhash2_reset_saddr(sk);
>
> sk->sk_shutdown = 0;
> sock_reset_flag(sk, SOCK_DONE);
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 23dd7e9df2d5..da46357f501b 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -331,8 +331,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> * if necessary.
> */
> tcp_set_state(sk, TCP_CLOSE);
> - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> - inet_reset_saddr(sk);
> + inet_bhash2_reset_saddr(sk);
> ip_rt_put(rt);
> sk->sk_route_caps = 0;
> inet->inet_dport = 0;
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index 2f3ca3190d26..f0548dbcabd2 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -346,8 +346,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
>
> late_failure:
> tcp_set_state(sk, TCP_CLOSE);
> - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> - inet_reset_saddr(sk);
> + inet_bhash2_reset_saddr(sk);
> failure:
> inet->inet_dport = 0;
> sk->sk_route_caps = 0;
> --
> 2.30.2
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 net 3/4] dccp/tcp: Update saddr under bhash's lock.
2022-11-19 1:49 ` [PATCH v4 net 3/4] dccp/tcp: Update saddr under bhash's lock Kuniyuki Iwashima
@ 2022-11-22 0:11 ` Joanne Koong
0 siblings, 0 replies; 11+ messages in thread
From: Joanne Koong @ 2022-11-22 0:11 UTC (permalink / raw)
To: Kuniyuki Iwashima
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Hideaki YOSHIFUJI, David Ahern, Arnaldo Carvalho de Melo,
Martin KaFai Lau, Mat Martineau, Ziyang Xuan (William),
Stephen Hemminger, Pengfei Xu, Kuniyuki Iwashima, netdev, dccp
On Fri, Nov 18, 2022 at 5:50 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> When we call connect() for a socket bound to a wildcard address, we update
> saddr locklessly. However, it could result in a data race; another thread
> iterating over bhash might see a corrupted address.
>
> Let's update saddr under the bhash bucket's lock.
>
> Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
> Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Joanne Koong <joannelkoong@gmail.com>
> ---
> include/net/inet_hashtables.h | 2 +-
> net/dccp/ipv4.c | 22 ++++-------------
> net/dccp/ipv6.c | 23 ++++--------------
> net/ipv4/af_inet.c | 11 +--------
> net/ipv4/inet_hashtables.c | 45 ++++++++++++++++++++++++++++++-----
> net/ipv4/tcp_ipv4.c | 20 ++++------------
> net/ipv6/tcp_ipv6.c | 19 +++------------
> 7 files changed, 56 insertions(+), 86 deletions(-)
>
> diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
> index 3af1e927247d..ba06e8b52264 100644
> --- a/include/net/inet_hashtables.h
> +++ b/include/net/inet_hashtables.h
> @@ -281,7 +281,7 @@ inet_bhash2_addr_any_hashbucket(const struct sock *sk, const struct net *net, in
> * sk_v6_rcv_saddr (ipv6) changes after it has been binded. The socket's
> * rcv_saddr field should already have been updated when this is called.
> */
> -int inet_bhash2_update_saddr(struct inet_bind_hashbucket *prev_saddr, struct sock *sk);
> +int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family);
>
> void inet_bind_hash(struct sock *sk, struct inet_bind_bucket *tb,
> struct inet_bind2_bucket *tb2, unsigned short port);
> diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
> index 40640c26680e..95e376e3b911 100644
> --- a/net/dccp/ipv4.c
> +++ b/net/dccp/ipv4.c
> @@ -45,11 +45,10 @@ static unsigned int dccp_v4_pernet_id __read_mostly;
> int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> {
> const struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
> - struct inet_bind_hashbucket *prev_addr_hashbucket = NULL;
> - __be32 daddr, nexthop, prev_sk_rcv_saddr;
> struct inet_sock *inet = inet_sk(sk);
> struct dccp_sock *dp = dccp_sk(sk);
> __be16 orig_sport, orig_dport;
> + __be32 daddr, nexthop;
> struct flowi4 *fl4;
> struct rtable *rt;
> int err;
> @@ -91,26 +90,13 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> daddr = fl4->daddr;
>
> if (inet->inet_saddr == 0) {
> - if (inet_csk(sk)->icsk_bind2_hash) {
> - prev_addr_hashbucket =
> - inet_bhashfn_portaddr(&dccp_hashinfo, sk,
> - sock_net(sk),
> - inet->inet_num);
> - prev_sk_rcv_saddr = sk->sk_rcv_saddr;
> - }
> - inet->inet_saddr = fl4->saddr;
> - }
> -
> - sk_rcv_saddr_set(sk, inet->inet_saddr);
> -
> - if (prev_addr_hashbucket) {
> - err = inet_bhash2_update_saddr(prev_addr_hashbucket, sk);
> + err = inet_bhash2_update_saddr(sk, &fl4->saddr, AF_INET);
> if (err) {
> - inet->inet_saddr = 0;
> - sk_rcv_saddr_set(sk, prev_sk_rcv_saddr);
> ip_rt_put(rt);
> return err;
> }
> + } else {
> + sk_rcv_saddr_set(sk, inet->inet_saddr);
> }
>
> inet->inet_dport = usin->sin_port;
> diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> index 626166cb6d7e..94c101ed57a9 100644
> --- a/net/dccp/ipv6.c
> +++ b/net/dccp/ipv6.c
> @@ -934,26 +934,11 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
> }
>
> if (saddr == NULL) {
> - struct inet_bind_hashbucket *prev_addr_hashbucket = NULL;
> - struct in6_addr prev_v6_rcv_saddr;
> -
> - if (icsk->icsk_bind2_hash) {
> - prev_addr_hashbucket = inet_bhashfn_portaddr(&dccp_hashinfo,
> - sk, sock_net(sk),
> - inet->inet_num);
> - prev_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
> - }
> -
> saddr = &fl6.saddr;
> - sk->sk_v6_rcv_saddr = *saddr;
> -
> - if (prev_addr_hashbucket) {
> - err = inet_bhash2_update_saddr(prev_addr_hashbucket, sk);
> - if (err) {
> - sk->sk_v6_rcv_saddr = prev_v6_rcv_saddr;
> - goto failure;
> - }
> - }
> +
> + err = inet_bhash2_update_saddr(sk, saddr, AF_INET6);
> + if (err)
> + goto failure;
> }
>
> /* set the source address */
> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
> index 4728087c42a5..0da679411330 100644
> --- a/net/ipv4/af_inet.c
> +++ b/net/ipv4/af_inet.c
> @@ -1230,7 +1230,6 @@ EXPORT_SYMBOL(inet_unregister_protosw);
>
> static int inet_sk_reselect_saddr(struct sock *sk)
> {
> - struct inet_bind_hashbucket *prev_addr_hashbucket;
> struct inet_sock *inet = inet_sk(sk);
> __be32 old_saddr = inet->inet_saddr;
> __be32 daddr = inet->inet_daddr;
> @@ -1260,16 +1259,8 @@ static int inet_sk_reselect_saddr(struct sock *sk)
> return 0;
> }
>
> - prev_addr_hashbucket =
> - inet_bhashfn_portaddr(tcp_or_dccp_get_hashinfo(sk), sk,
> - sock_net(sk), inet->inet_num);
> -
> - inet->inet_saddr = inet->inet_rcv_saddr = new_saddr;
> -
> - err = inet_bhash2_update_saddr(prev_addr_hashbucket, sk);
> + err = inet_bhash2_update_saddr(sk, &new_saddr, AF_INET);
> if (err) {
> - inet->inet_saddr = old_saddr;
> - inet->inet_rcv_saddr = old_saddr;
> ip_rt_put(rt);
> return err;
> }
> diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
> index d745f962745e..18ef370af113 100644
> --- a/net/ipv4/inet_hashtables.c
> +++ b/net/ipv4/inet_hashtables.c
> @@ -858,14 +858,34 @@ inet_bhash2_addr_any_hashbucket(const struct sock *sk, const struct net *net, in
> return &hinfo->bhash2[hash & (hinfo->bhash_size - 1)];
> }
>
> -int inet_bhash2_update_saddr(struct inet_bind_hashbucket *prev_saddr, struct sock *sk)
> +static void inet_update_saddr(struct sock *sk, void *saddr, int family)
> +{
> + if (family == AF_INET) {
> + inet_sk(sk)->inet_saddr = *(__be32 *)saddr;
> + sk_rcv_saddr_set(sk, inet_sk(sk)->inet_saddr);
> + }
> +#if IS_ENABLED(CONFIG_IPV6)
> + else {
> + sk->sk_v6_rcv_saddr = *(struct in6_addr *)saddr;
> + }
> +#endif
> +}
> +
> +int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> {
> struct inet_hashinfo *hinfo = tcp_or_dccp_get_hashinfo(sk);
> + struct inet_bind_hashbucket *head, *head2;
> struct inet_bind2_bucket *tb2, *new_tb2;
> int l3mdev = inet_sk_bound_l3mdev(sk);
> - struct inet_bind_hashbucket *head2;
> int port = inet_sk(sk)->inet_num;
> struct net *net = sock_net(sk);
> + int bhash;
> +
> + if (!inet_csk(sk)->icsk_bind2_hash) {
> + /* Not bind()ed before. */
> + inet_update_saddr(sk, saddr, family);
> + return 0;
> + }
>
> /* Allocate a bind2 bucket ahead of time to avoid permanently putting
> * the bhash2 table in an inconsistent state if a new tb2 bucket
> @@ -875,14 +895,25 @@ int inet_bhash2_update_saddr(struct inet_bind_hashbucket *prev_saddr, struct soc
> if (!new_tb2)
> return -ENOMEM;
>
> + bhash = inet_bhashfn(net, port, hinfo->bhash_size);
> + head = &hinfo->bhash[bhash];
> head2 = inet_bhashfn_portaddr(hinfo, sk, net, port);
>
> - spin_lock_bh(&prev_saddr->lock);
> + /* If we change saddr locklessly, another thread
> + * iterating over bhash might see corrupted address.
> + */
> + spin_lock_bh(&head->lock);
> +
> + spin_lock(&head2->lock);
> __sk_del_bind2_node(sk);
> inet_bind2_bucket_destroy(hinfo->bind2_bucket_cachep, inet_csk(sk)->icsk_bind2_hash);
> - spin_unlock_bh(&prev_saddr->lock);
> + spin_unlock(&head2->lock);
> +
> + inet_update_saddr(sk, saddr, family);
>
> - spin_lock_bh(&head2->lock);
> + head2 = inet_bhashfn_portaddr(hinfo, sk, net, port);
> +
> + spin_lock(&head2->lock);
> tb2 = inet_bind2_bucket_find(head2, net, port, l3mdev, sk);
> if (!tb2) {
> tb2 = new_tb2;
> @@ -890,7 +921,9 @@ int inet_bhash2_update_saddr(struct inet_bind_hashbucket *prev_saddr, struct soc
> }
> sk_add_bind2_node(sk, &tb2->owners);
> inet_csk(sk)->icsk_bind2_hash = tb2;
> - spin_unlock_bh(&head2->lock);
> + spin_unlock(&head2->lock);
> +
> + spin_unlock_bh(&head->lock);
>
> if (tb2 != new_tb2)
> kmem_cache_free(hinfo->bind2_bucket_cachep, new_tb2);
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 6a3a732b584d..23dd7e9df2d5 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -199,15 +199,14 @@ static int tcp_v4_pre_connect(struct sock *sk, struct sockaddr *uaddr,
> /* This will initiate an outgoing connection. */
> int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> {
> - struct inet_bind_hashbucket *prev_addr_hashbucket = NULL;
> struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
> struct inet_timewait_death_row *tcp_death_row;
> - __be32 daddr, nexthop, prev_sk_rcv_saddr;
> struct inet_sock *inet = inet_sk(sk);
> struct tcp_sock *tp = tcp_sk(sk);
> struct ip_options_rcu *inet_opt;
> struct net *net = sock_net(sk);
> __be16 orig_sport, orig_dport;
> + __be32 daddr, nexthop;
> struct flowi4 *fl4;
> struct rtable *rt;
> int err;
> @@ -251,24 +250,13 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> tcp_death_row = &sock_net(sk)->ipv4.tcp_death_row;
>
> if (!inet->inet_saddr) {
> - if (inet_csk(sk)->icsk_bind2_hash) {
> - prev_addr_hashbucket = inet_bhashfn_portaddr(tcp_death_row->hashinfo,
> - sk, net, inet->inet_num);
> - prev_sk_rcv_saddr = sk->sk_rcv_saddr;
> - }
> - inet->inet_saddr = fl4->saddr;
> - }
> -
> - sk_rcv_saddr_set(sk, inet->inet_saddr);
> -
> - if (prev_addr_hashbucket) {
> - err = inet_bhash2_update_saddr(prev_addr_hashbucket, sk);
> + err = inet_bhash2_update_saddr(sk, &fl4->saddr, AF_INET);
> if (err) {
> - inet->inet_saddr = 0;
> - sk_rcv_saddr_set(sk, prev_sk_rcv_saddr);
> ip_rt_put(rt);
> return err;
> }
> + } else {
> + sk_rcv_saddr_set(sk, inet->inet_saddr);
> }
>
> if (tp->rx_opt.ts_recent_stamp && inet->inet_daddr != daddr) {
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index 81b396e5cf79..2f3ca3190d26 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -292,24 +292,11 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
> tcp_death_row = &sock_net(sk)->ipv4.tcp_death_row;
>
> if (!saddr) {
> - struct inet_bind_hashbucket *prev_addr_hashbucket = NULL;
> - struct in6_addr prev_v6_rcv_saddr;
> -
> - if (icsk->icsk_bind2_hash) {
> - prev_addr_hashbucket = inet_bhashfn_portaddr(tcp_death_row->hashinfo,
> - sk, net, inet->inet_num);
> - prev_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
> - }
> saddr = &fl6.saddr;
> - sk->sk_v6_rcv_saddr = *saddr;
>
> - if (prev_addr_hashbucket) {
> - err = inet_bhash2_update_saddr(prev_addr_hashbucket, sk);
> - if (err) {
> - sk->sk_v6_rcv_saddr = prev_v6_rcv_saddr;
> - goto failure;
> - }
> - }
> + err = inet_bhash2_update_saddr(sk, saddr, AF_INET6);
> + if (err)
> + goto failure;
> }
>
> /* set the source address */
> --
> 2.30.2
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 net 4/4] dccp/tcp: Fixup bhash2 bucket when connect() fails.
2022-11-21 23:41 ` Joanne Koong
@ 2022-11-22 0:50 ` Kuniyuki Iwashima
2022-11-22 17:54 ` Joanne Koong
0 siblings, 1 reply; 11+ messages in thread
From: Kuniyuki Iwashima @ 2022-11-22 0:50 UTC (permalink / raw)
To: joannelkoong
Cc: acme, davem, dccp, dsahern, edumazet, kuba, kuni1840, kuniyu,
martin.lau, mathew.j.martineau, netdev, pabeni, pengfei.xu,
stephen, syzkaller, william.xuanziyang, yoshfuji
From: Joanne Koong <joannelkoong@gmail.com>
Date: Mon, 21 Nov 2022 15:41:43 -0800
> On Fri, Nov 18, 2022 at 5:51 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
> >
> > If a socket bound to a wildcard address fails to connect(), we
> > only reset saddr and keep the port. Then, we have to fix up the
> > bhash2 bucket; otherwise, the bucket has an inconsistent address
> > in the list.
> >
> > Also, listen() for such a socket will fire the WARN_ON() in
> > inet_csk_get_port(). [0]
> >
> > Note that when a system runs out of memory, we give up fixing the
> > bucket and unlink sk from bhash and bhash2 by inet_put_port().
> >
> > [0]:
> > WARNING: CPU: 0 PID: 207 at net/ipv4/inet_connection_sock.c:548 inet_csk_get_port (net/ipv4/inet_connection_sock.c:548 (discriminator 1))
> > Modules linked in:
> > CPU: 0 PID: 207 Comm: bhash2_prev_rep Not tainted 6.1.0-rc3-00799-gc8421681c845 #63
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014
> > RIP: 0010:inet_csk_get_port (net/ipv4/inet_connection_sock.c:548 (discriminator 1))
> > Code: 74 a7 eb 93 48 8b 54 24 18 0f b7 cb 4c 89 e6 4c 89 ff e8 48 b2 ff ff 49 8b 87 18 04 00 00 e9 32 ff ff ff 0f 0b e9 34 ff ff ff <0f> 0b e9 42 ff ff ff 41 8b 7f 50 41 8b 4f 54 89 fe 81 f6 00 00 ff
> > RSP: 0018:ffffc900003d7e50 EFLAGS: 00010202
> > RAX: ffff8881047fb500 RBX: 0000000000004e20 RCX: 0000000000000000
> > RDX: 000000000000000a RSI: 00000000fffffe00 RDI: 00000000ffffffff
> > RBP: ffffffff8324dc00 R08: 0000000000000001 R09: 0000000000000001
> > R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
> > R13: 0000000000000001 R14: 0000000000004e20 R15: ffff8881054e1280
> > FS: 00007f8ac04dc740(0000) GS:ffff88842fc00000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000020001540 CR3: 00000001055fa003 CR4: 0000000000770ef0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > PKRU: 55555554
> > Call Trace:
> > <TASK>
> > inet_csk_listen_start (net/ipv4/inet_connection_sock.c:1205)
> > inet_listen (net/ipv4/af_inet.c:228)
> > __sys_listen (net/socket.c:1810)
> > __x64_sys_listen (net/socket.c:1819 net/socket.c:1817 net/socket.c:1817)
> > do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> > entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
> > RIP: 0033:0x7f8ac051de5d
> > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48
> > RSP: 002b:00007ffc1c177248 EFLAGS: 00000206 ORIG_RAX: 0000000000000032
> > RAX: ffffffffffffffda RBX: 0000000020001550 RCX: 00007f8ac051de5d
> > RDX: ffffffffffffff80 RSI: 0000000000000000 RDI: 0000000000000004
> > RBP: 00007ffc1c177270 R08: 0000000000000018 R09: 0000000000000007
> > R10: 0000000020001540 R11: 0000000000000206 R12: 00007ffc1c177388
> > R13: 0000000000401169 R14: 0000000000403e18 R15: 00007f8ac0723000
> > </TASK>
> >
> > Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address")
> > Reported-by: syzbot <syzkaller@googlegroups.com>
> > Reported-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
>
> Acked-by: Joanne Koong <joannelkoong@gmail.com>
Thanks for all your help!
> > ---
> > include/net/inet_hashtables.h | 1 +
> > net/dccp/ipv4.c | 3 +--
> > net/dccp/ipv6.c | 3 +--
> > net/dccp/proto.c | 3 +--
> > net/ipv4/inet_hashtables.c | 38 +++++++++++++++++++++++++++++++----
> > net/ipv4/tcp.c | 3 +--
> > net/ipv4/tcp_ipv4.c | 3 +--
> > net/ipv6/tcp_ipv6.c | 3 +--
> > 8 files changed, 41 insertions(+), 16 deletions(-)
> >
> > diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
> > index ba06e8b52264..69174093078f 100644
> > --- a/include/net/inet_hashtables.h
> > +++ b/include/net/inet_hashtables.h
> > @@ -282,6 +282,7 @@ inet_bhash2_addr_any_hashbucket(const struct sock *sk, const struct net *net, in
> > * rcv_saddr field should already have been updated when this is called.
> > */
> > int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family);
> > +void inet_bhash2_reset_saddr(struct sock *sk);
> >
> > void inet_bind_hash(struct sock *sk, struct inet_bind_bucket *tb,
> > struct inet_bind2_bucket *tb2, unsigned short port);
> > diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
> > index 95e376e3b911..b780827f5e0a 100644
> > --- a/net/dccp/ipv4.c
> > +++ b/net/dccp/ipv4.c
> > @@ -143,8 +143,7 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> > * This unhashes the socket and releases the local port, if necessary.
> > */
> > dccp_set_state(sk, DCCP_CLOSED);
> > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > - inet_reset_saddr(sk);
> > + inet_bhash2_reset_saddr(sk);
> > ip_rt_put(rt);
> > sk->sk_route_caps = 0;
> > inet->inet_dport = 0;
> > diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> > index 94c101ed57a9..602f3432d80b 100644
> > --- a/net/dccp/ipv6.c
> > +++ b/net/dccp/ipv6.c
> > @@ -970,8 +970,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
> >
> > late_failure:
> > dccp_set_state(sk, DCCP_CLOSED);
> > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > - inet_reset_saddr(sk);
> > + inet_bhash2_reset_saddr(sk);
> > __sk_dst_reset(sk);
> > failure:
> > inet->inet_dport = 0;
> > diff --git a/net/dccp/proto.c b/net/dccp/proto.c
> > index c548ca3e9b0e..85e35c5e8890 100644
> > --- a/net/dccp/proto.c
> > +++ b/net/dccp/proto.c
> > @@ -279,8 +279,7 @@ int dccp_disconnect(struct sock *sk, int flags)
> >
> > inet->inet_dport = 0;
> >
> > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > - inet_reset_saddr(sk);
> > + inet_bhash2_reset_saddr(sk);
> >
> > sk->sk_shutdown = 0;
> > sock_reset_flag(sk, SOCK_DONE);
> > diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
> > index 18ef370af113..3cec471a2cd2 100644
> > --- a/net/ipv4/inet_hashtables.c
> > +++ b/net/ipv4/inet_hashtables.c
> > @@ -871,7 +871,7 @@ static void inet_update_saddr(struct sock *sk, void *saddr, int family)
> > #endif
> > }
> >
> > -int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> > +static int __inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family, bool reset)
> > {
> > struct inet_hashinfo *hinfo = tcp_or_dccp_get_hashinfo(sk);
> > struct inet_bind_hashbucket *head, *head2;
> > @@ -883,7 +883,11 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> >
> > if (!inet_csk(sk)->icsk_bind2_hash) {
> > /* Not bind()ed before. */
> > - inet_update_saddr(sk, saddr, family);
> > + if (reset)
> > + inet_reset_saddr(sk);
> > + else
> > + inet_update_saddr(sk, saddr, family);
> > +
> > return 0;
> > }
> >
> > @@ -892,8 +896,19 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> > * allocation fails.
> > */
> > new_tb2 = kmem_cache_alloc(hinfo->bind2_bucket_cachep, GFP_ATOMIC);
> > - if (!new_tb2)
> > + if (!new_tb2) {
> > + if (reset) {
> > + /* The (INADDR_ANY, port) bucket might have already
> > + * been freed, then we cannot fixup icsk_bind2_hash,
> > + * so we give up and unlink sk from bhash/bhash2 not
> > + * to leave inconsistency in bhash2.
> > + */
> > + inet_put_port(sk);
> > + inet_reset_saddr(sk);
> > + }
>
> nit: I think this is better placed in the dccp/tcp_ipv4/6 layer, to
> make it clear / more obvious that the sk gets unbinded in this edge
> case.
But it duplicates 2 calls (and a comment) across 6 places.
or we can move it to inet_bhash2_reset_saddr() like
void inet_bhash2_reset_saddr(struct sock *sk)
{
if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK) &&
__inet_bhash2_update_saddr(sk, NULL, 0, true) {
inet_put_port(sk);
inet_reset_saddr(sk);
}
}
EXPORT_SYMBOL_GPL(inet_bhash2_reset_saddr);
I'm fine with whichever, which do you like ?
Or we can go as is and post a follow-up.
>
> > +
> > return -ENOMEM;
> > + }
> >
> > bhash = inet_bhashfn(net, port, hinfo->bhash_size);
> > head = &hinfo->bhash[bhash];
> > @@ -909,7 +924,10 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> > inet_bind2_bucket_destroy(hinfo->bind2_bucket_cachep, inet_csk(sk)->icsk_bind2_hash);
> > spin_unlock(&head2->lock);
> >
> > - inet_update_saddr(sk, saddr, family);
> > + if (reset)
> > + inet_reset_saddr(sk);
> > + else
> > + inet_update_saddr(sk, saddr, family);
> >
> > head2 = inet_bhashfn_portaddr(hinfo, sk, net, port);
> >
> > @@ -930,8 +948,20 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> >
> > return 0;
> > }
> > +
> > +int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> > +{
> > + return __inet_bhash2_update_saddr(sk, saddr, family, false);
> > +}
> > EXPORT_SYMBOL_GPL(inet_bhash2_update_saddr);
> >
> > +void inet_bhash2_reset_saddr(struct sock *sk)
> > +{
> > + if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > + __inet_bhash2_update_saddr(sk, NULL, 0, true);
> > +}
> > +EXPORT_SYMBOL_GPL(inet_bhash2_reset_saddr);
>
> > +
> > /* RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm
> > * Note that we use 32bit integers (vs RFC 'short integers')
> > * because 2^16 is not a multiple of num_ephemeral and this
> > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> > index 54836a6b81d6..4f2205756cfe 100644
> > --- a/net/ipv4/tcp.c
> > +++ b/net/ipv4/tcp.c
> > @@ -3114,8 +3114,7 @@ int tcp_disconnect(struct sock *sk, int flags)
> >
> > inet->inet_dport = 0;
> >
> > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > - inet_reset_saddr(sk);
> > + inet_bhash2_reset_saddr(sk);
> >
> > sk->sk_shutdown = 0;
> > sock_reset_flag(sk, SOCK_DONE);
> > diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> > index 23dd7e9df2d5..da46357f501b 100644
> > --- a/net/ipv4/tcp_ipv4.c
> > +++ b/net/ipv4/tcp_ipv4.c
> > @@ -331,8 +331,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> > * if necessary.
> > */
> > tcp_set_state(sk, TCP_CLOSE);
> > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > - inet_reset_saddr(sk);
> > + inet_bhash2_reset_saddr(sk);
> > ip_rt_put(rt);
> > sk->sk_route_caps = 0;
> > inet->inet_dport = 0;
> > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> > index 2f3ca3190d26..f0548dbcabd2 100644
> > --- a/net/ipv6/tcp_ipv6.c
> > +++ b/net/ipv6/tcp_ipv6.c
> > @@ -346,8 +346,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
> >
> > late_failure:
> > tcp_set_state(sk, TCP_CLOSE);
> > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > - inet_reset_saddr(sk);
> > + inet_bhash2_reset_saddr(sk);
> > failure:
> > inet->inet_dport = 0;
> > sk->sk_route_caps = 0;
> > --
> > 2.30.2
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port().
2022-11-19 1:49 [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port() Kuniyuki Iwashima
` (3 preceding siblings ...)
2022-11-19 1:49 ` [PATCH v4 net 4/4] dccp/tcp: Fixup bhash2 bucket when connect() fails Kuniyuki Iwashima
@ 2022-11-22 17:54 ` Eric Dumazet
2022-11-23 5:00 ` patchwork-bot+netdevbpf
5 siblings, 0 replies; 11+ messages in thread
From: Eric Dumazet @ 2022-11-22 17:54 UTC (permalink / raw)
To: Kuniyuki Iwashima
Cc: David S. Miller, Jakub Kicinski, Paolo Abeni, Hideaki YOSHIFUJI,
David Ahern, Arnaldo Carvalho de Melo, Joanne Koong,
Martin KaFai Lau, Mat Martineau, Ziyang Xuan (William),
Stephen Hemminger, Pengfei Xu, Kuniyuki Iwashima, netdev, dccp
On Fri, Nov 18, 2022 at 5:49 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> syzkaller was hitting a WARN_ON() in inet_csk_get_port() in the 4th patch,
> which was because we forgot to fix up bhash2 bucket when connect() for a
> socket bound to a wildcard address fails in __inet_stream_connect().
>
> There was a similar report [0], but its repro does not fire the WARN_ON() due
> to inconsistent error handling.
>
> When connect() for a socket bound to a wildcard address fails, saddr may or
> may not be reset depending on where the failure happens. When we fail in
> __inet_stream_connect(), sk->sk_prot->disconnect() resets saddr. OTOH, in
> (dccp|tcp)_v[46]_connect(), if we fail after inet_hash6?_connect(), we
> forget to reset saddr.
>
> We fix this inconsistent error handling in the 1st patch, and then we'll
> fix the bhash2 WARN_ON() issue.
>
> Note that there is still an issue in that we reset saddr without checking
> if there are conflicting sockets in bhash and bhash2, but this should be
> another series.
>
> See [1][2] for the previous discussion.
>
> [0]: https://lore.kernel.org/netdev/0000000000003f33bc05dfaf44fe@google.com/
> [1]: https://lore.kernel.org/netdev/20221029001249.86337-1-kuniyu@amazon.com/
> [2]: https://lore.kernel.org/netdev/20221103172419.20977-1-kuniyu@amazon.com/
> [3]: https://lore.kernel.org/netdev/20221118081906.053d5231@kernel.org/T/#m00aafedb29ff0b55d5e67aef0252ef1baaf4b6ee
>
>
> Changes:
> v4:
> * Patch 3
> * Narrow down the bhash lock section (Joanne Koong)
>
> v3: https://lore.kernel.org/netdev/20221118205839.14312-1-kuniyu@amazon.com/
> * Patch 3
> * Update saddr under the bhash's lock
> * Correct Fixes tag
> * Change #ifdef in inet_update_saddr() along the recent
> discussion [3]
>
> v2: https://lore.kernel.org/netdev/20221116222805.64734-1-kuniyu@amazon.com/
> * Add patch 2-4
>
> v1: [2]
>
>
> Kuniyuki Iwashima (4):
> dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
> dccp/tcp: Remove NULL check for prev_saddr in
> inet_bhash2_update_saddr().
> dccp/tcp: Update saddr under bhash's lock.
> dccp/tcp: Fixup bhash2 bucket when connect() fails.
SGTM, thanks !
Reviewed-by: Eric Dumazet <edumazet@google.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 net 4/4] dccp/tcp: Fixup bhash2 bucket when connect() fails.
2022-11-22 0:50 ` Kuniyuki Iwashima
@ 2022-11-22 17:54 ` Joanne Koong
0 siblings, 0 replies; 11+ messages in thread
From: Joanne Koong @ 2022-11-22 17:54 UTC (permalink / raw)
To: Kuniyuki Iwashima
Cc: acme, davem, dccp, dsahern, edumazet, kuba, kuni1840, martin.lau,
mathew.j.martineau, netdev, pabeni, pengfei.xu, stephen,
syzkaller, william.xuanziyang, yoshfuji
On Mon, Nov 21, 2022 at 4:51 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> From: Joanne Koong <joannelkoong@gmail.com>
> Date: Mon, 21 Nov 2022 15:41:43 -0800
> > On Fri, Nov 18, 2022 at 5:51 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
> > >
> > > If a socket bound to a wildcard address fails to connect(), we
> > > only reset saddr and keep the port. Then, we have to fix up the
> > > bhash2 bucket; otherwise, the bucket has an inconsistent address
> > > in the list.
> > >
> > > Also, listen() for such a socket will fire the WARN_ON() in
> > > inet_csk_get_port(). [0]
> > >
> > > Note that when a system runs out of memory, we give up fixing the
> > > bucket and unlink sk from bhash and bhash2 by inet_put_port().
> > >
> > > [0]:
> > > WARNING: CPU: 0 PID: 207 at net/ipv4/inet_connection_sock.c:548 inet_csk_get_port (net/ipv4/inet_connection_sock.c:548 (discriminator 1))
> > > Modules linked in:
> > > CPU: 0 PID: 207 Comm: bhash2_prev_rep Not tainted 6.1.0-rc3-00799-gc8421681c845 #63
> > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014
> > > RIP: 0010:inet_csk_get_port (net/ipv4/inet_connection_sock.c:548 (discriminator 1))
> > > Code: 74 a7 eb 93 48 8b 54 24 18 0f b7 cb 4c 89 e6 4c 89 ff e8 48 b2 ff ff 49 8b 87 18 04 00 00 e9 32 ff ff ff 0f 0b e9 34 ff ff ff <0f> 0b e9 42 ff ff ff 41 8b 7f 50 41 8b 4f 54 89 fe 81 f6 00 00 ff
> > > RSP: 0018:ffffc900003d7e50 EFLAGS: 00010202
> > > RAX: ffff8881047fb500 RBX: 0000000000004e20 RCX: 0000000000000000
> > > RDX: 000000000000000a RSI: 00000000fffffe00 RDI: 00000000ffffffff
> > > RBP: ffffffff8324dc00 R08: 0000000000000001 R09: 0000000000000001
> > > R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
> > > R13: 0000000000000001 R14: 0000000000004e20 R15: ffff8881054e1280
> > > FS: 00007f8ac04dc740(0000) GS:ffff88842fc00000(0000) knlGS:0000000000000000
> > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 0000000020001540 CR3: 00000001055fa003 CR4: 0000000000770ef0
> > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > > PKRU: 55555554
> > > Call Trace:
> > > <TASK>
> > > inet_csk_listen_start (net/ipv4/inet_connection_sock.c:1205)
> > > inet_listen (net/ipv4/af_inet.c:228)
> > > __sys_listen (net/socket.c:1810)
> > > __x64_sys_listen (net/socket.c:1819 net/socket.c:1817 net/socket.c:1817)
> > > do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> > > entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
> > > RIP: 0033:0x7f8ac051de5d
> > > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48
> > > RSP: 002b:00007ffc1c177248 EFLAGS: 00000206 ORIG_RAX: 0000000000000032
> > > RAX: ffffffffffffffda RBX: 0000000020001550 RCX: 00007f8ac051de5d
> > > RDX: ffffffffffffff80 RSI: 0000000000000000 RDI: 0000000000000004
> > > RBP: 00007ffc1c177270 R08: 0000000000000018 R09: 0000000000000007
> > > R10: 0000000020001540 R11: 0000000000000206 R12: 00007ffc1c177388
> > > R13: 0000000000401169 R14: 0000000000403e18 R15: 00007f8ac0723000
> > > </TASK>
> > >
> > > Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address")
> > > Reported-by: syzbot <syzkaller@googlegroups.com>
> > > Reported-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
> > > Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
> >
> > Acked-by: Joanne Koong <joannelkoong@gmail.com>
>
> Thanks for all your help!
>
>
> > > ---
> > > include/net/inet_hashtables.h | 1 +
> > > net/dccp/ipv4.c | 3 +--
> > > net/dccp/ipv6.c | 3 +--
> > > net/dccp/proto.c | 3 +--
> > > net/ipv4/inet_hashtables.c | 38 +++++++++++++++++++++++++++++++----
> > > net/ipv4/tcp.c | 3 +--
> > > net/ipv4/tcp_ipv4.c | 3 +--
> > > net/ipv6/tcp_ipv6.c | 3 +--
> > > 8 files changed, 41 insertions(+), 16 deletions(-)
> > >
> > > diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
> > > index ba06e8b52264..69174093078f 100644
> > > --- a/include/net/inet_hashtables.h
> > > +++ b/include/net/inet_hashtables.h
> > > @@ -282,6 +282,7 @@ inet_bhash2_addr_any_hashbucket(const struct sock *sk, const struct net *net, in
> > > * rcv_saddr field should already have been updated when this is called.
> > > */
> > > int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family);
> > > +void inet_bhash2_reset_saddr(struct sock *sk);
> > >
> > > void inet_bind_hash(struct sock *sk, struct inet_bind_bucket *tb,
> > > struct inet_bind2_bucket *tb2, unsigned short port);
> > > diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
> > > index 95e376e3b911..b780827f5e0a 100644
> > > --- a/net/dccp/ipv4.c
> > > +++ b/net/dccp/ipv4.c
> > > @@ -143,8 +143,7 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> > > * This unhashes the socket and releases the local port, if necessary.
> > > */
> > > dccp_set_state(sk, DCCP_CLOSED);
> > > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > > - inet_reset_saddr(sk);
> > > + inet_bhash2_reset_saddr(sk);
> > > ip_rt_put(rt);
> > > sk->sk_route_caps = 0;
> > > inet->inet_dport = 0;
> > > diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> > > index 94c101ed57a9..602f3432d80b 100644
> > > --- a/net/dccp/ipv6.c
> > > +++ b/net/dccp/ipv6.c
> > > @@ -970,8 +970,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
> > >
> > > late_failure:
> > > dccp_set_state(sk, DCCP_CLOSED);
> > > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > > - inet_reset_saddr(sk);
> > > + inet_bhash2_reset_saddr(sk);
> > > __sk_dst_reset(sk);
> > > failure:
> > > inet->inet_dport = 0;
> > > diff --git a/net/dccp/proto.c b/net/dccp/proto.c
> > > index c548ca3e9b0e..85e35c5e8890 100644
> > > --- a/net/dccp/proto.c
> > > +++ b/net/dccp/proto.c
> > > @@ -279,8 +279,7 @@ int dccp_disconnect(struct sock *sk, int flags)
> > >
> > > inet->inet_dport = 0;
> > >
> > > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > > - inet_reset_saddr(sk);
> > > + inet_bhash2_reset_saddr(sk);
> > >
> > > sk->sk_shutdown = 0;
> > > sock_reset_flag(sk, SOCK_DONE);
> > > diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
> > > index 18ef370af113..3cec471a2cd2 100644
> > > --- a/net/ipv4/inet_hashtables.c
> > > +++ b/net/ipv4/inet_hashtables.c
> > > @@ -871,7 +871,7 @@ static void inet_update_saddr(struct sock *sk, void *saddr, int family)
> > > #endif
> > > }
> > >
> > > -int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> > > +static int __inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family, bool reset)
> > > {
> > > struct inet_hashinfo *hinfo = tcp_or_dccp_get_hashinfo(sk);
> > > struct inet_bind_hashbucket *head, *head2;
> > > @@ -883,7 +883,11 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> > >
> > > if (!inet_csk(sk)->icsk_bind2_hash) {
> > > /* Not bind()ed before. */
> > > - inet_update_saddr(sk, saddr, family);
> > > + if (reset)
> > > + inet_reset_saddr(sk);
> > > + else
> > > + inet_update_saddr(sk, saddr, family);
> > > +
> > > return 0;
> > > }
> > >
> > > @@ -892,8 +896,19 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> > > * allocation fails.
> > > */
> > > new_tb2 = kmem_cache_alloc(hinfo->bind2_bucket_cachep, GFP_ATOMIC);
> > > - if (!new_tb2)
> > > + if (!new_tb2) {
> > > + if (reset) {
> > > + /* The (INADDR_ANY, port) bucket might have already
> > > + * been freed, then we cannot fixup icsk_bind2_hash,
> > > + * so we give up and unlink sk from bhash/bhash2 not
> > > + * to leave inconsistency in bhash2.
> > > + */
> > > + inet_put_port(sk);
> > > + inet_reset_saddr(sk);
> > > + }
> >
> > nit: I think this is better placed in the dccp/tcp_ipv4/6 layer, to
> > make it clear / more obvious that the sk gets unbinded in this edge
> > case.
>
> But it duplicates 2 calls (and a comment) across 6 places.
>
> or we can move it to inet_bhash2_reset_saddr() like
>
> void inet_bhash2_reset_saddr(struct sock *sk)
> {
> if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK) &&
> __inet_bhash2_update_saddr(sk, NULL, 0, true) {
> inet_put_port(sk);
> inet_reset_saddr(sk);
> }
> }
> EXPORT_SYMBOL_GPL(inet_bhash2_reset_saddr);
>
> I'm fine with whichever, which do you like ?
>
> Or we can go as is and post a follow-up.
>
I'm fine with whichever too. I think it being in
inet_bhash2_reset_saddr() would be clearer than it being within
__inet_bhash2_update_saddr().
Thanks for your work on this!
>
> >
> > > +
> > > return -ENOMEM;
> > > + }
> > >
> > > bhash = inet_bhashfn(net, port, hinfo->bhash_size);
> > > head = &hinfo->bhash[bhash];
> > > @@ -909,7 +924,10 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> > > inet_bind2_bucket_destroy(hinfo->bind2_bucket_cachep, inet_csk(sk)->icsk_bind2_hash);
> > > spin_unlock(&head2->lock);
> > >
> > > - inet_update_saddr(sk, saddr, family);
> > > + if (reset)
> > > + inet_reset_saddr(sk);
> > > + else
> > > + inet_update_saddr(sk, saddr, family);
> > >
> > > head2 = inet_bhashfn_portaddr(hinfo, sk, net, port);
> > >
> > > @@ -930,8 +948,20 @@ int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> > >
> > > return 0;
> > > }
> > > +
> > > +int inet_bhash2_update_saddr(struct sock *sk, void *saddr, int family)
> > > +{
> > > + return __inet_bhash2_update_saddr(sk, saddr, family, false);
> > > +}
> > > EXPORT_SYMBOL_GPL(inet_bhash2_update_saddr);
> > >
> > > +void inet_bhash2_reset_saddr(struct sock *sk)
> > > +{
> > > + if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > > + __inet_bhash2_update_saddr(sk, NULL, 0, true);
> > > +}
> > > +EXPORT_SYMBOL_GPL(inet_bhash2_reset_saddr);
> >
> > > +
> > > /* RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm
> > > * Note that we use 32bit integers (vs RFC 'short integers')
> > > * because 2^16 is not a multiple of num_ephemeral and this
> > > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> > > index 54836a6b81d6..4f2205756cfe 100644
> > > --- a/net/ipv4/tcp.c
> > > +++ b/net/ipv4/tcp.c
> > > @@ -3114,8 +3114,7 @@ int tcp_disconnect(struct sock *sk, int flags)
> > >
> > > inet->inet_dport = 0;
> > >
> > > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > > - inet_reset_saddr(sk);
> > > + inet_bhash2_reset_saddr(sk);
> > >
> > > sk->sk_shutdown = 0;
> > > sock_reset_flag(sk, SOCK_DONE);
> > > diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> > > index 23dd7e9df2d5..da46357f501b 100644
> > > --- a/net/ipv4/tcp_ipv4.c
> > > +++ b/net/ipv4/tcp_ipv4.c
> > > @@ -331,8 +331,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
> > > * if necessary.
> > > */
> > > tcp_set_state(sk, TCP_CLOSE);
> > > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > > - inet_reset_saddr(sk);
> > > + inet_bhash2_reset_saddr(sk);
> > > ip_rt_put(rt);
> > > sk->sk_route_caps = 0;
> > > inet->inet_dport = 0;
> > > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> > > index 2f3ca3190d26..f0548dbcabd2 100644
> > > --- a/net/ipv6/tcp_ipv6.c
> > > +++ b/net/ipv6/tcp_ipv6.c
> > > @@ -346,8 +346,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
> > >
> > > late_failure:
> > > tcp_set_state(sk, TCP_CLOSE);
> > > - if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
> > > - inet_reset_saddr(sk);
> > > + inet_bhash2_reset_saddr(sk);
> > > failure:
> > > inet->inet_dport = 0;
> > > sk->sk_route_caps = 0;
> > > --
> > > 2.30.2
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port().
2022-11-19 1:49 [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port() Kuniyuki Iwashima
` (4 preceding siblings ...)
2022-11-22 17:54 ` [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port() Eric Dumazet
@ 2022-11-23 5:00 ` patchwork-bot+netdevbpf
5 siblings, 0 replies; 11+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-11-23 5:00 UTC (permalink / raw)
To: Kuniyuki Iwashima
Cc: davem, edumazet, kuba, pabeni, yoshfuji, dsahern, acme,
joannelkoong, martin.lau, mathew.j.martineau, william.xuanziyang,
stephen, pengfei.xu, kuni1840, netdev, dccp
Hello:
This series was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:
On Fri, 18 Nov 2022 17:49:10 -0800 you wrote:
> syzkaller was hitting a WARN_ON() in inet_csk_get_port() in the 4th patch,
> which was because we forgot to fix up bhash2 bucket when connect() for a
> socket bound to a wildcard address fails in __inet_stream_connect().
>
> There was a similar report [0], but its repro does not fire the WARN_ON() due
> to inconsistent error handling.
>
> [...]
Here is the summary with links:
- [v4,net,1/4] dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
https://git.kernel.org/netdev/net/c/77934dc6db0d
- [v4,net,2/4] dccp/tcp: Remove NULL check for prev_saddr in inet_bhash2_update_saddr().
https://git.kernel.org/netdev/net/c/8acdad37cd13
- [v4,net,3/4] dccp/tcp: Update saddr under bhash's lock.
https://git.kernel.org/netdev/net/c/8c5dae4c1a49
- [v4,net,4/4] dccp/tcp: Fixup bhash2 bucket when connect() fails.
https://git.kernel.org/netdev/net/c/e0833d1fedb0
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2022-11-23 5:00 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-19 1:49 [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port() Kuniyuki Iwashima
2022-11-19 1:49 ` [PATCH v4 net 1/4] dccp/tcp: Reset saddr on failure after inet6?_hash_connect() Kuniyuki Iwashima
2022-11-19 1:49 ` [PATCH v4 net 2/4] dccp/tcp: Remove NULL check for prev_saddr in inet_bhash2_update_saddr() Kuniyuki Iwashima
2022-11-19 1:49 ` [PATCH v4 net 3/4] dccp/tcp: Update saddr under bhash's lock Kuniyuki Iwashima
2022-11-22 0:11 ` Joanne Koong
2022-11-19 1:49 ` [PATCH v4 net 4/4] dccp/tcp: Fixup bhash2 bucket when connect() fails Kuniyuki Iwashima
2022-11-21 23:41 ` Joanne Koong
2022-11-22 0:50 ` Kuniyuki Iwashima
2022-11-22 17:54 ` Joanne Koong
2022-11-22 17:54 ` [PATCH v4 net 0/4] dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port() Eric Dumazet
2022-11-23 5:00 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).