From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, syzbot <syzkaller@googlegroups.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 67/76] tcp: cdg: allow tcp_cdg_release() to be called multiple times
Date: Wed, 23 Nov 2022 09:51:06 +0100 [thread overview]
Message-ID: <20221123084548.946954769@linuxfoundation.org> (raw)
In-Reply-To: <20221123084546.742331901@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
commit 72e560cb8c6f80fc2b4afc5d3634a32465e13a51 upstream.
Apparently, mptcp is able to call tcp_disconnect() on an already
disconnected flow. This is generally fine, unless current congestion
control is CDG, because it might trigger a double-free [1]
Instead of fixing MPTCP, and future bugs, we can make tcp_disconnect()
more resilient.
[1]
BUG: KASAN: double-free in slab_free mm/slub.c:3539 [inline]
BUG: KASAN: double-free in kfree+0xe2/0x580 mm/slub.c:4567
CPU: 0 PID: 3645 Comm: kworker/0:7 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: events mptcp_worker
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report_invalid_free+0x81/0x190 mm/kasan/report.c:462
____kasan_slab_free+0x18b/0x1c0 mm/kasan/common.c:356
kasan_slab_free include/linux/kasan.h:200 [inline]
slab_free_hook mm/slub.c:1759 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785
slab_free mm/slub.c:3539 [inline]
kfree+0xe2/0x580 mm/slub.c:4567
tcp_disconnect+0x980/0x1e20 net/ipv4/tcp.c:3145
__mptcp_close_ssk+0x5ca/0x7e0 net/mptcp/protocol.c:2327
mptcp_do_fastclose net/mptcp/protocol.c:2592 [inline]
mptcp_worker+0x78c/0xff0 net/mptcp/protocol.c:2627
process_one_work+0x991/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Allocated by task 3671:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
____kasan_kmalloc mm/kasan/common.c:516 [inline]
____kasan_kmalloc mm/kasan/common.c:475 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
kmalloc_array include/linux/slab.h:640 [inline]
kcalloc include/linux/slab.h:671 [inline]
tcp_cdg_init+0x10d/0x170 net/ipv4/tcp_cdg.c:380
tcp_init_congestion_control+0xab/0x550 net/ipv4/tcp_cong.c:193
tcp_reinit_congestion_control net/ipv4/tcp_cong.c:217 [inline]
tcp_set_congestion_control+0x96c/0xaa0 net/ipv4/tcp_cong.c:391
do_tcp_setsockopt+0x505/0x2320 net/ipv4/tcp.c:3513
tcp_setsockopt+0xd4/0x100 net/ipv4/tcp.c:3801
mptcp_setsockopt+0x35f/0x2570 net/mptcp/sockopt.c:844
__sys_setsockopt+0x2d6/0x690 net/socket.c:2252
__do_sys_setsockopt net/socket.c:2263 [inline]
__se_sys_setsockopt net/socket.c:2260 [inline]
__x64_sys_setsockopt+0xba/0x150 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 16:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:367 [inline]
____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329
kasan_slab_free include/linux/kasan.h:200 [inline]
slab_free_hook mm/slub.c:1759 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785
slab_free mm/slub.c:3539 [inline]
kfree+0xe2/0x580 mm/slub.c:4567
tcp_cleanup_congestion_control+0x70/0x120 net/ipv4/tcp_cong.c:226
tcp_v4_destroy_sock+0xdd/0x750 net/ipv4/tcp_ipv4.c:2254
tcp_v6_destroy_sock+0x11/0x20 net/ipv6/tcp_ipv6.c:1969
inet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1157
tcp_done+0x23b/0x340 net/ipv4/tcp.c:4649
tcp_rcv_state_process+0x40e7/0x4990 net/ipv4/tcp_input.c:6624
tcp_v6_do_rcv+0x3fc/0x13c0 net/ipv6/tcp_ipv6.c:1525
tcp_v6_rcv+0x2e8e/0x3830 net/ipv6/tcp_ipv6.c:1759
ip6_protocol_deliver_rcu+0x2db/0x1950 net/ipv6/ip6_input.c:439
ip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:484
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:493
dst_input include/net/dst.h:455 [inline]
ip6_rcv_finish+0x193/0x2c0 net/ipv6/ip6_input.c:79
ip_sabotage_in net/bridge/br_netfilter_hooks.c:874 [inline]
ip_sabotage_in+0x1fa/0x260 net/bridge/br_netfilter_hooks.c:865
nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
nf_hook_slow+0xc5/0x1f0 net/netfilter/core.c:614
nf_hook.constprop.0+0x3ac/0x650 include/linux/netfilter.h:257
NF_HOOK include/linux/netfilter.h:300 [inline]
ipv6_rcv+0x9e/0x380 net/ipv6/ip6_input.c:309
__netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5485
__netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599
netif_receive_skb_internal net/core/dev.c:5685 [inline]
netif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
br_pass_frame_up+0x303/0x410 net/bridge/br_input.c:68
br_handle_frame_finish+0x909/0x1aa0 net/bridge/br_input.c:199
br_nf_hook_thresh+0x2f8/0x3d0 net/bridge/br_netfilter_hooks.c:1041
br_nf_pre_routing_finish_ipv6+0x695/0xef0 net/bridge/br_netfilter_ipv6.c:207
NF_HOOK include/linux/netfilter.h:302 [inline]
br_nf_pre_routing_ipv6+0x417/0x7c0 net/bridge/br_netfilter_ipv6.c:237
br_nf_pre_routing+0x1496/0x1fe0 net/bridge/br_netfilter_hooks.c:507
nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:255 [inline]
br_handle_frame+0x9c9/0x12d0 net/bridge/br_input.c:399
__netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379
__netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483
__netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599
process_backlog+0x3a0/0x7c0 net/core/dev.c:5927
__napi_poll+0xb3/0x6d0 net/core/dev.c:6494
napi_poll net/core/dev.c:6561 [inline]
net_rx_action+0x9c1/0xd90 net/core/dev.c:6672
__do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
Fixes: 2b0a8c9eee81 ("tcp: add CDG congestion control")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_cdg.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/ipv4/tcp_cdg.c
+++ b/net/ipv4/tcp_cdg.c
@@ -382,6 +382,7 @@ static void tcp_cdg_init(struct sock *sk
struct cdg *ca = inet_csk_ca(sk);
struct tcp_sock *tp = tcp_sk(sk);
+ ca->gradients = NULL;
/* We silently fall back to window = 1 if allocation fails. */
if (window > 1)
ca->gradients = kcalloc(window, sizeof(ca->gradients[0]),
@@ -395,6 +396,7 @@ static void tcp_cdg_release(struct sock
struct cdg *ca = inet_csk_ca(sk);
kfree(ca->gradients);
+ ca->gradients = NULL;
}
struct tcp_congestion_ops tcp_cdg __read_mostly = {
next prev parent reply other threads:[~2022-11-23 8:57 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-23 8:49 [PATCH 4.9 00/76] 4.9.334-rc1 review Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 01/76] HID: hyperv: fix possible memory leak in mousevsc_probe() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 02/76] net: gso: fix panic on frag_list with mixed head alloc types Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 03/76] bnxt_en: fix potentially incorrect return value for ndo_rx_flow_steer Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 04/76] net: fman: Unregister ethernet device on removal Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 05/76] capabilities: fix undefined behavior in bit shift for CAP_TO_MASK Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 06/76] net: lapbether: fix issue of dev reference count leakage in lapbeth_device_event() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 07/76] hamradio: fix issue of dev reference count leakage in bpq_device_event() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 08/76] ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network Greg Kroah-Hartman
2022-11-23 8:54 ` syzbot
2022-11-23 8:50 ` [PATCH 4.9 09/76] tipc: fix the msg->req tlv len check in tipc_nl_compat_name_table_dump_header Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 10/76] dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 11/76] drivers: net: xgene: disable napi when register irq failed in xgene_enet_open() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 12/76] net: cxgb3_main: disable napi when bind qsets failed in cxgb_up() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 13/76] ethernet: s2io: disable napi when start nic failed in s2io_card_up() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 14/76] net: mv643xx_eth: disable napi when init rxq or txq failed in mv643xx_eth_open() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 15/76] net: macvlan: fix memory leaks of macvlan_common_newlink Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 16/76] ALSA: hda: fix potential memleak in add_widget_node Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 17/76] ALSA: usb-audio: Add quirk entry for M-Audio Micro Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 18/76] nilfs2: fix deadlock in nilfs_count_free_blocks() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 19/76] platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 20/76] btrfs: selftests: fix wrong error check in btrfs_free_dummy_root() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 21/76] udf: Fix a slab-out-of-bounds write bug in udf_find_entry() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 22/76] cert host tools: Stop complaining about deprecated OpenSSL functions Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 23/76] dmaengine: at_hdmac: Fix at_lli struct definition Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 24/76] dmaengine: at_hdmac: Dont start transactions at tx_submit level Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 25/76] dmaengine: at_hdmac: Fix completion of unissued descriptor in case of errors Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 26/76] dmaengine: at_hdmac: Dont allow CPU to reorder channel enable Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 27/76] dmaengine: at_hdmac: Fix impossible condition Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 28/76] dmaengine: at_hdmac: Check return code of dma_async_device_register Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 29/76] x86/cpu: Restore AMDs DE_CFG MSR after resume Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 30/76] rtc: cmos: fix build on non-ACPI platforms Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 31/76] drm/imx: imx-tve: Fix return type of imx_tve_connector_mode_valid Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 32/76] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 33/76] ASoC: core: Fix use-after-free in snd_soc_exit() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 34/76] serial: 8250_omap: remove wait loop from Errata i202 workaround Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 35/76] serial: 8250: omap: Flush PM QOS work on remove Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 36/76] tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 37/76] ASoC: soc-utils: Remove __exit for snd_soc_util_exit() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 38/76] parport_pc: Avoid FIFO port location truncation Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 39/76] pinctrl: devicetree: fix null pointer dereferencing in pinctrl_dt_to_map Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 40/76] mISDN: fix possible memory leak in mISDN_dsp_element_register() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 41/76] mISDN: fix misuse of put_device() in mISDN_register_device() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 42/76] net: caif: fix double disconnect client in chnl_net_open() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 43/76] xen/pcpu: fix possible memory leak in register_pcpu() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 44/76] net/x25: Fix skb leak in x25_lapb_receive_frame() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 45/76] cifs: Fix wrong return value checking when GETFLAGS Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 46/76] ftrace: Fix the possible incorrect kernel message Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 47/76] ftrace: Optimize the allocation for mcount entries Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 48/76] ring_buffer: Do not deactivate non-existant pages Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 49/76] ALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 50/76] USB: serial: option: add Sierra Wireless EM9191 Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 51/76] USB: serial: option: remove old LARA-R6 PID Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 52/76] USB: serial: option: add u-blox LARA-R6 00B modem Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 53/76] USB: serial: option: add u-blox LARA-L6 modem Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 54/76] USB: serial: option: add Fibocom FM160 0x0111 composition Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 55/76] usb: add NO_LPM quirk for Realforce 87U Keyboard Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 56/76] usb: chipidea: fix deadlock in ci_otg_del_timer Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 57/76] iio: adc: at91_adc: fix possible memory leak in at91_adc_allocate_trigger() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 58/76] iio: trigger: sysfs: fix possible memory leak in iio_sysfs_trig_init() Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 59/76] iio: pressure: ms5611: changed hardcoded SPI speed to value limited Greg Kroah-Hartman
2022-11-23 8:50 ` [PATCH 4.9 60/76] dm ioctl: fix misbehavior if list_versions races with module loading Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 61/76] serial: 8250: Fall back to non-DMA Rx if IIR_RDI occurs Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 62/76] serial: 8250_lpss: Configure DMA also w/o DMA filter Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 63/76] mmc: core: properly select voltage range without power cycle Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 64/76] misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 65/76] nilfs2: fix use-after-free bug of ns_writer on remount Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 66/76] serial: 8250: Flush DMA Rx on RLSI Greg Kroah-Hartman
2022-11-23 8:51 ` Greg Kroah-Hartman [this message]
2022-11-23 8:51 ` [PATCH 4.9 68/76] kcm: avoid potential race in kcm_tx_work Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 69/76] 9p: trans_fd/p9_conn_cancel: drop client lock earlier Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 70/76] gfs2: Check sb_bsize_shift after reading superblock Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 71/76] gfs2: Switch from strlcpy to strscpy Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 72/76] 9p/trans_fd: always use O_NONBLOCK read/write Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 73/76] mm: fs: initialize fsdata passed to write_begin/write_end interface Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 74/76] ntfs: fix use-after-free in ntfs_attr_find() Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 75/76] ntfs: fix out-of-bounds read " Greg Kroah-Hartman
2022-11-23 8:51 ` [PATCH 4.9 76/76] ntfs: check overflow when iterating ATTR_RECORDs Greg Kroah-Hartman
2022-11-23 11:14 ` [PATCH 4.9 00/76] 4.9.334-rc1 review Pavel Machek
2022-11-23 11:47 ` Pavel Machek
2022-11-24 2:35 ` Guenter Roeck
2022-11-24 13:01 ` Naresh Kamboju
2022-11-28 21:55 ` Florian Fainelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221123084548.946954769@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).