From: Christoph Paasch
To: mptcp Upstreaming
Date: Fri, 06 Mar 2020 15:08:50 -0800
Subject: [MPTCP] BUG: KASAN: slab-out-of-bounds in subflow_ulp_init+0xa6/0x190
Message-id: <20200306230850.GQ33310@MacBook-Pro-64.local>
List-Id: Discussions regarding MPTCP upstreaming

Hello,

I wanted to do some testing on netnext so I did a little hack to force-enable MPTCP without the need for the app to use IPPROTO_MPTCP:

Now, when I boot I panic right away because sshd binds a socket:

[   14.759548] ==================================================================
[   14.760746] BUG: KASAN: slab-out-of-bounds in subflow_ulp_init+0xa6/0x190
[   14.762025] Write of size 1 at addr ffff888114e40f04 by task sshd/1229
[   14.763222]
[   14.763506] CPU: 3 PID: 1229 Comm: sshd Not tainted 5.6.0-rc3.mptcp #67
[   14.764546] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[   14.766340] Call Trace:
[   14.766716]  dump_stack+0x76/0xa0
[   14.767302]  print_address_description.constprop.0+0x36/0x50
[   14.768309]  ? subflow_ulp_init+0xa6/0x190
[   14.768916]  __kasan_report.cold+0x1c/0x3f
[   14.769805]  ? subflow_ulp_init+0xa6/0x190
[   14.770450]  ? subflow_ulp_init+0xa6/0x190
[   14.771014]  kasan_report+0xe/0x20
[   14.771537]  subflow_ulp_init+0xa6/0x190
[   14.772095]  tcp_set_ulp+0xeb/0x180
[   14.772605]  mptcp_subflow_create_socket+0x178/0x260
[   14.773337]  ? mptcpv6_handle_mapped+0x90/0x90
[   14.773965]  ? __kasan_kmalloc.constprop.0+0xc2/0xd0
[   14.774687]  ? __might_sleep+0x2c/0xc0
[   14.775448]  ? mptcp_release_cb+0x3b/0x110
[   14.776030]  __mptcp_socket_create+0x11c/0x1e0
[   14.776685]  ? _raw_spin_lock_bh+0x80/0xd0
[   14.777282]  ? mptcp_shutdown+0x150/0x150
[   14.778136]  ? __might_sleep+0x2c/0xc0
[   14.778912]  ? ___might_sleep+0xb5/0xd0
[   14.779687]  mptcp_bind+0x3a/0xc0
[   14.780350]  __sys_bind+0x13b/0x160
[   14.780886]  ? __x64_sys_socketpair+0x60/0x60
[   14.781565]  ? __sys_setsockopt+0x15b/0x170
[   14.782211]  ? __x64_sys_fcntl+0x76c/0x890
[   14.782870]  ? kernel_accept+0x140/0x140
[   14.783493]  ? f_getown+0x70/0x70
[   14.784017]  ? __sys_socket+0xf0/0x160
[   14.784614]  ? move_addr_to_kernel+0x20/0x20
[   14.785212]  __x64_sys_bind+0x39/0x40
[   14.785732]  do_syscall_64+0xbc/0x790
[   14.786247]  ? syscall_return_slowpath+0x320/0x320
[   14.786924]  ? up_read+0x10/0x70
[   14.787400]  ? do_page_fault+0x447/0x5ef
[   14.787960]  ? fpregs_assert_state_consistent+0x4d/0x60
[   14.788690]  ? prepare_exit_to_usermode+0xab/0x1c0
[   14.789391]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   14.790281] RIP: 0033:0x7f420ce3e497
[   14.790927] Code: ff ff ff ff c3 48 8b 15 f7 09 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb ba 66 2e 0f 1f 84 00 00 00 00 00 90 b8 31 008
[   14.793565] RSP: 002b:00007ffed3aab688 EFLAGS: 00000206 ORIG_RAX: 0000000000000031
[   14.793574] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f420ce3e497
[   14.793575] RDX: 0000000000000010 RSI: 0000559b2d76c720 RDI: 0000000000000003
[   14.793576] RBP: 00007ffed3aaba70 R08: 0000000000000004 R09: 00007ffed3aaad76
[   14.793577] R10: 00007ffed3aab664 R11: 0000000000000206 R12: 00007ffed3aabb70
[   14.793579] R13: 0000559b2d76f410 R14: 0000559b2d76c6f0 R15: 0000559b2d57c5c0
[   14.793581]
[   14.793586] Allocated by task 0:
[   14.793586] (stack is not available)
[   14.793587]
[   14.793590] Freed by task 0:
[   14.793590] (stack is not available)
[   14.793591]
[   14.793593] The buggy address belongs to the object at ffff888114e40d00
[   14.793593]  which belongs to the cache MPTCP of size 1480
[   14.793594] The buggy address is located 516 bytes inside of
[   14.793594]  1480-byte region [ffff888114e40d00, ffff888114e412c8)
[   14.793595] The buggy address belongs to the page:
[   14.793602] page:ffffea0004539000 refcount:1 mapcount:0 mapping:ffff88811a645cc0 index:0x0 compound_mapcount: 0
[   14.793609] flags: 0x8000000000010200(slab|head)
[   14.809675] raw: 8000000000010200 dead000000000100 dead000000000122 ffff88811a645cc0
[   14.809677] raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
[   14.809678] page dumped because: kasan: bad access detected
[   14.809679]
[   14.809679] Memory state around the buggy address:
[   14.809682]  ffff888114e40e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.809683]  ffff888114e40e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.809685] >ffff888114e40f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.809686]                    ^
[   14.809687]  ffff888114e40f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.809689]  ffff888114e41000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.809689] ==================================================================

Do you think this is just due to me forcing IPPROTO_MPTCP?

Christoph

diff --git a/net/socket.c b/net/socket.c
index b79a05de7c6e..56c656b4f867 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1374,6 +1374,9 @@ int __sock_create(struct net *net, int family, int type, int protocol, if (type < 0 || type >= SOCK_MAX) return -EINVAL; + if (protocol == IPPROTO_TCP && type == SOCK_STREAM && (family == AF_INET || family == AF_INET6)) + protocol = IPPROTO_MPTCP; + /* Compatibility. This uglymoron is moved from INET layer to here to avoid
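Review bot: the added condition in this hunk does not distinguish user socket creation from kernel-internal creation, and that is the likely cause of the report above rather than MPTCP itself. sock_create_kern() also goes through __sock_create(), so the subflow socket that mptcp_subflow_create_socket() requests with SOCK_STREAM and IPPROTO_TCP is rewritten to IPPROTO_MPTCP as well; the trace then shows subflow_ulp_init() (via tcp_set_ulp() from mptcp_subflow_create_socket()) writing into an object from the "MPTCP" cache, i.e. the subflow ULP is being attached to an MPTCP socket rather than to the TCP socket it assumes. Gating the rewrite on the kern argument of __sock_create() (cut off in the hunk header, it is the parameter after `struct socket **res`) would limit it to sockets created from user space, e.g. `if (!kern && protocol == IPPROTO_TCP && type == SOCK_STREAM && ...)`. Even then the hack applies to every process in every network namespace, so it is a test-only change and should say so in a comment.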