From patchwork Tue May 15 04:14:26 2018
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 913418
X-Patchwork-Delegate: davem@davemloft.net
From: Eric Dumazet
To: "David S . Miller"
Cc: netdev, Eric Dumazet, Eric Dumazet, Yuchung Cheng, Neal Cardwell
Subject: [PATCH net] tcp: purge write queue in tcp_connect_init()
Date: Mon, 14 May 2018 21:14:26 -0700
Message-Id: <20180515041426.94062-1-edumazet@google.com>
X-Mailing-List: netdev@vger.kernel.org

syzkaller found a reliable way to crash the host, hitting a BUG()
in __tcp_retransmit_skb()

Malicious MSG_FASTOPEN is the root cause.

We need to purge the write queue in tcp_connect_init() at the point
we init snd_una/write_seq.

This patch also replaces the BUG() by a less intrusive WARN_ON_ONCE()

kernel BUG at net/ipv4/tcp_output.c:2837!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 5276 Comm: syz-executor0 Not tainted 4.17.0-rc3+ #51
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__tcp_retransmit_skb+0x2992/0x2eb0 net/ipv4/tcp_output.c:2837
RSP: 0000:ffff8801dae06ff8 EFLAGS: 00010206
RAX: ffff8801b9fe61c0 RBX: 00000000ffc18a16 RCX: ffffffff864e1a49
RDX: 0000000000000100 RSI: ffffffff864e2e12 RDI: 0000000000000005
RBP: ffff8801dae073a0 R08: ffff8801b9fe61c0 R09: ffffed0039c40dd2
R10: ffffed0039c40dd2 R11: ffff8801ce206e93 R12: 00000000421eeaad
R13: ffff8801ce206d4e R14: ffff8801ce206cc0 R15: ffff8801cd4f4a80
FS:  0000000000000000(0000) GS:ffff8801dae00000(0063) knlGS:00000000096bc900
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020000000 CR3: 00000001c47b6000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tcp_retransmit_skb+0x2e/0x250 net/ipv4/tcp_output.c:2923
 tcp_retransmit_timer+0xc50/0x3060 net/ipv4/tcp_timer.c:488
 tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
tcp_write_timer+0x111/0x1d0 net/ipv4/tcp_timer.c:593 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326 expire_timers kernel/time/timer.c:1363 [inline] __run_timers+0x79e/0xc50 kernel/time/timer.c:1666 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285 invoke_softirq kernel/softirq.c:365 [inline] irq_exit+0x1d1/0x200 kernel/softirq.c:405 exiting_irq arch/x86/include/asm/apic.h:525 [inline] smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863 Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)") Signed-off-by: Eric Dumazet Cc: Yuchung Cheng Cc: Neal Cardwell Reported-by: syzbot Acked-by: Neal Cardwell --- net/ipv4/tcp_output.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 383cac0ff0ec059ca7dbc1a6304cc7f8183e008d..d07e34f8e3091144976358674b92458076f92bfb 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -2833,8 +2833,10 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs) return -EBUSY; if (before(TCP_SKB_CB(skb)->seq, tp->snd_una)) { - if (before(TCP_SKB_CB(skb)->end_seq, tp->snd_una)) - BUG(); + if (unlikely(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) { + WARN_ON_ONCE(1); + return -EINVAL; + } if (tcp_trim_head(sk, skb, tp->snd_una - TCP_SKB_CB(skb)->seq)) return -ENOMEM; } @@ -3342,6 +3344,7 @@ static void tcp_connect_init(struct sock *sk) sock_reset_flag(sk, SOCK_DONE); tp->snd_wnd = 0; tcp_init_wl(tp, 0); + tcp_write_queue_purge(sk); tp->snd_una = tp->write_seq; tp->snd_sml = tp->write_seq; tp->snd_up = tp->write_seq;
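Review bot: turning the BUG() in __tcp_retransmit_skb() into WARN_ON_ONCE(1) plus return -EINVAL makes a fully-acked skb a soft failure, so every caller now has to cope with -EINVAL for an skb that stays on the queue; the retransmit timer path in the trace (tcp_retransmit_timer, tcp_retransmit_skb) is the one to check so it does not re-arm and hit the same skb on every expiry. A short comment above the WARN_ON_ONCE() saying that reaching it means a stale skb survived past the sequence reset (what the tcp_connect_init() hunk prevents) would tell the next reader why this is a warning rather than a BUG().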
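Review bot: tcp_write_queue_purge(sk) is placed immediately before snd_una, snd_sml and snd_up are reloaded from write_seq, which is the right order, but nothing in the hunk records why a purge is needed here; a one-line comment citing the MSG_FASTOPEN case from the commit message would stop it looking redundant to a later cleanup. It is also worth stating in the commit message that no Fast Open payload for the current connect is expected to be on the write queue at this point, since the purge would discard it.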
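The failure the commit message describes, as an added C model that is not kernel code: before() has the kernel's wrap-safe definition, while sock_model, check_retransmit(), connect_init() and stale_after_reconnect() are constructed stand-ins for the socket state, the patched __tcp_retransmit_skb() check, tcp_connect_init() with and without the purge, and a sendmsg() that queued data before the connect; the sequence numbers are made up.

```c
#include <stdint.h>

/* Added model, not kernel code: the sequence-space check from the patched
 * __tcp_retransmit_skb() and the tcp_connect_init() purge, side by side. */

static int before(uint32_t seq1, uint32_t seq2)	/* kernel before(): wrap-safe */
{
	return (int32_t)(seq1 - seq2) < 0;
}

struct skb { uint32_t seq, end_seq; };
struct sock_model { uint32_t snd_una, write_seq; struct skb wq[4]; int nskb; };

#define RETRANS_STALE (-22)	/* -EINVAL, what the patched hunk returns */

/* Patched check: a fully-acked skb is rejected instead of hitting BUG(); a
 * partially-acked one is trimmed to start at snd_una. Returns 0 if sendable. */
int check_retransmit(const struct sock_model *s, struct skb *skb)
{
	if (before(skb->seq, s->snd_una)) {
		if (before(skb->end_seq, s->snd_una))
			return RETRANS_STALE;
		skb->seq = s->snd_una;	/* tcp_trim_head() analogue */
	}
	return 0;
}

/* tcp_connect_init() analogue; purge=1 is the patched behaviour. */
void connect_init(struct sock_model *s, uint32_t new_write_seq, int purge)
{
	if (purge)
		s->nskb = 0;	/* tcp_write_queue_purge() analogue */
	s->write_seq = new_write_seq;
	s->snd_una = s->write_seq;
}

/* Commit-message scenario: an skb queued by an earlier attempt survives into a
 * new connect. Returns RETRANS_STALE without the purge, 0 once it is applied. */
int stale_after_reconnect(int purge)
{
	struct sock_model s = { .write_seq = 1000 };	/* constructed numbers */

	s.wq[0].seq = s.write_seq;	/* 1000..1100, queued before the connect */
	s.wq[0].end_seq = s.write_seq + 100;
	s.nskb = 1;
	connect_init(&s, 5000, purge);
	return s.nskb ? check_retransmit(&s, &s.wq[0]) : 0;
}
```

Without the purge the stale skb is exactly the case the old code answered with BUG(); with it the queue is empty before snd_una is reset, so the retransmit timer never sees it.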