From patchwork Mon Jul 17 17:23:54 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cong Wang X-Patchwork-Id: 789641 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3xB9Br1dq1z9sBR for ; Tue, 18 Jul 2017 03:24:20 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="KomYSCeX"; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751385AbdGQRYR (ORCPT ); Mon, 17 Jul 2017 13:24:17 -0400 Received: from mail-wm0-f51.google.com ([74.125.82.51]:35278 "EHLO mail-wm0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751291AbdGQRYQ (ORCPT ); Mon, 17 Jul 2017 13:24:16 -0400 Received: by mail-wm0-f51.google.com with SMTP id w126so82712840wme.0 for ; Mon, 17 Jul 2017 10:24:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Ir3ARXZWSw9DXwftbMWSXUUttIIYKYyes3A+g8l5Mzc=; b=KomYSCeXwOSMZWa9Qz/2PjiCHbRLRhsQeTiW2EoySGbJU+QKUs0xx8bx0qzUqc+SRI C4kADOZf6LWEvqknKbuwmkORswvjyHOsW8BIBbXWHdLVzy03v1c/lUaQ8ZewZBbi+jPV 8G/fgR4oVVPcMIRd6gdPv/jgzV3NA/VxnwUIzr/0vOk8eqEZl28o7cqzqENVVv8kyYys KMiWuni5ieidXHALuj3k2hltees3gpjSVUgASGu3yJi32rYTaQGjS7vxnObSbPVD0W2R Ut5pbUu6cuB6nKlkgQ8cgTOIEfI+M0BHFnbbEPFLL2C7sMWsbpuYJj1Va65AAAEYl1bZ ksMg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Ir3ARXZWSw9DXwftbMWSXUUttIIYKYyes3A+g8l5Mzc=; b=gX/Ni7kxOocuwdgdr207cfNc4jESPmW1pbBgfeZ3GzQWmQs+CfJSm57OoEFS1OQAVk mxAt7PkN9lw1cXtIYaSDpu7omP7HT3nRkYkSwxOHNOH7oIJXJebrgHVXo+RqPRJszDpb mRYqKS7kA1441lO1L4BsDwljUVGLnnJDXB9KvzDPtPB8nBf+jjDMWMlRrtEhkoqWh8Ot jQ/RZrc1U5TR9lrCsrNC5d/cwIQMy/AVaHk2FafptWxiMFohHUkRX2z9ebFsUXTMBd/T WbHockfYFTVQGsGcaNMx0KsTTqbaWDoMqwwJonH9i9/GyIVu5+7T5j3dTYFuaFo4cjqB xlEw== X-Gm-Message-State: AIVw111DV6AvYIMGoSaMVvYG73kyQJNPcBr+g9KWVsAVMs0KXD8GMfad k1fFgi1G0HZWrvTwnb715c9GuYp6GQ== X-Received: by 10.80.165.229 with SMTP id b34mr18405396edc.29.1500312255210; Mon, 17 Jul 2017 10:24:15 -0700 (PDT) MIME-Version: 1.0 Received: by 10.80.222.135 with HTTP; Mon, 17 Jul 2017 10:23:54 -0700 (PDT) In-Reply-To: <5d6eb001-2f2b-d9d4-5c5e-a0b22cd53f65@gmail.com> References: <5d6eb001-2f2b-d9d4-5c5e-a0b22cd53f65@gmail.com> From: Cong Wang Date: Mon, 17 Jul 2017 10:23:54 -0700 Message-ID: Subject: Re: BUG triggered in tcp_openreq_init_rwin most likely due to 13d3b1ebe2876 To: David Ahern Cc: Lawrence Brakmo , "netdev@vger.kernel.org" Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On Sun, Jul 16, 2017 at 4:47 PM, David Ahern wrote: > Hi: > > I am getting the following while testing IPv6 changes: > > [ 3904.250981] TCP: request_sock_TCPv6: Possible SYN flooding on port > 12345. Sending cookies. Check SNMP counters. > [ 3904.252862] > ================================================================== > [ 3904.254057] BUG: KASAN: null-ptr-deref in > tcp_openreq_init_rwin+0x1d5/0x2b4 > [ 3904.255113] Read of size 1 at addr 0000000000000012 by task vrf-test/1166 > [ 3904.256149] > [ 3904.256405] CPU: 0 PID: 1166 Comm: vrf-test Not tainted 4.12.0+ #307 > [ 3904.257373] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 > [ 3904.258899] Call Trace: > [ 3904.259291] > [ 3904.259629] dump_stack+0x81/0xb6 > [ 3904.260167] kasan_report+0x234/0x269 > [ 3904.260688] __asan_load1+0x45/0x47 > [ 3904.261176] tcp_openreq_init_rwin+0x1d5/0x2b4 > [ 3904.261811] tcp_conn_request+0xb1e/0xe11 > [ 3904.262448] tcp_v6_conn_request+0x72/0x85 > [ 3904.263010] ? tcp_v6_conn_request+0x72/0x85 > [ 3904.263605] tcp_rcv_state_process+0xe6/0x1243 > [ 3904.264236] ? lock_release+0x27f/0x444 > [ 3904.264793] tcp_v6_do_rcv+0x321/0x559 > [ 3904.265316] ? tcp_v6_do_rcv+0x321/0x559 > [ 3904.265858] ? tcp_filter+0x82/0x95 > [ 3904.266357] tcp_v6_rcv+0x6c7/0xb33 > [ 3904.266886] ip6_input_finish+0x1de/0x5ca > [ 3904.267471] ip6_input+0x66/0x6c > > > This is enough to prevent the problem the crash which suggest the recent > bpf sock_ops is the culprit: > > diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c > index 0ff83c1637d8..88904882b4ad 100644 > --- a/net/ipv4/tcp_minisocks.c > +++ b/net/ipv4/tcp_minisocks.c > @@ -364,7 +364,7 @@ void tcp_openreq_init_rwin(struct request_sock *req, > (req->rsk_window_clamp > full_space || req->rsk_window_clamp > == 0)) > req->rsk_window_clamp = full_space; > > - rcv_wnd = tcp_rwnd_init_bpf((struct sock *)req); > + rcv_wnd = 0; // tcp_rwnd_init_bpf((struct sock *)req); > if (rcv_wnd == 0) > rcv_wnd = dst_metric(dst, RTAX_INITRWND); > else if (full_space < rcv_wnd * mss) I bet req->rsk_listener is NULL, I guess we need the following fix: Tested-by: David Ahern diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h index 360c082e885c..d41d40ac3efd 100644 --- a/include/linux/bpf-cgroup.h +++ b/include/linux/bpf-cgroup.h @@ -85,7 +85,7 @@ int __cgroup_bpf_run_filter_sock_ops(struct sock *sk, int __ret = 0; \ if (cgroup_bpf_enabled && (sock_ops)->sk) { \ typeof(sk) __sk = sk_to_full_sk((sock_ops)->sk); \ - if (sk_fullsock(__sk)) \ + if (__sk && sk_fullsock(__sk)) \ __ret = __cgroup_bpf_run_filter_sock_ops(__sk, \ sock_ops, \ BPF_CGROUP_SOCK_OPS); \