mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	 a8d7aa17bb
			
		
	
	
		a8d7aa17bb
		
	
	
	
	
		
			
			syzbot reported a crash in tasklet_action_common() caused by dccp.
dccp needs to make sure socket wont disappear before tasklet handler
has completed.
This patch takes a reference on the socket when arming the tasklet,
and moves the sock_put() from dccp_write_xmit_timer() to dccp_write_xmitlet()
kernel BUG at kernel/softirq.c:514!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 4.17.0-rc3+ #30
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tasklet_action_common.isra.19+0x6db/0x700 kernel/softirq.c:515
RSP: 0018:ffff8801d9b3faf8 EFLAGS: 00010246
dccp_close: ABORT with 65423 bytes unread
RAX: 1ffff1003b367f6b RBX: ffff8801daf1f3f0 RCX: 0000000000000000
RDX: ffff8801cf895498 RSI: 0000000000000004 RDI: 0000000000000000
RBP: ffff8801d9b3fc40 R08: ffffed0039f12a95 R09: ffffed0039f12a94
dccp_close: ABORT with 65423 bytes unread
R10: ffffed0039f12a94 R11: ffff8801cf8954a3 R12: 0000000000000000
R13: ffff8801d9b3fc18 R14: dffffc0000000000 R15: ffff8801cf895490
FS:  0000000000000000(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2bc28000 CR3: 00000001a08a9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tasklet_action+0x1d/0x20 kernel/softirq.c:533
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
dccp_close: ABORT with 65423 bytes unread
 run_ksoftirqd+0x86/0x100 kernel/softirq.c:646
 smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Code: 48 8b 85 e8 fe ff ff 48 8b 95 f0 fe ff ff e9 94 fb ff ff 48 89 95 f0 fe ff ff e8 81 53 6e 00 48 8b 95 f0 fe ff ff e9 62 fb ff ff <0f> 0b 48 89 cf 48 89 8d e8 fe ff ff e8 64 53 6e 00 48 8b 8d e8
RIP: tasklet_action_common.isra.19+0x6db/0x700 kernel/softirq.c:515 RSP: ffff8801d9b3faf8
Fixes: dc841e30ea ("dccp: Extend CCID packet dequeueing interface")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Cc: dccp@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
		
	
			
		
			
				
	
	
		
			276 lines
		
	
	
		
			7.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			276 lines
		
	
	
		
			7.3 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  *  net/dccp/timer.c
 | |
|  *
 | |
|  *  An implementation of the DCCP protocol
 | |
|  *  Arnaldo Carvalho de Melo <acme@conectiva.com.br>
 | |
|  *
 | |
|  *	This program is free software; you can redistribute it and/or
 | |
|  *	modify it under the terms of the GNU General Public License
 | |
|  *	as published by the Free Software Foundation; either version
 | |
|  *	2 of the License, or (at your option) any later version.
 | |
|  */
 | |
| 
 | |
| #include <linux/dccp.h>
 | |
| #include <linux/skbuff.h>
 | |
| #include <linux/export.h>
 | |
| 
 | |
| #include "dccp.h"
 | |
| 
 | |
| /* sysctl variables governing numbers of retransmission attempts */
 | |
| int  sysctl_dccp_request_retries	__read_mostly = TCP_SYN_RETRIES;
 | |
| int  sysctl_dccp_retries1		__read_mostly = TCP_RETR1;
 | |
| int  sysctl_dccp_retries2		__read_mostly = TCP_RETR2;
 | |
| 
 | |
| static void dccp_write_err(struct sock *sk)
 | |
| {
 | |
| 	sk->sk_err = sk->sk_err_soft ? : ETIMEDOUT;
 | |
| 	sk->sk_error_report(sk);
 | |
| 
 | |
| 	dccp_send_reset(sk, DCCP_RESET_CODE_ABORTED);
 | |
| 	dccp_done(sk);
 | |
| 	__DCCP_INC_STATS(DCCP_MIB_ABORTONTIMEOUT);
 | |
| }
 | |
| 
 | |
| /* A write timeout has occurred. Process the after effects. */
 | |
| static int dccp_write_timeout(struct sock *sk)
 | |
| {
 | |
| 	const struct inet_connection_sock *icsk = inet_csk(sk);
 | |
| 	int retry_until;
 | |
| 
 | |
| 	if (sk->sk_state == DCCP_REQUESTING || sk->sk_state == DCCP_PARTOPEN) {
 | |
| 		if (icsk->icsk_retransmits != 0)
 | |
| 			dst_negative_advice(sk);
 | |
| 		retry_until = icsk->icsk_syn_retries ?
 | |
| 			    : sysctl_dccp_request_retries;
 | |
| 	} else {
 | |
| 		if (icsk->icsk_retransmits >= sysctl_dccp_retries1) {
 | |
| 			/* NOTE. draft-ietf-tcpimpl-pmtud-01.txt requires pmtu
 | |
| 			   black hole detection. :-(
 | |
| 
 | |
| 			   It is place to make it. It is not made. I do not want
 | |
| 			   to make it. It is disguisting. It does not work in any
 | |
| 			   case. Let me to cite the same draft, which requires for
 | |
| 			   us to implement this:
 | |
| 
 | |
|    "The one security concern raised by this memo is that ICMP black holes
 | |
|    are often caused by over-zealous security administrators who block
 | |
|    all ICMP messages.  It is vitally important that those who design and
 | |
|    deploy security systems understand the impact of strict filtering on
 | |
|    upper-layer protocols.  The safest web site in the world is worthless
 | |
|    if most TCP implementations cannot transfer data from it.  It would
 | |
|    be far nicer to have all of the black holes fixed rather than fixing
 | |
|    all of the TCP implementations."
 | |
| 
 | |
| 			   Golden words :-).
 | |
| 		   */
 | |
| 
 | |
| 			dst_negative_advice(sk);
 | |
| 		}
 | |
| 
 | |
| 		retry_until = sysctl_dccp_retries2;
 | |
| 		/*
 | |
| 		 * FIXME: see tcp_write_timout and tcp_out_of_resources
 | |
| 		 */
 | |
| 	}
 | |
| 
 | |
| 	if (icsk->icsk_retransmits >= retry_until) {
 | |
| 		/* Has it gone just too far? */
 | |
| 		dccp_write_err(sk);
 | |
| 		return 1;
 | |
| 	}
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| /*
 | |
|  *	The DCCP retransmit timer.
 | |
|  */
 | |
| static void dccp_retransmit_timer(struct sock *sk)
 | |
| {
 | |
| 	struct inet_connection_sock *icsk = inet_csk(sk);
 | |
| 
 | |
| 	/*
 | |
| 	 * More than than 4MSL (8 minutes) has passed, a RESET(aborted) was
 | |
| 	 * sent, no need to retransmit, this sock is dead.
 | |
| 	 */
 | |
| 	if (dccp_write_timeout(sk))
 | |
| 		return;
 | |
| 
 | |
| 	/*
 | |
| 	 * We want to know the number of packets retransmitted, not the
 | |
| 	 * total number of retransmissions of clones of original packets.
 | |
| 	 */
 | |
| 	if (icsk->icsk_retransmits == 0)
 | |
| 		__DCCP_INC_STATS(DCCP_MIB_TIMEOUTS);
 | |
| 
 | |
| 	if (dccp_retransmit_skb(sk) != 0) {
 | |
| 		/*
 | |
| 		 * Retransmission failed because of local congestion,
 | |
| 		 * do not backoff.
 | |
| 		 */
 | |
| 		if (--icsk->icsk_retransmits == 0)
 | |
| 			icsk->icsk_retransmits = 1;
 | |
| 		inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
 | |
| 					  min(icsk->icsk_rto,
 | |
| 					      TCP_RESOURCE_PROBE_INTERVAL),
 | |
| 					  DCCP_RTO_MAX);
 | |
| 		return;
 | |
| 	}
 | |
| 
 | |
| 	icsk->icsk_backoff++;
 | |
| 
 | |
| 	icsk->icsk_rto = min(icsk->icsk_rto << 1, DCCP_RTO_MAX);
 | |
| 	inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, icsk->icsk_rto,
 | |
| 				  DCCP_RTO_MAX);
 | |
| 	if (icsk->icsk_retransmits > sysctl_dccp_retries1)
 | |
| 		__sk_dst_reset(sk);
 | |
| }
 | |
| 
 | |
| static void dccp_write_timer(struct timer_list *t)
 | |
| {
 | |
| 	struct inet_connection_sock *icsk =
 | |
| 			from_timer(icsk, t, icsk_retransmit_timer);
 | |
| 	struct sock *sk = &icsk->icsk_inet.sk;
 | |
| 	int event = 0;
 | |
| 
 | |
| 	bh_lock_sock(sk);
 | |
| 	if (sock_owned_by_user(sk)) {
 | |
| 		/* Try again later */
 | |
| 		sk_reset_timer(sk, &icsk->icsk_retransmit_timer,
 | |
| 			       jiffies + (HZ / 20));
 | |
| 		goto out;
 | |
| 	}
 | |
| 
 | |
| 	if (sk->sk_state == DCCP_CLOSED || !icsk->icsk_pending)
 | |
| 		goto out;
 | |
| 
 | |
| 	if (time_after(icsk->icsk_timeout, jiffies)) {
 | |
| 		sk_reset_timer(sk, &icsk->icsk_retransmit_timer,
 | |
| 			       icsk->icsk_timeout);
 | |
| 		goto out;
 | |
| 	}
 | |
| 
 | |
| 	event = icsk->icsk_pending;
 | |
| 	icsk->icsk_pending = 0;
 | |
| 
 | |
| 	switch (event) {
 | |
| 	case ICSK_TIME_RETRANS:
 | |
| 		dccp_retransmit_timer(sk);
 | |
| 		break;
 | |
| 	}
 | |
| out:
 | |
| 	bh_unlock_sock(sk);
 | |
| 	sock_put(sk);
 | |
| }
 | |
| 
 | |
| static void dccp_keepalive_timer(struct timer_list *t)
 | |
| {
 | |
| 	struct sock *sk = from_timer(sk, t, sk_timer);
 | |
| 
 | |
| 	pr_err("dccp should not use a keepalive timer !\n");
 | |
| 	sock_put(sk);
 | |
| }
 | |
| 
 | |
| /* This is the same as tcp_delack_timer, sans prequeue & mem_reclaim stuff */
 | |
| static void dccp_delack_timer(struct timer_list *t)
 | |
| {
 | |
| 	struct inet_connection_sock *icsk =
 | |
| 			from_timer(icsk, t, icsk_delack_timer);
 | |
| 	struct sock *sk = &icsk->icsk_inet.sk;
 | |
| 
 | |
| 	bh_lock_sock(sk);
 | |
| 	if (sock_owned_by_user(sk)) {
 | |
| 		/* Try again later. */
 | |
| 		icsk->icsk_ack.blocked = 1;
 | |
| 		__NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKLOCKED);
 | |
| 		sk_reset_timer(sk, &icsk->icsk_delack_timer,
 | |
| 			       jiffies + TCP_DELACK_MIN);
 | |
| 		goto out;
 | |
| 	}
 | |
| 
 | |
| 	if (sk->sk_state == DCCP_CLOSED ||
 | |
| 	    !(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
 | |
| 		goto out;
 | |
| 	if (time_after(icsk->icsk_ack.timeout, jiffies)) {
 | |
| 		sk_reset_timer(sk, &icsk->icsk_delack_timer,
 | |
| 			       icsk->icsk_ack.timeout);
 | |
| 		goto out;
 | |
| 	}
 | |
| 
 | |
| 	icsk->icsk_ack.pending &= ~ICSK_ACK_TIMER;
 | |
| 
 | |
| 	if (inet_csk_ack_scheduled(sk)) {
 | |
| 		if (!icsk->icsk_ack.pingpong) {
 | |
| 			/* Delayed ACK missed: inflate ATO. */
 | |
| 			icsk->icsk_ack.ato = min(icsk->icsk_ack.ato << 1,
 | |
| 						 icsk->icsk_rto);
 | |
| 		} else {
 | |
| 			/* Delayed ACK missed: leave pingpong mode and
 | |
| 			 * deflate ATO.
 | |
| 			 */
 | |
| 			icsk->icsk_ack.pingpong = 0;
 | |
| 			icsk->icsk_ack.ato = TCP_ATO_MIN;
 | |
| 		}
 | |
| 		dccp_send_ack(sk);
 | |
| 		__NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKS);
 | |
| 	}
 | |
| out:
 | |
| 	bh_unlock_sock(sk);
 | |
| 	sock_put(sk);
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * dccp_write_xmitlet  -  Workhorse for CCID packet dequeueing interface
 | |
|  * See the comments above %ccid_dequeueing_decision for supported modes.
 | |
|  */
 | |
| static void dccp_write_xmitlet(unsigned long data)
 | |
| {
 | |
| 	struct sock *sk = (struct sock *)data;
 | |
| 
 | |
| 	bh_lock_sock(sk);
 | |
| 	if (sock_owned_by_user(sk))
 | |
| 		sk_reset_timer(sk, &dccp_sk(sk)->dccps_xmit_timer, jiffies + 1);
 | |
| 	else
 | |
| 		dccp_write_xmit(sk);
 | |
| 	bh_unlock_sock(sk);
 | |
| 	sock_put(sk);
 | |
| }
 | |
| 
 | |
| static void dccp_write_xmit_timer(struct timer_list *t)
 | |
| {
 | |
| 	struct dccp_sock *dp = from_timer(dp, t, dccps_xmit_timer);
 | |
| 	struct sock *sk = &dp->dccps_inet_connection.icsk_inet.sk;
 | |
| 
 | |
| 	dccp_write_xmitlet((unsigned long)sk);
 | |
| }
 | |
| 
 | |
| void dccp_init_xmit_timers(struct sock *sk)
 | |
| {
 | |
| 	struct dccp_sock *dp = dccp_sk(sk);
 | |
| 
 | |
| 	tasklet_init(&dp->dccps_xmitlet, dccp_write_xmitlet, (unsigned long)sk);
 | |
| 	timer_setup(&dp->dccps_xmit_timer, dccp_write_xmit_timer, 0);
 | |
| 	inet_csk_init_xmit_timers(sk, &dccp_write_timer, &dccp_delack_timer,
 | |
| 				  &dccp_keepalive_timer);
 | |
| }
 | |
| 
 | |
| static ktime_t dccp_timestamp_seed;
 | |
| /**
 | |
|  * dccp_timestamp  -  10s of microseconds time source
 | |
|  * Returns the number of 10s of microseconds since loading DCCP. This is native
 | |
|  * DCCP time difference format (RFC 4340, sec. 13).
 | |
|  * Please note: This will wrap around about circa every 11.9 hours.
 | |
|  */
 | |
| u32 dccp_timestamp(void)
 | |
| {
 | |
| 	u64 delta = (u64)ktime_us_delta(ktime_get_real(), dccp_timestamp_seed);
 | |
| 
 | |
| 	do_div(delta, 10);
 | |
| 	return delta;
 | |
| }
 | |
| EXPORT_SYMBOL_GPL(dccp_timestamp);
 | |
| 
 | |
| void __init dccp_timestamping_init(void)
 | |
| {
 | |
| 	dccp_timestamp_seed = ktime_get_real();
 | |
| }
 |