mirror of
https://github.com/FEX-Emu/linux.git
synced 2025-01-07 18:14:04 +00:00
a8d7aa17bb
syzbot reported a crash in tasklet_action_common() caused by dccp.
dccp needs to make sure socket wont disappear before tasklet handler
has completed.
This patch takes a reference on the socket when arming the tasklet,
and moves the sock_put() from dccp_write_xmit_timer() to dccp_write_xmitlet()
kernel BUG at kernel/softirq.c:514!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 4.17.0-rc3+ #30
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tasklet_action_common.isra.19+0x6db/0x700 kernel/softirq.c:515
RSP: 0018:ffff8801d9b3faf8 EFLAGS: 00010246
dccp_close: ABORT with 65423 bytes unread
RAX: 1ffff1003b367f6b RBX: ffff8801daf1f3f0 RCX: 0000000000000000
RDX: ffff8801cf895498 RSI: 0000000000000004 RDI: 0000000000000000
RBP: ffff8801d9b3fc40 R08: ffffed0039f12a95 R09: ffffed0039f12a94
dccp_close: ABORT with 65423 bytes unread
R10: ffffed0039f12a94 R11: ffff8801cf8954a3 R12: 0000000000000000
R13: ffff8801d9b3fc18 R14: dffffc0000000000 R15: ffff8801cf895490
FS: 0000000000000000(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2bc28000 CR3: 00000001a08a9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tasklet_action+0x1d/0x20 kernel/softirq.c:533
__do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
dccp_close: ABORT with 65423 bytes unread
run_ksoftirqd+0x86/0x100 kernel/softirq.c:646
smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
kthread+0x345/0x410 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Code: 48 8b 85 e8 fe ff ff 48 8b 95 f0 fe ff ff e9 94 fb ff ff 48 89 95 f0 fe ff ff e8 81 53 6e 00 48 8b 95 f0 fe ff ff e9 62 fb ff ff <0f> 0b 48 89 cf 48 89 8d e8 fe ff ff e8 64 53 6e 00 48 8b 8d e8
RIP: tasklet_action_common.isra.19+0x6db/0x700 kernel/softirq.c:515 RSP: ffff8801d9b3faf8
Fixes: dc841e30ea
("dccp: Extend CCID packet dequeueing interface")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Cc: dccp@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
276 lines
7.3 KiB
C
276 lines
7.3 KiB
C
/*
|
|
* net/dccp/timer.c
|
|
*
|
|
* An implementation of the DCCP protocol
|
|
* Arnaldo Carvalho de Melo <acme@conectiva.com.br>
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the License, or (at your option) any later version.
|
|
*/
|
|
|
|
#include <linux/dccp.h>
|
|
#include <linux/skbuff.h>
|
|
#include <linux/export.h>
|
|
|
|
#include "dccp.h"
|
|
|
|
/* sysctl variables governing numbers of retransmission attempts */
|
|
int sysctl_dccp_request_retries __read_mostly = TCP_SYN_RETRIES;
|
|
int sysctl_dccp_retries1 __read_mostly = TCP_RETR1;
|
|
int sysctl_dccp_retries2 __read_mostly = TCP_RETR2;
|
|
|
|
static void dccp_write_err(struct sock *sk)
|
|
{
|
|
sk->sk_err = sk->sk_err_soft ? : ETIMEDOUT;
|
|
sk->sk_error_report(sk);
|
|
|
|
dccp_send_reset(sk, DCCP_RESET_CODE_ABORTED);
|
|
dccp_done(sk);
|
|
__DCCP_INC_STATS(DCCP_MIB_ABORTONTIMEOUT);
|
|
}
|
|
|
|
/* A write timeout has occurred. Process the after effects. */
|
|
static int dccp_write_timeout(struct sock *sk)
|
|
{
|
|
const struct inet_connection_sock *icsk = inet_csk(sk);
|
|
int retry_until;
|
|
|
|
if (sk->sk_state == DCCP_REQUESTING || sk->sk_state == DCCP_PARTOPEN) {
|
|
if (icsk->icsk_retransmits != 0)
|
|
dst_negative_advice(sk);
|
|
retry_until = icsk->icsk_syn_retries ?
|
|
: sysctl_dccp_request_retries;
|
|
} else {
|
|
if (icsk->icsk_retransmits >= sysctl_dccp_retries1) {
|
|
/* NOTE. draft-ietf-tcpimpl-pmtud-01.txt requires pmtu
|
|
black hole detection. :-(
|
|
|
|
It is place to make it. It is not made. I do not want
|
|
to make it. It is disguisting. It does not work in any
|
|
case. Let me to cite the same draft, which requires for
|
|
us to implement this:
|
|
|
|
"The one security concern raised by this memo is that ICMP black holes
|
|
are often caused by over-zealous security administrators who block
|
|
all ICMP messages. It is vitally important that those who design and
|
|
deploy security systems understand the impact of strict filtering on
|
|
upper-layer protocols. The safest web site in the world is worthless
|
|
if most TCP implementations cannot transfer data from it. It would
|
|
be far nicer to have all of the black holes fixed rather than fixing
|
|
all of the TCP implementations."
|
|
|
|
Golden words :-).
|
|
*/
|
|
|
|
dst_negative_advice(sk);
|
|
}
|
|
|
|
retry_until = sysctl_dccp_retries2;
|
|
/*
|
|
* FIXME: see tcp_write_timout and tcp_out_of_resources
|
|
*/
|
|
}
|
|
|
|
if (icsk->icsk_retransmits >= retry_until) {
|
|
/* Has it gone just too far? */
|
|
dccp_write_err(sk);
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* The DCCP retransmit timer.
|
|
*/
|
|
static void dccp_retransmit_timer(struct sock *sk)
|
|
{
|
|
struct inet_connection_sock *icsk = inet_csk(sk);
|
|
|
|
/*
|
|
* More than than 4MSL (8 minutes) has passed, a RESET(aborted) was
|
|
* sent, no need to retransmit, this sock is dead.
|
|
*/
|
|
if (dccp_write_timeout(sk))
|
|
return;
|
|
|
|
/*
|
|
* We want to know the number of packets retransmitted, not the
|
|
* total number of retransmissions of clones of original packets.
|
|
*/
|
|
if (icsk->icsk_retransmits == 0)
|
|
__DCCP_INC_STATS(DCCP_MIB_TIMEOUTS);
|
|
|
|
if (dccp_retransmit_skb(sk) != 0) {
|
|
/*
|
|
* Retransmission failed because of local congestion,
|
|
* do not backoff.
|
|
*/
|
|
if (--icsk->icsk_retransmits == 0)
|
|
icsk->icsk_retransmits = 1;
|
|
inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
|
|
min(icsk->icsk_rto,
|
|
TCP_RESOURCE_PROBE_INTERVAL),
|
|
DCCP_RTO_MAX);
|
|
return;
|
|
}
|
|
|
|
icsk->icsk_backoff++;
|
|
|
|
icsk->icsk_rto = min(icsk->icsk_rto << 1, DCCP_RTO_MAX);
|
|
inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS, icsk->icsk_rto,
|
|
DCCP_RTO_MAX);
|
|
if (icsk->icsk_retransmits > sysctl_dccp_retries1)
|
|
__sk_dst_reset(sk);
|
|
}
|
|
|
|
static void dccp_write_timer(struct timer_list *t)
|
|
{
|
|
struct inet_connection_sock *icsk =
|
|
from_timer(icsk, t, icsk_retransmit_timer);
|
|
struct sock *sk = &icsk->icsk_inet.sk;
|
|
int event = 0;
|
|
|
|
bh_lock_sock(sk);
|
|
if (sock_owned_by_user(sk)) {
|
|
/* Try again later */
|
|
sk_reset_timer(sk, &icsk->icsk_retransmit_timer,
|
|
jiffies + (HZ / 20));
|
|
goto out;
|
|
}
|
|
|
|
if (sk->sk_state == DCCP_CLOSED || !icsk->icsk_pending)
|
|
goto out;
|
|
|
|
if (time_after(icsk->icsk_timeout, jiffies)) {
|
|
sk_reset_timer(sk, &icsk->icsk_retransmit_timer,
|
|
icsk->icsk_timeout);
|
|
goto out;
|
|
}
|
|
|
|
event = icsk->icsk_pending;
|
|
icsk->icsk_pending = 0;
|
|
|
|
switch (event) {
|
|
case ICSK_TIME_RETRANS:
|
|
dccp_retransmit_timer(sk);
|
|
break;
|
|
}
|
|
out:
|
|
bh_unlock_sock(sk);
|
|
sock_put(sk);
|
|
}
|
|
|
|
static void dccp_keepalive_timer(struct timer_list *t)
|
|
{
|
|
struct sock *sk = from_timer(sk, t, sk_timer);
|
|
|
|
pr_err("dccp should not use a keepalive timer !\n");
|
|
sock_put(sk);
|
|
}
|
|
|
|
/* This is the same as tcp_delack_timer, sans prequeue & mem_reclaim stuff */
|
|
static void dccp_delack_timer(struct timer_list *t)
|
|
{
|
|
struct inet_connection_sock *icsk =
|
|
from_timer(icsk, t, icsk_delack_timer);
|
|
struct sock *sk = &icsk->icsk_inet.sk;
|
|
|
|
bh_lock_sock(sk);
|
|
if (sock_owned_by_user(sk)) {
|
|
/* Try again later. */
|
|
icsk->icsk_ack.blocked = 1;
|
|
__NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKLOCKED);
|
|
sk_reset_timer(sk, &icsk->icsk_delack_timer,
|
|
jiffies + TCP_DELACK_MIN);
|
|
goto out;
|
|
}
|
|
|
|
if (sk->sk_state == DCCP_CLOSED ||
|
|
!(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
|
|
goto out;
|
|
if (time_after(icsk->icsk_ack.timeout, jiffies)) {
|
|
sk_reset_timer(sk, &icsk->icsk_delack_timer,
|
|
icsk->icsk_ack.timeout);
|
|
goto out;
|
|
}
|
|
|
|
icsk->icsk_ack.pending &= ~ICSK_ACK_TIMER;
|
|
|
|
if (inet_csk_ack_scheduled(sk)) {
|
|
if (!icsk->icsk_ack.pingpong) {
|
|
/* Delayed ACK missed: inflate ATO. */
|
|
icsk->icsk_ack.ato = min(icsk->icsk_ack.ato << 1,
|
|
icsk->icsk_rto);
|
|
} else {
|
|
/* Delayed ACK missed: leave pingpong mode and
|
|
* deflate ATO.
|
|
*/
|
|
icsk->icsk_ack.pingpong = 0;
|
|
icsk->icsk_ack.ato = TCP_ATO_MIN;
|
|
}
|
|
dccp_send_ack(sk);
|
|
__NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKS);
|
|
}
|
|
out:
|
|
bh_unlock_sock(sk);
|
|
sock_put(sk);
|
|
}
|
|
|
|
/**
|
|
* dccp_write_xmitlet - Workhorse for CCID packet dequeueing interface
|
|
* See the comments above %ccid_dequeueing_decision for supported modes.
|
|
*/
|
|
static void dccp_write_xmitlet(unsigned long data)
|
|
{
|
|
struct sock *sk = (struct sock *)data;
|
|
|
|
bh_lock_sock(sk);
|
|
if (sock_owned_by_user(sk))
|
|
sk_reset_timer(sk, &dccp_sk(sk)->dccps_xmit_timer, jiffies + 1);
|
|
else
|
|
dccp_write_xmit(sk);
|
|
bh_unlock_sock(sk);
|
|
sock_put(sk);
|
|
}
|
|
|
|
static void dccp_write_xmit_timer(struct timer_list *t)
|
|
{
|
|
struct dccp_sock *dp = from_timer(dp, t, dccps_xmit_timer);
|
|
struct sock *sk = &dp->dccps_inet_connection.icsk_inet.sk;
|
|
|
|
dccp_write_xmitlet((unsigned long)sk);
|
|
}
|
|
|
|
void dccp_init_xmit_timers(struct sock *sk)
|
|
{
|
|
struct dccp_sock *dp = dccp_sk(sk);
|
|
|
|
tasklet_init(&dp->dccps_xmitlet, dccp_write_xmitlet, (unsigned long)sk);
|
|
timer_setup(&dp->dccps_xmit_timer, dccp_write_xmit_timer, 0);
|
|
inet_csk_init_xmit_timers(sk, &dccp_write_timer, &dccp_delack_timer,
|
|
&dccp_keepalive_timer);
|
|
}
|
|
|
|
static ktime_t dccp_timestamp_seed;
|
|
/**
|
|
* dccp_timestamp - 10s of microseconds time source
|
|
* Returns the number of 10s of microseconds since loading DCCP. This is native
|
|
* DCCP time difference format (RFC 4340, sec. 13).
|
|
* Please note: This will wrap around about circa every 11.9 hours.
|
|
*/
|
|
u32 dccp_timestamp(void)
|
|
{
|
|
u64 delta = (u64)ktime_us_delta(ktime_get_real(), dccp_timestamp_seed);
|
|
|
|
do_div(delta, 10);
|
|
return delta;
|
|
}
|
|
EXPORT_SYMBOL_GPL(dccp_timestamp);
|
|
|
|
void __init dccp_timestamping_init(void)
|
|
{
|
|
dccp_timestamp_seed = ktime_get_real();
|
|
}
|