leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
2dda640040876cd8ae646408b69eea40c24f9ae9
linux/net/ipv4
History
Eric Dumazet 2dda640040 net: fix keepalive code vs TCP_FASTOPEN_CONNECT 
syzkaller was able to trigger a divide by 0 in TCP stack [1]

Issue here is that keepalive timer needs to be updated to not attempt
to send a probe if the connection setup was deferred using
TCP_FASTOPEN_CONNECT socket option added in linux-4.11

[1]
 divide error: 0000 [#1] SMP
 CPU: 18 PID: 0 Comm: swapper/18 Not tainted
 task: ffff986f62f4b040 ti: ffff986f62fa2000 task.ti: ffff986f62fa2000
 RIP: 0010:[<ffffffff8409cc0d>]  [<ffffffff8409cc0d>] __tcp_select_window+0x8d/0x160
 Call Trace:
  <IRQ>
  [<ffffffff8409d951>] tcp_transmit_skb+0x11/0x20
  [<ffffffff8409da21>] tcp_xmit_probe_skb+0xc1/0xe0
  [<ffffffff840a0ee8>] tcp_write_wakeup+0x68/0x160
  [<ffffffff840a151b>] tcp_keepalive_timer+0x17b/0x230
  [<ffffffff83b3f799>] call_timer_fn+0x39/0xf0
  [<ffffffff83b40797>] run_timer_softirq+0x1d7/0x280
  [<ffffffff83a04ddb>] __do_softirq+0xcb/0x257
  [<ffffffff83ae03ac>] irq_exit+0x9c/0xb0
  [<ffffffff83a04c1a>] smp_apic_timer_interrupt+0x6a/0x80
  [<ffffffff83a03eaf>] apic_timer_interrupt+0x7f/0x90
  <EOI>
  [<ffffffff83fed2ea>] ? cpuidle_enter_state+0x13a/0x3b0
  [<ffffffff83fed2cd>] ? cpuidle_enter_state+0x11d/0x3b0

Tested:

Following packetdrill no longer crashes the kernel

`echo 0 >/proc/sys/net/ipv4/tcp_timestamps`

// Cache warmup: send a Fast Open cookie request
    0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
   +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
   +0 setsockopt(3, SOL_TCP, TCP_FASTOPEN_CONNECT, [1], 4) = 0
   +0 connect(3, ..., ...) = -1 EINPROGRESS (Operation is now in progress)
   +0 > S 0:0(0) <mss 1460,nop,nop,sackOK,nop,wscale 8,FO,nop,nop>
 +.01 < S. 123:123(0) ack 1 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 6,FO abcd1234,nop,nop>
   +0 > . 1:1(0) ack 1
   +0 close(3) = 0
   +0 > F. 1:1(0) ack 1
   +0 < F. 1:1(0) ack 2 win 92
   +0 > .  2:2(0) ack 2

   +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 4
   +0 fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
   +0 setsockopt(4, SOL_TCP, TCP_FASTOPEN_CONNECT, [1], 4) = 0
   +0 setsockopt(4, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
 +.01 connect(4, ..., ...) = 0
   +0 setsockopt(4, SOL_TCP, TCP_KEEPIDLE, [5], 4) = 0
   +10 close(4) = 0

`echo 1 >/proc/sys/net/ipv4/tcp_timestamps`

Fixes: 19f6d3f3c8 ("net/tcp-fastopen: Add new API support")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Wei Wang <weiwan@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-03 09:34:51 -07:00
..
netfilter
netfilter: nf_tables: only allow in/output for arp packets
2017-07-17 17:02:44 +02:00
af_inet.c
net: convert sock.sk_wmem_alloc from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
ah4.c
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
2017-06-23 14:17:31 -04:00
arp.c
networking: make skb_put & friends return void pointers
2017-06-16 11:48:39 -04:00
cipso_ipv4.c
Cipso: cipso_v4_optptr enter infinite loop
2017-08-01 15:31:23 -07:00
datagram.c
devinet.c
net: convert in_device.refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
esp4_offload.c
esp4/6: Fix GSO path for non-GSO SW-crypto packets
2017-04-19 07:48:57 +02:00
esp4.c
net: convert sock.sk_wmem_alloc from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
fib_frontend.c
ipv4: initialize fib_trie prior to register_netdev_notifier call.
2017-07-20 15:24:45 -07:00
fib_lookup.h
net: add extack arg to lwtunnel build state
2017-05-30 11:55:32 -04:00
fib_notifier.c
ipv4: fib: Remove redundant argument
2017-03-10 09:45:09 -08:00
fib_rules.c
ipv4: fib_rules: Dump FIB rules when registering FIB notifier
2017-03-16 10:18:34 -07:00
fib_semantics.c
ipv4: fib: Fix NULL pointer deref during fib_sync_down_dev()
2017-07-31 17:51:11 -07:00
fib_trie.c
net, ipv4: convert fib_info.fib_clntref from atomic_t to refcount_t
2017-07-04 01:29:04 -07:00
fou.c
gue: fix remcsum when GRO on and CHECKSUM_PARTIAL boundary is outer UDP
2017-08-01 16:09:14 -07:00
gre_demux.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-06-30 05:03:36 -04:00
gre_offload.c
net: add recursion limit to GRO
2016-10-20 14:32:22 -04:00
icmp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-06-15 11:59:32 -04:00
igmp.c
net: convert ip_mc_list.refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
inet_connection_sock.c
net: convert sock.sk_refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
inet_diag.c
tcp: remove early retransmit
2017-01-13 22:37:16 -05:00
inet_fragment.c
net: convert inet_frag_queue.refcnt from atomic_t to refcount_t
2017-07-01 07:39:09 -07:00
inet_hashtables.c
net: make sk_ehashfn() static
2017-07-03 03:29:14 -07:00
inet_timewait_sock.c
net: convert sock.sk_refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
inetpeer.c
net: convert inet_peer.refcnt from atomic_t to refcount_t
2017-07-01 07:39:07 -07:00
ip_forward.c
ipv4: allow local fragmentation in ip_finish_output_gso()
2016-11-03 16:10:26 -04:00
ip_fragment.c
net: convert inet_frag_queue.refcnt from atomic_t to refcount_t
2017-07-01 07:39:09 -07:00
ip_gre.c
net: add netlink_ext_ack argument to rtnl_link_ops.validate
2017-06-26 23:13:22 -04:00
ip_input.c
net: Add sysctl to toggle early demux for tcp and udp
2017-03-24 13:17:07 -07:00
ip_options.c
Replace <asm/uaccess.h> with <linux/uaccess.h> globally
2016-12-24 11:46:01 -08:00
ip_output.c
ipv4: ip_do_fragment: fix headroom tests
2017-07-15 14:38:31 -07:00
ip_sockglue.c
do_ip_setsockopt(): don't open-code memdup_user()
2017-06-30 02:04:09 -04:00
ip_tunnel_core.c
net: store port/representator id in metadata_dst
2017-06-25 11:42:01 -04:00
ip_tunnel.c
ip_tunnel: fix potential issue in ip_tunnel_rcv
2017-06-16 12:01:29 -04:00
ip_vti.c
net: add netlink_ext_ack argument to rtnl_link_ops.validate
2017-06-26 23:13:22 -04:00
ipcomp.c
ipconfig.c
networking: convert many more places to skb_put_zero()
2017-06-16 11:48:35 -04:00
ipip.c
net: add netlink_ext_ack argument to rtnl_link_ops.validate
2017-06-26 23:13:22 -04:00
ipmr.c
net: ipmr: ipmr_get_table() returns NULL
2017-07-12 08:18:46 -07:00
Kconfig
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
2017-02-16 21:25:49 -05:00
Makefile
tcp: ULP infrastructure
2017-06-15 12:12:40 -04:00
netfilter.c
netfilter: use skb_to_full_sk in ip_route_me_harder
2017-02-28 12:49:36 +01:00
ping.c
net: convert sock.sk_refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
proc.c
tcp: add TCPMemoryPressuresChrono counter
2017-06-08 11:26:19 -04:00
protocol.c
net: Add sysctl to toggle early demux for tcp and udp
2017-03-24 13:17:07 -07:00
raw_diag.c
net: ip, raw_diag -- Use jump for exiting from nested loop
2016-11-03 15:25:26 -04:00
raw.c
net: convert sock.sk_refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
route.c
Merge tag 'random_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random
2017-07-15 12:44:02 -07:00
syncookies.c
ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check()
2017-07-18 11:22:51 -07:00
sysctl_net_ipv4.c
tcp: ULP infrastructure
2017-06-15 12:12:40 -04:00
tcp_bbr.c
tcp_bbr: init pacing rate on first RTT sample
2017-07-15 14:43:29 -07:00
tcp_bic.c
tcp: bic, cubic: use tcp_jiffies32 instead of tcp_time_stamp
2017-05-17 16:06:01 -04:00
tcp_cdg.c
sched/headers: Prepare for new header dependencies before moving code to <linux/sched/clock.h>
2017-03-02 08:42:27 +01:00
tcp_cong.c
bpf: Add support for changing congestion control
2017-07-01 16:15:14 -07:00
tcp_cubic.c
tcp: bic, cubic: use tcp_jiffies32 instead of tcp_time_stamp
2017-05-17 16:06:01 -04:00
tcp_dctcp.c
Revert "dctcp: update cwnd on congestion event"
2016-12-06 11:34:24 -05:00
tcp_diag.c
net: diag: Fix refcnt leak in error path destroying socket
2016-08-23 23:11:36 -07:00
tcp_fastopen.c
bpf: Add TCP connection BPF callbacks
2017-07-01 16:15:14 -07:00
tcp_highspeed.c
tcp: add cwnd_undo functions to various tcp cc algorithms
2016-11-21 13:20:17 -05:00
tcp_htcp.c
tcp: replace misc tcp_time_stamp to tcp_jiffies32
2017-05-17 16:06:01 -04:00
tcp_hybla.c
tcp: make undo_cwnd mandatory for congestion modules
2016-11-21 13:20:17 -05:00
tcp_illinois.c
tcp: add cwnd_undo functions to various tcp cc algorithms
2016-11-21 13:20:17 -05:00
tcp_input.c
tcp: avoid setting cwnd to invalid ssthresh after cwnd reduction states
2017-08-02 10:51:07 -07:00
tcp_ipv4.c
tcp: md5: tcp_md5_do_lookup_exact() can be static
2017-07-06 10:54:15 +01:00
tcp_lp.c
tcp: switch TCP TS option (RFC 7323) to 1ms clock
2017-05-17 16:06:01 -04:00
tcp_metrics.c
tcp: use tcp_jiffies32 to feed tp->snd_cwnd_stamp
2017-05-17 16:06:01 -04:00
tcp_minisocks.c
bpf: Support for setting initial receive window
2017-07-01 16:15:13 -07:00
tcp_nv.c
tcpnv: do not export local function
2017-05-21 13:42:36 -04:00
tcp_offload.c
net: convert sock.sk_wmem_alloc from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
tcp_output.c
tcp: avoid bogus gcc-7 array-bounds warning
2017-07-29 23:26:29 -07:00
tcp_probe.c
tcp: Revert "tcp: tcp_probe: use spin_lock_bh()"
2017-02-21 13:26:03 -05:00
tcp_rate.c
tcp: export do_tcp_sendpages and tcp_rate_check_app_limited functions
2017-06-15 12:12:40 -04:00
tcp_recovery.c
tcp: switch TCP TS option (RFC 7323) to 1ms clock
2017-05-17 16:06:01 -04:00
tcp_scalable.c
tcp: add cwnd_undo functions to various tcp cc algorithms
2016-11-21 13:20:17 -05:00
tcp_timer.c
net: fix keepalive code vs TCP_FASTOPEN_CONNECT
2017-08-03 09:34:51 -07:00
tcp_ulp.c
tcp: fix out-of-bounds access in ULP sysctl
2017-06-23 14:10:05 -04:00
tcp_vegas.c
tcp: make undo_cwnd mandatory for congestion modules
2016-11-21 13:20:17 -05:00
tcp_vegas.h
tcp_veno.c
tcp: add cwnd_undo functions to various tcp cc algorithms
2016-11-21 13:20:17 -05:00
tcp_westwood.c
tcp_westwood: use tcp_jiffies32 instead of tcp_time_stamp
2017-05-17 16:06:01 -04:00
tcp_yeah.c
tcp: add cwnd_undo functions to various tcp cc algorithms
2016-11-21 13:20:17 -05:00
tcp.c
bpf: Add support for changing congestion control
2017-07-01 16:15:14 -07:00
tunnel4.c
tunnels: correct conditional build of MPLS and IPv6
2016-07-11 13:27:06 -07:00
udp_diag.c
net: convert sock.sk_refcnt from atomic_t to refcount_t
2017-07-01 07:39:08 -07:00
udp_impl.h
udp: make *udp*_queue_rcv_skb() functions static
2017-05-18 10:23:33 -04:00
udp_offload.c
udp: disable inner UDP checksum offloads in IPsec case
2017-04-24 13:48:54 -04:00
udp_tunnel.c
net: Remove deprecated tunnel specific UDP offload functions
2016-06-17 20:23:32 -07:00
udp.c
udp6: fix socket leak on early demux
2017-07-29 14:19:03 -07:00
udplite.c
udplite: call proper backlog handlers
2016-11-24 15:32:14 -05:00
xfrm4_input.c
esp: Add a software GRO codepath
2017-02-15 11:04:11 +01:00
xfrm4_mode_beet.c
networking: make skb_pull & friends return void pointers
2017-06-16 11:48:39 -04:00
xfrm4_mode_transport.c
xfrm: Add encapsulation header offsets while SKB is not encrypted
2017-04-14 10:07:39 +02:00
xfrm4_mode_tunnel.c
xfrm: Add encapsulation header offsets while SKB is not encrypted
2017-04-14 10:07:39 +02:00
xfrm4_output.c
xfrm: Add an IPsec hardware offloading API
2017-04-14 10:06:10 +02:00
xfrm4_policy.c
xfrm: policy: make policy backend const
2017-02-09 10:22:19 +01:00
xfrm4_protocol.c
xfrm: input: constify xfrm_input_afinfo
2017-02-09 10:22:17 +01:00
xfrm4_state.c
xfrm: remove unused function
2017-01-10 10:57:12 +01:00
xfrm4_tunnel.c