1. 23 Nov, 2022 5 commits
    • Jakub Kicinski's avatar
      Merge branch 'dccp-tcp-fix-bhash2-issues-related-to-warn_on-in-inet_csk_get_port' · 0972457f
      Jakub Kicinski authored
      Kuniyuki Iwashima says:
      
      ====================
      dccp/tcp: Fix bhash2 issues related to WARN_ON() in inet_csk_get_port().
      
      syzkaller was hitting a WARN_ON() in inet_csk_get_port() in the 4th patch,
      which was because we forgot to fix up bhash2 bucket when connect() for a
      socket bound to a wildcard address fails in __inet_stream_connect().
      
      There was a similar report [0], but its repro does not fire the WARN_ON() due
      to inconsistent error handling.
      
      When connect() for a socket bound to a wildcard address fails, saddr may or
      may not be reset depending on where the failure happens.  When we fail in
      __inet_stream_connect(), sk->sk_prot->disconnect() resets saddr.  OTOH, in
      (dccp|tcp)_v[46]_connect(), if we fail after inet_hash6?_connect(), we
      forget to reset saddr.
      
      We fix this inconsistent error handling in the 1st patch, and then we'll
      fix the bhash2 WARN_ON() issue.
      
      Note that there is still an issue in that we reset saddr without checking
      if there are conflicting sockets in bhash and bhash2, but this should be
      another series.
      
      See [1][2] for the previous discussion.
      
      [0]: https://lore.kernel.org/netdev/0000000000003f33bc05dfaf44fe@google.com/
      [1]: https://lore.kernel.org/netdev/20221029001249.86337-1-kuniyu@amazon.com/
      [2]: https://lore.kernel.org/netdev/20221103172419.20977-1-kuniyu@amazon.com/
      [3]: https://lore.kernel.org/netdev/20221118081906.053d5231@kernel.org/T/#m00aafedb29ff0b55d5e67aef0252ef1baaf4b6ee
      ====================
      
      Link: https://lore.kernel.org/r/20221119014914.31792-1-kuniyu@amazon.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0972457f
    • Kuniyuki Iwashima's avatar
      dccp/tcp: Fixup bhash2 bucket when connect() fails. · e0833d1f
      Kuniyuki Iwashima authored
      If a socket bound to a wildcard address fails to connect(), we
      only reset saddr and keep the port.  Then, we have to fix up the
      bhash2 bucket; otherwise, the bucket has an inconsistent address
      in the list.
      
      Also, listen() for such a socket will fire the WARN_ON() in
      inet_csk_get_port(). [0]
      
      Note that when a system runs out of memory, we give up fixing the
      bucket and unlink sk from bhash and bhash2 by inet_put_port().
      
      [0]:
      WARNING: CPU: 0 PID: 207 at net/ipv4/inet_connection_sock.c:548 inet_csk_get_port (net/ipv4/inet_connection_sock.c:548 (discriminator 1))
      Modules linked in:
      CPU: 0 PID: 207 Comm: bhash2_prev_rep Not tainted 6.1.0-rc3-00799-gc8421681c845 #63
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014
      RIP: 0010:inet_csk_get_port (net/ipv4/inet_connection_sock.c:548 (discriminator 1))
      Code: 74 a7 eb 93 48 8b 54 24 18 0f b7 cb 4c 89 e6 4c 89 ff e8 48 b2 ff ff 49 8b 87 18 04 00 00 e9 32 ff ff ff 0f 0b e9 34 ff ff ff <0f> 0b e9 42 ff ff ff 41 8b 7f 50 41 8b 4f 54 89 fe 81 f6 00 00 ff
      RSP: 0018:ffffc900003d7e50 EFLAGS: 00010202
      RAX: ffff8881047fb500 RBX: 0000000000004e20 RCX: 0000000000000000
      RDX: 000000000000000a RSI: 00000000fffffe00 RDI: 00000000ffffffff
      RBP: ffffffff8324dc00 R08: 0000000000000001 R09: 0000000000000001
      R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
      R13: 0000000000000001 R14: 0000000000004e20 R15: ffff8881054e1280
      FS:  00007f8ac04dc740(0000) GS:ffff88842fc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020001540 CR3: 00000001055fa003 CR4: 0000000000770ef0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       <TASK>
       inet_csk_listen_start (net/ipv4/inet_connection_sock.c:1205)
       inet_listen (net/ipv4/af_inet.c:228)
       __sys_listen (net/socket.c:1810)
       __x64_sys_listen (net/socket.c:1819 net/socket.c:1817 net/socket.c:1817)
       do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
       entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
      RIP: 0033:0x7f8ac051de5d
      Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48
      RSP: 002b:00007ffc1c177248 EFLAGS: 00000206 ORIG_RAX: 0000000000000032
      RAX: ffffffffffffffda RBX: 0000000020001550 RCX: 00007f8ac051de5d
      RDX: ffffffffffffff80 RSI: 0000000000000000 RDI: 0000000000000004
      RBP: 00007ffc1c177270 R08: 0000000000000018 R09: 0000000000000007
      R10: 0000000020001540 R11: 0000000000000206 R12: 00007ffc1c177388
      R13: 0000000000401169 R14: 0000000000403e18 R15: 00007f8ac0723000
       </TASK>
      
      Fixes: 28044fc1 ("net: Add a bhash2 table hashed by port and address")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reported-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Acked-by: default avatarJoanne Koong <joannelkoong@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e0833d1f
    • Kuniyuki Iwashima's avatar
      dccp/tcp: Update saddr under bhash's lock. · 8c5dae4c
      Kuniyuki Iwashima authored
      When we call connect() for a socket bound to a wildcard address, we update
      saddr locklessly.  However, it could result in a data race; another thread
      iterating over bhash might see a corrupted address.
      
      Let's update saddr under the bhash bucket's lock.
      
      Fixes: 3df80d93 ("[DCCP]: Introduce DCCPv6")
      Fixes: 7c657876 ("[DCCP]: Initial implementation")
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Acked-by: default avatarJoanne Koong <joannelkoong@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8c5dae4c
    • Kuniyuki Iwashima's avatar
      dccp/tcp: Remove NULL check for prev_saddr in inet_bhash2_update_saddr(). · 8acdad37
      Kuniyuki Iwashima authored
      When we call inet_bhash2_update_saddr(), prev_saddr is always non-NULL.
      Let's remove the unnecessary test.
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Acked-by: default avatarJoanne Koong <joannelkoong@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8acdad37
    • Kuniyuki Iwashima's avatar
      dccp/tcp: Reset saddr on failure after inet6?_hash_connect(). · 77934dc6
      Kuniyuki Iwashima authored
      When connect() is called on a socket bound to the wildcard address,
      we change the socket's saddr to a local address.  If the socket
      fails to connect() to the destination, we have to reset the saddr.
      
      However, when an error occurs after inet_hash6?_connect() in
      (dccp|tcp)_v[46]_conect(), we forget to reset saddr and leave
      the socket bound to the address.
      
      From the user's point of view, whether saddr is reset or not varies
      with errno.  Let's fix this inconsistent behaviour.
      
      Note that after this patch, the repro [0] will trigger the WARN_ON()
      in inet_csk_get_port() again, but this patch is not buggy and rather
      fixes a bug papering over the bhash2's bug for which we need another
      fix.
      
      For the record, the repro causes -EADDRNOTAVAIL in inet_hash6_connect()
      by this sequence:
      
        s1 = socket()
        s1.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        s1.bind(('127.0.0.1', 10000))
        s1.sendto(b'hello', MSG_FASTOPEN, (('127.0.0.1', 10000)))
        # or s1.connect(('127.0.0.1', 10000))
      
        s2 = socket()
        s2.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        s2.bind(('0.0.0.0', 10000))
        s2.connect(('127.0.0.1', 10000))  # -EADDRNOTAVAIL
      
        s2.listen(32)  # WARN_ON(inet_csk(sk)->icsk_bind2_hash != tb2);
      
      [0]: https://syzkaller.appspot.com/bug?extid=015d756bbd1f8b5c8f09
      
      Fixes: 3df80d93 ("[DCCP]: Introduce DCCPv6")
      Fixes: 7c657876 ("[DCCP]: Initial implementation")
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Acked-by: default avatarJoanne Koong <joannelkoong@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      77934dc6
  2. 22 Nov, 2022 15 commits
  3. 21 Nov, 2022 9 commits
  4. 19 Nov, 2022 11 commits