[PATCH 4.4 09/28] tcp: fix various issues for sockets morphing to listen state

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 09/28] tcp: fix various issues for sockets morphing to listen state
Date: Mon, 20 Mar 2017 18:49:04 +0100	[thread overview]
Message-ID: <20170320174719.360154574@linuxfoundation.org> (raw)
In-Reply-To: <20170320174718.794407270@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit 02b2faaf0af1d85585f6d6980e286d53612acfc2 ]

Dmitry Vyukov reported a divide by 0 triggered by syzkaller, exploiting
tcp_disconnect() path that was never really considered and/or used
before syzkaller ;)

I was not able to reproduce the bug, but it seems issues here are the
three possible actions that assumed they would never trigger on a
listener.

1) tcp_write_timer_handler
2) tcp_delack_timer_handler
3) MTU reduction

Only IPv6 MTU reduction was properly testing TCP_CLOSE and TCP_LISTEN
 states from tcp_v6_mtu_reduced()

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_ipv4.c  |    7 +++++--
 net/ipv4/tcp_timer.c |    6 ++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -271,10 +271,13 @@ EXPORT_SYMBOL(tcp_v4_connect);
  */
 void tcp_v4_mtu_reduced(struct sock *sk)
 {
-	struct dst_entry *dst;
 	struct inet_sock *inet = inet_sk(sk);
-	u32 mtu = tcp_sk(sk)->mtu_info;
+	struct dst_entry *dst;
+	u32 mtu;
 
+	if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
+		return;
+	mtu = tcp_sk(sk)->mtu_info;
 	dst = inet_csk_update_pmtu(sk, mtu);
 	if (!dst)
 		return;
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -223,7 +223,8 @@ void tcp_delack_timer_handler(struct soc
 
 	sk_mem_reclaim_partial(sk);
 
-	if (sk->sk_state == TCP_CLOSE || !(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
+	if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
+	    !(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
 		goto out;
 
 	if (time_after(icsk->icsk_ack.timeout, jiffies)) {
@@ -504,7 +505,8 @@ void tcp_write_timer_handler(struct sock
 	struct inet_connection_sock *icsk = inet_csk(sk);
 	int event;
 
-	if (sk->sk_state == TCP_CLOSE || !icsk->icsk_pending)
+	if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
+	    !icsk->icsk_pending)
 		goto out;
 
 	if (time_after(icsk->icsk_timeout, jiffies)) {

next prev parent reply	other threads:[~2017-03-20 17:53 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-20 17:48 [PATCH 4.4 00/28] 4.4.56-stable review Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 01/28] netlink: remove mmapped netlink support Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 02/28] [PATCH 04/41] vxlan: correctly validate VXLAN ID against VXLAN_N_VID Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 03/28] [PATCH 05/41] vti6: return GRE_KEY for vti6 Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 04/28] ipv4: mask tos for input route Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 06/28] net: dont call strlen() on the user buffer in packet_bind_spkt() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 07/28] net: net_enable_timestamp() can be called from irq contexts Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 08/28] dccp: Unlock sock before calling sk_free() Greg Kroah-Hartman
2017-03-20 17:49 ` Greg Kroah-Hartman [this message]
2017-03-20 17:49 ` [PATCH 4.4 10/28] net: fix socket refcounting in skb_complete_wifi_ack() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 11/28] net: fix socket refcounting in skb_complete_tx_timestamp() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 12/28] dccp: fix use-after-free in dccp_feat_activate_values Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 13/28] vrf: Fix use-after-free in vrf_xmit Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 14/28] uapi: fix linux/packet_diag.h userspace compilation error Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 16/28] mpls: Send route delete notifications when router module is unloaded Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 17/28] ipv6: make ECMP route replacement less greedy Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 18/28] ipv6: avoid write to a possibly cloned skb Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 19/28] bridge: drop netfilter fake rtable unconditionally Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 21/28] dccp: fix memory leak during tear-down of unsuccessful connection request Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 22/28] net sched actions: decrement module reference count after table flush Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 23/28] fscrypt: fix renaming and linking special files Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 24/28] fscrypto: lock inode while setting encryption policy Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 25/28] x86/kasan: Fix boot with KASAN=y and PROFILE_ANNOTATED_BRANCHES=y Greg Kroah-Hartman
2017-03-20 17:49   ` Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 26/28] x86/perf: Fix CR4.PCE propagation to use active_mm instead of mm Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 27/28] futex: Fix potential use-after-free in FUTEX_REQUEUE_PI Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 28/28] futex: Add missing error handling to FUTEX_REQUEUE_PI Greg Kroah-Hartman
2017-03-21  0:11 ` [PATCH 4.4 00/28] 4.4.56-stable review Shuah Khan
2017-03-21  2:13 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170320174719.360154574@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=dvyukov@google.com \
    --cc=edumazet@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.