From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: dccp@vger.kernel.org
Subject: [PATCH 4.9 03/33] dccp: fix tasklet usage
Date: Fri, 18 May 2018 08:15:42 +0000 [thread overview]
Message-ID: <20180518081535.234591426@linuxfoundation.org> (raw)
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a8d7aa17bbc970971ccdf71988ea19230ab368b1 ]
syzbot reported a crash in tasklet_action_common() caused by dccp.
dccp needs to make sure socket wont disappear before tasklet handler
has completed.
This patch takes a reference on the socket when arming the tasklet,
and moves the sock_put() from dccp_write_xmit_timer() to dccp_write_xmitlet()
kernel BUG at kernel/softirq.c:514!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 4.17.0-rc3+ #30
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tasklet_action_common.isra.19+0x6db/0x700 kernel/softirq.c:515
RSP: 0018:ffff8801d9b3faf8 EFLAGS: 00010246
dccp_close: ABORT with 65423 bytes unread
RAX: 1ffff1003b367f6b RBX: ffff8801daf1f3f0 RCX: 0000000000000000
RDX: ffff8801cf895498 RSI: 0000000000000004 RDI: 0000000000000000
RBP: ffff8801d9b3fc40 R08: ffffed0039f12a95 R09: ffffed0039f12a94
dccp_close: ABORT with 65423 bytes unread
R10: ffffed0039f12a94 R11: ffff8801cf8954a3 R12: 0000000000000000
R13: ffff8801d9b3fc18 R14: dffffc0000000000 R15: ffff8801cf895490
FS: 0000000000000000(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2bc28000 CR3: 00000001a08a9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tasklet_action+0x1d/0x20 kernel/softirq.c:533
__do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
dccp_close: ABORT with 65423 bytes unread
run_ksoftirqd+0x86/0x100 kernel/softirq.c:646
smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
kthread+0x345/0x410 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Code: 48 8b 85 e8 fe ff ff 48 8b 95 f0 fe ff ff e9 94 fb ff ff 48 89 95 f0 fe ff ff e8 81 53 6e 00 48 8b 95 f0 fe ff ff e9 62 fb ff ff <0f> 0b 48 89 cf 48 89 8d e8 fe ff ff e8 64 53 6e 00 48 8b 8d e8
RIP: tasklet_action_common.isra.19+0x6db/0x700 kernel/softirq.c:515 RSP: ffff8801d9b3faf8
Fixes: dc841e30eaea ("dccp: Extend CCID packet dequeueing interface")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Cc: dccp@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dccp/ccids/ccid2.c | 14 ++++++++++++--
net/dccp/timer.c | 2 +-
2 files changed, 13 insertions(+), 3 deletions(-)
--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -126,6 +126,16 @@ static void ccid2_change_l_seq_window(st
DCCPF_SEQ_WMAX));
}
+static void dccp_tasklet_schedule(struct sock *sk)
+{
+ struct tasklet_struct *t = &dccp_sk(sk)->dccps_xmitlet;
+
+ if (!test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) {
+ sock_hold(sk);
+ __tasklet_schedule(t);
+ }
+}
+
static void ccid2_hc_tx_rto_expire(unsigned long data)
{
struct sock *sk = (struct sock *)data;
@@ -166,7 +176,7 @@ static void ccid2_hc_tx_rto_expire(unsig
/* if we were blocked before, we may now send cwnd=1 packet */
if (sender_was_blocked)
- tasklet_schedule(&dccp_sk(sk)->dccps_xmitlet);
+ dccp_tasklet_schedule(sk);
/* restart backed-off timer */
sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
out:
@@ -706,7 +716,7 @@ static void ccid2_hc_tx_packet_recv(stru
done:
/* check if incoming Acks allow pending packets to be sent */
if (sender_was_blocked && !ccid2_cwnd_network_limited(hc))
- tasklet_schedule(&dccp_sk(sk)->dccps_xmitlet);
+ dccp_tasklet_schedule(sk);
dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks);
}
--- a/net/dccp/timer.c
+++ b/net/dccp/timer.c
@@ -230,12 +230,12 @@ static void dccp_write_xmitlet(unsigned
else
dccp_write_xmit(sk);
bh_unlock_sock(sk);
+ sock_put(sk);
}
static void dccp_write_xmit_timer(unsigned long data)
{
dccp_write_xmitlet(data);
- sock_put((struct sock *)data);
}
void dccp_init_xmit_timers(struct sock *sk)
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Gerrit Renker <gerrit@erg.abdn.ac.uk>,
dccp@vger.kernel.org, "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 03/33] dccp: fix tasklet usage
Date: Fri, 18 May 2018 10:15:42 +0200 [thread overview]
Message-ID: <20180518081535.234591426@linuxfoundation.org> (raw)
In-Reply-To: <20180518081535.096308218@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a8d7aa17bbc970971ccdf71988ea19230ab368b1 ]
syzbot reported a crash in tasklet_action_common() caused by dccp.
dccp needs to make sure socket wont disappear before tasklet handler
has completed.
This patch takes a reference on the socket when arming the tasklet,
and moves the sock_put() from dccp_write_xmit_timer() to dccp_write_xmitlet()
kernel BUG at kernel/softirq.c:514!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 4.17.0-rc3+ #30
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tasklet_action_common.isra.19+0x6db/0x700 kernel/softirq.c:515
RSP: 0018:ffff8801d9b3faf8 EFLAGS: 00010246
dccp_close: ABORT with 65423 bytes unread
RAX: 1ffff1003b367f6b RBX: ffff8801daf1f3f0 RCX: 0000000000000000
RDX: ffff8801cf895498 RSI: 0000000000000004 RDI: 0000000000000000
RBP: ffff8801d9b3fc40 R08: ffffed0039f12a95 R09: ffffed0039f12a94
dccp_close: ABORT with 65423 bytes unread
R10: ffffed0039f12a94 R11: ffff8801cf8954a3 R12: 0000000000000000
R13: ffff8801d9b3fc18 R14: dffffc0000000000 R15: ffff8801cf895490
FS: 0000000000000000(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2bc28000 CR3: 00000001a08a9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tasklet_action+0x1d/0x20 kernel/softirq.c:533
__do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
dccp_close: ABORT with 65423 bytes unread
run_ksoftirqd+0x86/0x100 kernel/softirq.c:646
smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
kthread+0x345/0x410 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Code: 48 8b 85 e8 fe ff ff 48 8b 95 f0 fe ff ff e9 94 fb ff ff 48 89 95 f0 fe ff ff e8 81 53 6e 00 48 8b 95 f0 fe ff ff e9 62 fb ff ff <0f> 0b 48 89 cf 48 89 8d e8 fe ff ff e8 64 53 6e 00 48 8b 8d e8
RIP: tasklet_action_common.isra.19+0x6db/0x700 kernel/softirq.c:515 RSP: ffff8801d9b3faf8
Fixes: dc841e30eaea ("dccp: Extend CCID packet dequeueing interface")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Cc: dccp@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dccp/ccids/ccid2.c | 14 ++++++++++++--
net/dccp/timer.c | 2 +-
2 files changed, 13 insertions(+), 3 deletions(-)
--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -126,6 +126,16 @@ static void ccid2_change_l_seq_window(st
DCCPF_SEQ_WMAX));
}
+static void dccp_tasklet_schedule(struct sock *sk)
+{
+ struct tasklet_struct *t = &dccp_sk(sk)->dccps_xmitlet;
+
+ if (!test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) {
+ sock_hold(sk);
+ __tasklet_schedule(t);
+ }
+}
+
static void ccid2_hc_tx_rto_expire(unsigned long data)
{
struct sock *sk = (struct sock *)data;
@@ -166,7 +176,7 @@ static void ccid2_hc_tx_rto_expire(unsig
/* if we were blocked before, we may now send cwnd=1 packet */
if (sender_was_blocked)
- tasklet_schedule(&dccp_sk(sk)->dccps_xmitlet);
+ dccp_tasklet_schedule(sk);
/* restart backed-off timer */
sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
out:
@@ -706,7 +716,7 @@ static void ccid2_hc_tx_packet_recv(stru
done:
/* check if incoming Acks allow pending packets to be sent */
if (sender_was_blocked && !ccid2_cwnd_network_limited(hc))
- tasklet_schedule(&dccp_sk(sk)->dccps_xmitlet);
+ dccp_tasklet_schedule(sk);
dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks);
}
--- a/net/dccp/timer.c
+++ b/net/dccp/timer.c
@@ -230,12 +230,12 @@ static void dccp_write_xmitlet(unsigned
else
dccp_write_xmit(sk);
bh_unlock_sock(sk);
+ sock_put(sk);
}
static void dccp_write_xmit_timer(unsigned long data)
{
dccp_write_xmitlet(data);
- sock_put((struct sock *)data);
}
void dccp_init_xmit_timers(struct sock *sk)
next reply other threads:[~2018-05-18 8:15 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-18 8:15 Greg Kroah-Hartman [this message]
2018-05-18 8:15 ` [PATCH 4.9 03/33] dccp: fix tasklet usage Greg Kroah-Hartman
-- strict thread matches above, loose matches on Subject: below --
2018-05-18 8:15 [PATCH 4.9 00/33] 4.9.101-stable review Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 01/33] 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 02/33] bridge: check iface upper dev when setting master via ioctl Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 04/33] ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 05/33] llc: better deal with too small mtu Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 06/33] net: ethernet: sun: niu set correct packet size in skb Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 07/33] net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 08/33] net/mlx4_en: Verify coalescing parameters are in range Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 09/33] net/mlx5: E-Switch, Include VF RDMA stats in vport statistics Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 10/33] net_sched: fq: take care of throttled flows before reuse Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 11/33] net: support compat 64-bit time in {s,g}etsockopt Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 12/33] openvswitch: Dont swap table in nlattr_set() after OVS_ATTR_NESTED is found Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 13/33] qmi_wwan: do not steal interfaces from class drivers Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 14/33] r8169: fix powering up RTL8168h Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 15/33] sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 16/33] sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 17/33] sctp: use the old asoc when making the cookie-ack chunk in dupcook_d Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 18/33] tcp_bbr: fix to zero idle_restart only upon S/ACKed data Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 19/33] tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent() Greg Kroah-Hartman
2018-05-18 8:15 ` [PATCH 4.9 20/33] bonding: do not allow rlb updates to invalid mac Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 21/33] net/mlx5: Avoid cleaning flow steering table twice during error flow Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 22/33] bonding: send learning packets for vlans on slave Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 23/33] tcp: ignore Fast Open on repair mode Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 24/33] sctp: fix the issue that the cookie-ack with auth cant get processed Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 25/33] sctp: delay the authentication for the duplicated cookie-echo chunk Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 26/33] serial: sccnxp: Fix error handling in sccnxp_probe() Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 27/33] futex: Remove duplicated code and fix undefined behaviour Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` [OpenRISC] " Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:16 ` Greg Kroah-Hartman
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` [OpenRISC] " Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 8:30 ` Jiri Slaby
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` [OpenRISC] " Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 9:01 ` Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 28/33] xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 29/33] lockd: lost rollback of set_grace_period() in lockd_down_net() Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 30/33] Revert "ARM: dts: imx6qdl-wandboard: Fix audio channel swap" Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 31/33] l2tp: revert "l2tp: fix missing print session offset info" Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 32/33] nfp: TX time stamp packets before HW doorbell is rung Greg Kroah-Hartman
2018-05-18 8:16 ` [PATCH 4.9 33/33] proc: do not access cmdline nor environ from file-backed areas Greg Kroah-Hartman
2018-05-18 13:20 ` [PATCH 4.9 00/33] 4.9.101-stable review Guenter Roeck
2018-05-18 14:05 ` kernelci.org bot
2018-05-18 19:02 ` Naresh Kamboju
2018-05-18 20:47 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180518081535.234591426@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dccp@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.