From: Al Viro <viro@zeniv.linux.org.uk>
To: Eric Dumazet <edumazet@google.com>
Cc: Matthieu Baerts <matttbe@kernel.org>,
davem@davemloft.net, geliang@kernel.org, horms@kernel.org,
kuba@kernel.org, linux-kernel@vger.kernel.org,
martineau@kernel.org, mptcp@lists.linux.dev,
netdev@vger.kernel.org, pabeni@redhat.com,
syzkaller-bugs@googlegroups.com,
syzbot <syzbot+e364f774c6f57f2c86d1@syzkaller.appspotmail.com>
Subject: Re: [syzbot] [mptcp?] general protection fault in proc_scheduler
Date: Sun, 5 Jan 2025 21:11:58 +0000 [thread overview]
Message-ID: <20250105211158.GL1977892@ZenIV> (raw)
In-Reply-To: <20250105205056.GK1977892@ZenIV>
On Sun, Jan 05, 2025 at 08:50:56PM +0000, Al Viro wrote:
> has max taken from ctl->extra2, which is &net->sctp.rto_max of the
> opener's netns, but the value capped by that in stored into
> net->sctp.rto_min of *writer's* netns. So the logics that is supposed
> to prevent rto_min > rto_max can be bypassed; no idea how much can that
> escalate to, but it's clearly not what the code intends.
Speaking of which, the logics that tries to maintain rto_min <= rto_max is
broken in another way. There's no exclusion in those suckers. IOW, if
we have set rto_min to 1 and rto_max to 10000, two processes can try to
write 1000 to rto_min and 10 to rto_max resp., with successful validations
done against the original state in both, followed by actual stores.
Result is rto_min == 1000 and rto_max == 10, which is probably not what
one wants there...
IOW, the validation and stores should be atomic; the same goes for another
pair (pf_retrans <= ps_retrans). Again, I've no idea how severe it is,
but result seems to be at least contrary to expectation of the code
authors...
next prev parent reply other threads:[~2025-01-05 21:12 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-02 14:12 [syzbot] [mptcp?] general protection fault in proc_scheduler syzbot
2025-01-02 15:21 ` Eric Dumazet
2025-01-04 18:38 ` Matthieu Baerts
2025-01-04 18:53 ` Eric Dumazet
2025-01-04 19:00 ` Al Viro
2025-01-04 19:11 ` Matthieu Baerts
2025-01-04 20:21 ` Al Viro
2025-01-05 8:32 ` Eric Dumazet
2025-01-05 11:29 ` Al Viro
2025-01-05 16:52 ` Eric Dumazet
2025-01-05 17:03 ` Matthieu Baerts
2025-01-05 19:54 ` Al Viro
2025-01-05 20:50 ` Al Viro
2025-01-05 21:11 ` Al Viro [this message]
2025-01-05 17:03 ` Matthieu Baerts
2025-01-04 19:11 ` Matthieu Baerts
2025-01-06 13:32 ` Joel Granados
2025-01-06 14:27 ` Matthieu Baerts
2025-01-06 15:27 ` Eric Dumazet
2025-01-06 15:34 ` Matthieu Baerts
2025-01-08 14:37 ` Joel Granados
2025-01-04 20:09 ` Al Viro
2025-01-03 10:32 ` Hillf Danton
2025-01-03 10:52 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250105211158.GL1977892@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=geliang@kernel.org \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martineau@kernel.org \
--cc=matttbe@kernel.org \
--cc=mptcp@lists.linux.dev \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+e364f774c6f57f2c86d1@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.