evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/net/ipv4
History
Eric Dumazet 5bbe138a25 tcp: purge write queue in tcp_connect_init() 
[ Upstream commit 7f582b248d0a86bae5788c548d7bb5bca6f7691a ]

syzkaller found a reliable way to crash the host, hitting a BUG()
in __tcp_retransmit_skb()

Malicous MSG_FASTOPEN is the root cause. We need to purge write queue
in tcp_connect_init() at the point we init snd_una/write_seq.

This patch also replaces the BUG() by a less intrusive WARN_ON_ONCE()

kernel BUG at net/ipv4/tcp_output.c:2837!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 5276 Comm: syz-executor0 Not tainted 4.17.0-rc3+ #51
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__tcp_retransmit_skb+0x2992/0x2eb0 net/ipv4/tcp_output.c:2837
RSP: 0000:ffff8801dae06ff8 EFLAGS: 00010206
RAX: ffff8801b9fe61c0 RBX: 00000000ffc18a16 RCX: ffffffff864e1a49
RDX: 0000000000000100 RSI: ffffffff864e2e12 RDI: 0000000000000005
RBP: ffff8801dae073a0 R08: ffff8801b9fe61c0 R09: ffffed0039c40dd2
R10: ffffed0039c40dd2 R11: ffff8801ce206e93 R12: 00000000421eeaad
R13: ffff8801ce206d4e R14: ffff8801ce206cc0 R15: ffff8801cd4f4a80
FS:  0000000000000000(0000) GS:ffff8801dae00000(0063) knlGS:00000000096bc900
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020000000 CR3: 00000001c47b6000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 tcp_retransmit_skb+0x2e/0x250 net/ipv4/tcp_output.c:2923
 tcp_retransmit_timer+0xc50/0x3060 net/ipv4/tcp_timer.c:488
 tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
 tcp_write_timer+0x111/0x1d0 net/ipv4/tcp_timer.c:593
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863

Fixes: cf60af03ca ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-26 08:48:58 +02:00
..
netfilter netfilter: nf_nat_h323: fix logical-not-parentheses warning 2018-04-08 11:51:57 +02:00
af_inet.c net: ping: do not abuse udp_poll() 2017-06-14 13:16:19 +02:00
ah4.c ipsec: check return value of skb_to_sgvec always 2018-04-13 19:50:23 +02:00
arp.c arp: fix arp_filter on l3slave devices 2018-04-13 19:50:24 +02:00
cipso_ipv4.c tcp/dccp: fix ireq->opt races 2017-11-18 11:11:06 +01:00
datagram.c net: Set sk_txhash from a random number 2015-07-29 22:44:04 -07:00
devinet.c ipv4: igmp: guard against silly MTU values 2018-01-02 20:33:24 +01:00
esp4.c ipsec: check return value of skb_to_sgvec always 2018-04-13 19:50:23 +02:00
fib_frontend.c ipv4: Fix use-after-free when flushing FIB tables 2018-01-02 20:33:26 +01:00
fib_lookup.h ipv4: consider TOS in fib_select_default 2015-07-24 22:46:11 -07:00
fib_rules.c net: ipv6: use common fib_default_rule_pref 2015-09-09 14:19:50 -07:00
fib_semantics.c fib_semantics: Don't match route with mismatching tclassid 2018-03-11 16:19:45 +01:00
fib_trie.c net: Improve handling of failures on link and route dumps 2017-06-07 12:05:58 +02:00
fou.c net: add recursion limit to GRO 2016-11-15 07:46:38 +01:00
gre_demux.c gre: Remove support for sharing GRE protocol hook. 2015-08-10 14:03:54 -07:00
gre_offload.c net: add recursion limit to GRO 2016-11-15 07:46:38 +01:00
icmp.c Revert "ipv4/icmp: redirect messages can use the ingress daddr as source" 2015-10-14 06:01:07 -07:00
igmp.c net: igmp: add a missing rcu locking section 2018-02-16 20:09:37 +01:00
inet_connection_sock.c tcp/dccp: fix other lockdep splats accessing ireq_opt 2017-11-18 11:11:07 +01:00
inet_diag.c tcp/dccp: install syn_recv requests into ehash table 2015-10-03 04:32:41 -07:00
inet_fragment.c net: Fix hlist corruptions in inet_evict_bucket() 2018-03-31 18:12:33 +02:00
inet_hashtables.c tcp/dccp: fix hashdance race for passive sessions 2015-10-23 05:42:21 -07:00
inet_lro.c
inet_timewait_sock.c soreuseport: initialise timewait reuseport field 2018-05-16 10:06:50 +02:00
inetpeer.c net: Add helper function to compare inetpeer addresses 2015-08-28 13:32:36 -07:00
ip_forward.c net: Pass net into dst_output and remove dst_output_okfn 2015-10-08 04:26:54 -07:00
ip_fragment.c inet: frag: release spinlock before calling icmp_send() 2017-12-25 14:22:11 +01:00
ip_gre.c vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices 2016-06-24 10:18:18 -07:00
ip_input.c ipv4: Pass struct net into ip_defrag and ip_check_defrag 2015-10-12 19:44:16 -07:00
ip_options.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
ip_output.c net: test tailroom before appending to linear skb 2018-05-26 08:48:57 +02:00
ip_sockglue.c net: Only honor ifindex in IP_PKTINFO if non-0 2018-03-31 18:12:33 +02:00
ip_tunnel.c ip_tunnel: better validate user provided tunnel names 2018-04-13 19:50:26 +02:00
ip_tunnel_core.c tunnels: Remove encapsulation offloads on decap. 2016-10-31 04:13:59 -06:00
ip_vti.c vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit 2017-10-21 17:09:02 +02:00
ipcomp.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
ipconfig.c ipv4: ipconfig: avoid unused ic_proto_used symbol 2018-02-25 11:03:47 +01:00
ipip.c ipip: only increase err_count for some certain type icmp in ipip_err 2017-11-18 11:11:06 +01:00
ipmr.c ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route 2016-11-15 07:46:37 +01:00
Kconfig ip_tunnel: replace dst_cache with generic implementation 2018-02-28 10:17:21 +01:00
Makefile tcp: track the packet timings in RACK 2015-10-21 07:00:48 -07:00
netfilter.c netfilter: use skb_to_full_sk in ip_route_me_harder 2018-03-18 11:17:51 +01:00
ping.c ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg 2018-05-26 08:48:46 +02:00
proc.c net: track success and failure of TCP PMTU probing 2015-07-21 22:36:33 -07:00
protocol.c net: Export inet_offloads and inet6_offloads 2014-09-19 17:15:31 -04:00
raw.c net: ipv4: fix for a race condition in raw_sendmsg 2018-01-02 20:33:25 +01:00
route.c net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68 2018-03-11 16:19:46 +01:00
syncookies.c tcp/dccp: fix ireq->opt races 2017-11-18 11:11:06 +01:00
sysctl_net_ipv4.c ipv4: use the right lock for ping_group_range 2016-11-15 07:46:38 +01:00
tcp.c tcp: ignore Fast Open on repair mode 2018-05-26 08:48:48 +02:00
tcp_bic.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_cdg.c tcp: do not slow start when cwnd equals ssthresh 2015-07-09 14:22:52 -07:00
tcp_cong.c tcp: disallow cwnd undo when switching congestion control 2017-06-14 13:16:19 +02:00
tcp_cubic.c tcp_cubic: do not set epoch_start in the future 2015-09-17 22:35:07 -07:00
tcp_dctcp.c dctcp: avoid bogus doubling of cwnd after loss 2016-11-21 10:06:39 +01:00
tcp_diag.c tcp: ensure proper barriers in lockless contexts 2015-11-15 18:36:38 -05:00
tcp_fastopen.c tcp: initialize max window for a new fastopen socket 2017-02-04 09:45:09 +01:00
tcp_highspeed.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_htcp.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_hybla.c tcp: do not slow start when cwnd equals ssthresh 2015-07-09 14:22:52 -07:00
tcp_illinois.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_input.c tcp: don't read out-of-bounds opsize 2018-04-29 07:50:05 +02:00
tcp_ipv4.c tcp md5sig: Use skb's saddr when replying to an incoming segment 2018-01-02 20:33:25 +01:00
tcp_lp.c tcp: fix wraparound issue in tcp_lp 2017-05-14 13:32:58 +02:00
tcp_memcontrol.c memcg: cleanup static keys decrement 2015-02-12 18:54:10 -08:00
tcp_metrics.c tcp: convert cached rtt from usec to jiffies when feeding initial rto 2016-04-20 15:41:56 +09:00
tcp_minisocks.c tcp: do not inherit fastopen_req from parent 2017-05-14 13:32:58 +02:00
tcp_offload.c tcp: reserve tcp_skb_mss() to tcp stack 2015-06-11 16:33:10 -07:00
tcp_output.c tcp: purge write queue in tcp_connect_init() 2018-05-26 08:48:58 +02:00
tcp_probe.c tcp: whitespace fixes 2014-09-01 18:12:45 -07:00
tcp_recovery.c tcp: use RACK to detect losses 2015-10-21 07:00:53 -07:00
tcp_scalable.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_timer.c net: tcp: close sock if net namespace is exiting 2018-01-31 12:06:14 +01:00
tcp_vegas.c tcp: fix under-evaluated ssthresh in TCP Vegas 2017-12-25 14:22:15 +01:00
tcp_vegas.h tcp: prepare CC get_info() access from getsockopt() 2015-04-29 17:10:38 -04:00
tcp_veno.c tcp: add tcp_in_slow_start helper 2015-07-09 14:22:52 -07:00
tcp_westwood.c tcp_westwood: fix tcp_westwood_info() 2015-05-05 19:50:09 -04:00
tcp_yeah.c tcp: cwnd does not increase in TCP YeAH 2016-09-30 10:18:34 +02:00
tunnel4.c
udp.c ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg 2018-05-26 08:48:46 +02:00
udp_diag.c sock_diag: specify info_size per inet protocol 2015-06-15 19:49:22 -07:00
udp_impl.h net: Remove iocb argument from sendmsg and recvmsg 2015-03-02 13:06:31 -05:00
udp_offload.c net: avoid skb_warn_bad_offload false positives on UFO 2017-08-12 19:29:08 -07:00
udp_tunnel.c tunnel: Clear IPCB(skb)->opt before dst_link_failure called 2016-04-20 15:41:56 +09:00
udplite.c net: Eliminate no_check from protosw 2014-05-23 16:28:53 -04:00
xfrm4_input.c netfilter: Pass net into okfn 2015-09-17 17:18:37 -07:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c ipv4: hash net ptr into fragmentation bucket selection 2015-03-25 14:07:04 -04:00
xfrm4_output.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-10-24 06:54:12 -07:00
xfrm4_policy.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2015-12-22 16:26:31 -05:00
xfrm4_protocol.c xfrm4: Remove duplicate semicolon 2014-06-30 07:49:47 +02:00
xfrm4_state.c
xfrm4_tunnel.c