linux

iv/linux

History

Eric Dumazet 7f582b248d tcp: purge write queue in tcp_connect_init()

syzkaller found a reliable way to crash the host, hitting a BUG()
in __tcp_retransmit_skb()

Malicous MSG_FASTOPEN is the root cause. We need to purge write queue
in tcp_connect_init() at the point we init snd_una/write_seq.

This patch also replaces the BUG() by a less intrusive WARN_ON_ONCE()

kernel BUG at net/ipv4/tcp_output.c:2837!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 5276 Comm: syz-executor0 Not tainted 4.17.0-rc3+ #51
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__tcp_retransmit_skb+0x2992/0x2eb0 net/ipv4/tcp_output.c:2837
RSP: 0000:ffff8801dae06ff8 EFLAGS: 00010206
RAX: ffff8801b9fe61c0 RBX: 00000000ffc18a16 RCX: ffffffff864e1a49
RDX: 0000000000000100 RSI: ffffffff864e2e12 RDI: 0000000000000005
RBP: ffff8801dae073a0 R08: ffff8801b9fe61c0 R09: ffffed0039c40dd2
R10: ffffed0039c40dd2 R11: ffff8801ce206e93 R12: 00000000421eeaad
R13: ffff8801ce206d4e R14: ffff8801ce206cc0 R15: ffff8801cd4f4a80
FS:  0000000000000000(0000) GS:ffff8801dae00000(0063) knlGS:00000000096bc900
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020000000 CR3: 00000001c47b6000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 tcp_retransmit_skb+0x2e/0x250 net/ipv4/tcp_output.c:2923
 tcp_retransmit_timer+0xc50/0x3060 net/ipv4/tcp_timer.c:488
 tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
 tcp_write_timer+0x111/0x1d0 net/ipv4/tcp_timer.c:593
 call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:525 [inline]
 smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863

Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

2018-05-16 12:18:00 -04:00

netfilter

netfilter: x_tables: add module alias for icmp matches

2018-05-08 14:15:32 +02:00

af_inet.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

2018-03-31 23:33:04 -04:00

ah4.c

net: use -ENOSPC for transient busy indication

2017-11-03 22:11:17 +08:00

arp.c

arp: fix arp_filter on l3slave devices

2018-04-05 22:05:03 -04:00

cipso_ipv4.c

tcp/dccp: fix ireq->opt races

2017-10-21 01:33:19 +01:00

datagram.c

…

devinet.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

esp4_offload.c

esp: check the NETIF_F_HW_ESP_TX_CSUM bit before segmenting

2018-02-27 10:46:01 +01:00

esp4.c

esp4: remove redundant initialization of pointer esph

2018-02-13 13:59:03 +01:00

fib_frontend.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

fib_lookup.h

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

fib_notifier.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

fib_rules.c

ipv6: route: dissect flow in input path if fib rules need it

2018-02-28 22:44:44 -05:00

fib_semantics.c

route: check sysctl_fib_multipath_use_neigh earlier than hash

2018-04-01 20:57:39 -04:00

fib_trie.c

net/ipv4: Allow notifier to fail route replace

2018-03-29 14:10:30 -04:00

fou.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

gre_demux.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2016-06-30 05:03:36 -04:00

gre_offload.c

gso: fix payload length when gso_size is zero

2017-10-08 10:12:15 -07:00

icmp.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

igmp.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

inet_connection_sock.c

Revert "defer call to mem_cgroup_sk_alloc()"

2018-02-02 19:49:31 -05:00

inet_diag.c

sock_diag: request _diag module only when the family or proto has been registered

2018-03-12 11:03:42 -04:00

inet_fragment.c

inet: frags: remove inet_frag_maybe_warn_overflow()

2018-03-31 23:25:39 -04:00

inet_hashtables.c

inet: Avoid unitialized variable warning in inet_unhash()

2018-02-01 09:48:42 -05:00

inet_timewait_sock.c

soreuseport: initialise timewait reuseport field

2018-04-07 22:32:32 -04:00

inetpeer.c

inetpeer: fix uninit-value in inet_getpeer

2018-04-09 10:57:35 -04:00

ip_forward.c

net: rename skb_gso_validate_mtu -> skb_gso_validate_network_len

2018-03-04 17:49:17 -05:00

ip_fragment.c

inet: frags: fix ip6frag_low_thresh boundary

2018-04-04 12:04:59 -04:00

ip_gre.c

ip_gre: clear feature flags when incompatible o_flags are set

2018-04-10 11:03:32 -04:00

ip_input.c

net: Make ip_ra_chain per struct net

2018-03-22 15:12:56 -04:00

ip_options.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

ip_output.c

net: Fix one possible memleak in ip_setup_cork

2018-04-16 12:57:06 -04:00

ip_sockglue.c

net: Replace ip_ra_lock with per-net mutex

2018-03-22 15:12:56 -04:00

ip_tunnel_core.c

net: store port/representator id in metadata_dst

2017-06-25 11:42:01 -04:00

ip_tunnel.c

ip_tunnel: better validate user provided tunnel names

2018-04-05 15:16:15 -04:00

ip_vti.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

ipcomp.c

…

ipconfig.c

net: Use octal not symbolic permissions

2018-03-26 12:07:48 -04:00

ipip.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

ipmr_base.c

ipmr: Make ipmr_dump() common

2018-03-26 13:14:43 -04:00

ipmr.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

Kconfig

ipmr,ipmr6: Define a uniform vif_device

2018-03-01 13:13:23 -05:00

Makefile

ipmr,ipmr6: Define a uniform vif_device

2018-03-01 13:13:23 -05:00

netfilter.c

netfilter: remove struct nf_afinfo and its helper functions

2018-01-08 18:11:02 +01:00

ping.c

ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg

2018-05-11 12:00:58 -04:00

proc.c

inet: frags: break the 2GB limit for frags storage

2018-03-31 23:25:39 -04:00

protocol.c

net: Add sysctl to toggle early demux for tcp and udp

2017-03-24 13:17:07 -07:00

raw_diag.c

net: ipv6: add second dif to raw socket lookups

2017-08-07 11:39:22 -07:00

raw.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

route.c

ipv4: reset fnhe_mtu_locked after cache route flushed

2018-05-10 15:40:52 -04:00

syncookies.c

net/ipv4: disable SMC TCP option with SYN Cookies

2018-03-25 20:53:54 -04:00

sysctl_net_ipv4.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

tcp_bbr.c

tcp_bbr: fix to zero idle_restart only upon S/ACKed data

2018-05-02 11:12:32 -04:00

tcp_bic.c

tcp: consolidate congestion control undo functions

2017-08-06 21:25:10 -07:00

tcp_cdg.c

tcp: cdg: make struct tcp_cdg static

2017-10-16 21:24:25 +01:00

tcp_cong.c

tcp: Namespace-ify sysctl_tcp_default_congestion_control

2017-11-15 14:09:52 +09:00

tcp_cubic.c

tcp: consolidate congestion control undo functions

2017-08-06 21:25:10 -07:00

tcp_dctcp.c

Revert "dctcp: update cwnd on congestion event"

2016-12-06 11:34:24 -05:00

tcp_diag.c

net: sock: replace sk_state_load with inet_sk_state_load and remove sk_state_store

2017-12-20 14:00:25 -05:00

tcp_fastopen.c

tcp: pause Fast Open globally after third consecutive timeout

2017-12-13 15:51:12 -05:00

tcp_highspeed.c

tcp: consolidate congestion control undo functions

2017-08-06 21:25:10 -07:00

tcp_htcp.c

tcp: fix cwnd undo in Reno and HTCP congestion controls

2017-08-06 21:25:10 -07:00

tcp_hybla.c

tcp: make undo_cwnd mandatory for congestion modules

2016-11-21 13:20:17 -05:00

tcp_illinois.c

net/tcp/illinois: replace broken algorithm reference link

2018-02-28 12:03:47 -05:00

tcp_input.c

tcp: don't read out-of-bounds opsize

2018-04-23 09:51:06 -04:00

tcp_ipv4.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

2018-03-31 23:33:04 -04:00

tcp_lp.c

tcp: switch TCP TS option (RFC 7323) to 1ms clock

2017-05-17 16:06:01 -04:00

tcp_metrics.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

tcp_minisocks.c

crypto : chtls - CPL handler definition

2018-03-31 23:37:32 -04:00

tcp_nv.c

tcp_nv: fix potential integer overflow in tcpnv_acked

2018-01-31 10:26:30 -05:00

tcp_offload.c

gso: validate gso_type in GSO handlers

2018-01-22 16:01:30 -05:00

tcp_output.c

tcp: purge write queue in tcp_connect_init()

2018-05-16 12:18:00 -04:00

tcp_rate.c

tcp: invalidate rate samples during SACK reneging

2017-12-08 10:07:02 -05:00

tcp_recovery.c

tcp: evaluate packet losses upon RTT change

2017-12-08 14:14:11 -05:00

tcp_scalable.c

tcp: consolidate congestion control undo functions

2017-08-06 21:25:10 -07:00

tcp_timer.c

tcp: purge write queue upon aborting the connection

2018-03-07 15:01:03 -05:00

tcp_ulp.c

net: add a UID to use for ULP socket assignment

2018-02-06 11:39:31 +01:00

tcp_vegas.c

tcp: fix under-evaluated ssthresh in TCP Vegas

2017-09-29 06:07:00 +01:00

tcp_vegas.h

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

tcp_veno.c

tcp: consolidate congestion control undo functions

2017-08-06 21:25:10 -07:00

tcp_westwood.c

tcp: Revert "tcp: remove CA_ACK_SLOWPATH"

2017-08-30 11:20:08 -07:00

tcp_yeah.c

tcp: consolidate congestion control undo functions

2017-08-06 21:25:10 -07:00

tcp.c

tcp: restore autocorking

2018-05-03 11:28:50 -04:00

tunnel4.c

inet: whitespace cleanup

2018-02-28 11:43:28 -05:00

udp_diag.c

net: ipv6: add second dif to udp socket lookups

2017-08-07 11:39:22 -07:00

udp_impl.h

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

udp_offload.c

gso: validate gso_type in GSO handlers

2018-01-22 16:01:30 -05:00

udp_tunnel.c

net: add infrastructure to un-offload UDP tunnel port

2017-07-24 13:52:59 -07:00

udp.c

ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg

2018-05-11 12:00:58 -04:00

udplite.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

xfrm4_input.c

xfrm: Reinject transport-mode packets through tasklet

2017-12-19 08:23:21 +01:00

xfrm4_mode_beet.c

networking: make skb_pull & friends return void pointers

2017-06-16 11:48:39 -04:00

xfrm4_mode_transport.c

xfrm: Add encapsulation header offsets while SKB is not encrypted

2017-04-14 10:07:39 +02:00

xfrm4_mode_tunnel.c

xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto

2018-03-07 10:54:29 +01:00

xfrm4_output.c

net: xfrm: use skb_gso_validate_network_len() to check gso sizes

2018-03-04 17:49:17 -05:00

xfrm4_policy.c

net: Drop pernet_operations::async

2018-03-27 13:18:09 -04:00

xfrm4_protocol.c

xfrm: input: constify xfrm_input_afinfo

2017-02-09 10:22:17 +01:00

xfrm4_state.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

xfrm4_tunnel.c

…