Re: [MPTCP][PATCH net-next] mptcp: clear use_ack and use_map when dropping other suboptions
On Tue, 15 Dec 2020 16:11:52 -0800 (PST) Mat Martineau wrote: > On Tue, 15 Dec 2020, Geliang Tang wrote: > > > This patch cleared use_ack and use_map when dropping other suboptions to > > fix the following syzkaller BUG: > > Reported-by: Christoph Paasch > > Fixes: 84dfe3677a6f (mptcp: send out dedicated ADD_ADDR packet) > > Signed-off-by: Geliang Tang > > --- > > net/mptcp/options.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > David or Jakub, this patch is intended for the -net tree (not net-next as > labeled in the subject line). If you can apply it to -net, that's great, > otherwise it can be resubmitted as [PATCH net]. > > In any case, the content is good: Should matter all that much other than for build testing. > Reviewed-by: Mat Martineau Applied, thanks!
Re: [MPTCP][PATCH net-next] mptcp: clear use_ack and use_map when dropping other suboptions
On Tue, 15 Dec 2020, Geliang Tang wrote: This patch cleared use_ack and use_map when dropping other suboptions to fix the following syzkaller BUG: [ 15.223006] BUG: unable to handle page fault for address: 00223b10 [ 15.223700] #PF: supervisor read access in kernel mode [ 15.224209] #PF: error_code(0x) - not-present page [ 15.224724] PGD b8d5067 P4D b8d5067 PUD c0a5067 PMD 0 [ 15.225237] Oops: [#1] SMP [ 15.225556] CPU: 0 PID: 7747 Comm: syz-executor Not tainted 5.10.0-rc6+ #24 [ 15.226281] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 15.227292] RIP: 0010:skb_release_data+0x89/0x1e0 [ 15.227816] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34 [ 15.229669] RSP: 0018:c900019c7c08 EFLAGS: 00010293 [ 15.230188] RAX: 88800daad900 RBX: 00223b08 RCX: 0006 [ 15.230895] RDX: RSI: 818e06c5 RDI: 88807f6dc700 [ 15.231593] RBP: 88807f71a4c0 R08: 0001 R09: 0001 [ 15.232299] R10: c900019c7c18 R11: R12: 88807f71a4f0 [ 15.233007] R13: R14: 88807f6dc700 R15: 0002 [ 15.233714] FS: 7f65d9b5f700() GS:88807c40() knlGS: [ 15.234509] CS: 0010 DS: ES: CR0: 80050033 [ 15.235081] CR2: 00223b10 CR3: 0b883000 CR4: 06f0 [ 15.235788] Call Trace: [ 15.236042] skb_release_all+0x28/0x30 [ 15.236419] __kfree_skb+0x11/0x20 [ 15.236768] tcp_data_queue+0x270/0x1240 [ 15.237161] ? tcp_urg+0x50/0x2a0 [ 15.237496] tcp_rcv_established+0x39a/0x890 [ 15.237997] ? mark_held_locks+0x49/0x70 [ 15.238467] tcp_v4_do_rcv+0xb9/0x270 [ 15.238915] __release_sock+0x8a/0x160 [ 15.239365] release_sock+0x32/0xd0 [ 15.239793] __inet_stream_connect+0x1d2/0x400 [ 15.240313] ? do_wait_intr_irq+0x80/0x80 [ 15.240791] inet_stream_connect+0x36/0x50 [ 15.241275] mptcp_stream_connect+0x69/0x1b0 [ 15.241787] __sys_connect+0x122/0x140 [ 15.242236] ? syscall_enter_from_user_mode+0x17/0x50 [ 15.242836] ? lockdep_hardirqs_on_prepare+0xd4/0x170 [ 15.243436] __x64_sys_connect+0x1a/0x20 [ 15.243924] do_syscall_64+0x33/0x40 [ 15.244313] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 15.244821] RIP: 0033:0x7f65d946e469 [ 15.245183] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48 [ 15.247019] RSP: 002b:7f65d9b5eda8 EFLAGS: 0246 ORIG_RAX: 002a [ 15.247770] RAX: ffda RBX: 0049bf00 RCX: 7f65d946e469 [ 15.248471] RDX: 0010 RSI: 20c0 RDI: 0005 [ 15.249205] RBP: 0049bf00 R08: R09: [ 15.249908] R10: R11: 0246 R12: 0049bf0c [ 15.250603] R13: 7fffe8a25cef R14: 7f65d9b3f000 R15: 0003 [ 15.251312] Modules linked in: [ 15.251626] CR2: 00223b10 [ 15.251965] BUG: kernel NULL pointer dereference, address: 0048 [ 15.252005] ---[ end trace f5c51fe19123c773 ]--- [ 15.252822] #PF: supervisor read access in kernel mode [ 15.252823] #PF: error_code(0x) - not-present page [ 15.252825] PGD c6c6067 P4D c6c6067 PUD c0d8067 [ 15.253294] RIP: 0010:skb_release_data+0x89/0x1e0 [ 15.253910] PMD 0 [ 15.253914] Oops: [#2] SMP [ 15.253917] CPU: 1 PID: 7746 Comm: syz-executor Tainted: G D 5.10.0-rc6+ #24 [ 15.253920] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 15.254435] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34 [ 15.254899] RIP: 0010:skb_release_data+0x89/0x1e0 [ 15.254902] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34 [ 15.254905] RSP: 0018:c900019bfc08 EFLAGS: 00010293 [ 15.255376] RSP: 0018:c900019c7c08 EFLAGS: 00010293 [ 15.255580] [ 15.255583] RAX: 888004a7ac80 RBX: 0040 RCX: [ 15.255912] [ 15.256724] RDX: RSI: 818e06c5 RDI: 88807f6ddd00 [ 15.257620] RAX: 88800daad900 RBX: 00223b08 RCX: 0006 [ 15.259817] RBP: 88800e9006c0 R08: R09: [ 15.259818] R10: R11: R12: 88800e9006f0 [ 15.259820] R13: R14:
[MPTCP][PATCH net-next] mptcp: clear use_ack and use_map when dropping other suboptions
This patch cleared use_ack and use_map when dropping other suboptions to fix the following syzkaller BUG: [ 15.223006] BUG: unable to handle page fault for address: 00223b10 [ 15.223700] #PF: supervisor read access in kernel mode [ 15.224209] #PF: error_code(0x) - not-present page [ 15.224724] PGD b8d5067 P4D b8d5067 PUD c0a5067 PMD 0 [ 15.225237] Oops: [#1] SMP [ 15.225556] CPU: 0 PID: 7747 Comm: syz-executor Not tainted 5.10.0-rc6+ #24 [ 15.226281] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 15.227292] RIP: 0010:skb_release_data+0x89/0x1e0 [ 15.227816] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34 [ 15.229669] RSP: 0018:c900019c7c08 EFLAGS: 00010293 [ 15.230188] RAX: 88800daad900 RBX: 00223b08 RCX: 0006 [ 15.230895] RDX: RSI: 818e06c5 RDI: 88807f6dc700 [ 15.231593] RBP: 88807f71a4c0 R08: 0001 R09: 0001 [ 15.232299] R10: c900019c7c18 R11: R12: 88807f71a4f0 [ 15.233007] R13: R14: 88807f6dc700 R15: 0002 [ 15.233714] FS: 7f65d9b5f700() GS:88807c40() knlGS: [ 15.234509] CS: 0010 DS: ES: CR0: 80050033 [ 15.235081] CR2: 00223b10 CR3: 0b883000 CR4: 06f0 [ 15.235788] Call Trace: [ 15.236042] skb_release_all+0x28/0x30 [ 15.236419] __kfree_skb+0x11/0x20 [ 15.236768] tcp_data_queue+0x270/0x1240 [ 15.237161] ? tcp_urg+0x50/0x2a0 [ 15.237496] tcp_rcv_established+0x39a/0x890 [ 15.237997] ? mark_held_locks+0x49/0x70 [ 15.238467] tcp_v4_do_rcv+0xb9/0x270 [ 15.238915] __release_sock+0x8a/0x160 [ 15.239365] release_sock+0x32/0xd0 [ 15.239793] __inet_stream_connect+0x1d2/0x400 [ 15.240313] ? do_wait_intr_irq+0x80/0x80 [ 15.240791] inet_stream_connect+0x36/0x50 [ 15.241275] mptcp_stream_connect+0x69/0x1b0 [ 15.241787] __sys_connect+0x122/0x140 [ 15.242236] ? syscall_enter_from_user_mode+0x17/0x50 [ 15.242836] ? lockdep_hardirqs_on_prepare+0xd4/0x170 [ 15.243436] __x64_sys_connect+0x1a/0x20 [ 15.243924] do_syscall_64+0x33/0x40 [ 15.244313] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 15.244821] RIP: 0033:0x7f65d946e469 [ 15.245183] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48 [ 15.247019] RSP: 002b:7f65d9b5eda8 EFLAGS: 0246 ORIG_RAX: 002a [ 15.247770] RAX: ffda RBX: 0049bf00 RCX: 7f65d946e469 [ 15.248471] RDX: 0010 RSI: 20c0 RDI: 0005 [ 15.249205] RBP: 0049bf00 R08: R09: [ 15.249908] R10: R11: 0246 R12: 0049bf0c [ 15.250603] R13: 7fffe8a25cef R14: 7f65d9b3f000 R15: 0003 [ 15.251312] Modules linked in: [ 15.251626] CR2: 00223b10 [ 15.251965] BUG: kernel NULL pointer dereference, address: 0048 [ 15.252005] ---[ end trace f5c51fe19123c773 ]--- [ 15.252822] #PF: supervisor read access in kernel mode [ 15.252823] #PF: error_code(0x) - not-present page [ 15.252825] PGD c6c6067 P4D c6c6067 PUD c0d8067 [ 15.253294] RIP: 0010:skb_release_data+0x89/0x1e0 [ 15.253910] PMD 0 [ 15.253914] Oops: [#2] SMP [ 15.253917] CPU: 1 PID: 7746 Comm: syz-executor Tainted: G D 5.10.0-rc6+ #24 [ 15.253920] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 15.254435] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34 [ 15.254899] RIP: 0010:skb_release_data+0x89/0x1e0 [ 15.254902] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34 [ 15.254905] RSP: 0018:c900019bfc08 EFLAGS: 00010293 [ 15.255376] RSP: 0018:c900019c7c08 EFLAGS: 00010293 [ 15.255580] [ 15.255583] RAX: 888004a7ac80 RBX: 0040 RCX: [ 15.255912] [ 15.256724] RDX: RSI: 818e06c5 RDI: 88807f6ddd00 [ 15.257620] RAX: 88800daad900 RBX: 00223b08 RCX: 0006 [ 15.259817] RBP: 88800e9006c0 R08: R09: [ 15.259818] R10: R11: R12: 88800e9006f0 [ 15.259820] R13: R14: 88807f6ddd00 R15: 0002 [ 15.259822]