From: Eric Dumazet
Date: Tue, 29 Jun 2021 10:21:59 +0200
Subject: Re: [PATCH] tcp: Do not reset the icsk_ca_initialized in tcp_init_transfer.
To: Nguyen Dinh Phi
Cc: Neal Cardwell, David Miller, Hideaki YOSHIFUJI, David Ahern, Jakub Kicinski, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, John Fastabend, kpsingh@kernel.org, netdev, LKML, bpf, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com, Yuchung Cheng
References: <20210628144908.881499-1-phind.uet@gmail.com> <79490158-e6d1-aabf-64aa-154b71205c74@gmail.com> <205F52AB-4A5B-4953-B97E-17E7CACBBCD8@gmail.com>
In-Reply-To: <205F52AB-4A5B-4953-B97E-17E7CACBBCD8@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jun 29, 2021 at 9:17 AM Nguyen Dinh Phi wrote:
>
> On June 29, 2021 1:20:19 AM GMT+08:00, Neal Cardwell wrote:
> >
> >On Mon, Jun 28, 2021 at 1:15 PM Phi Nguyen wrote:
> >>
> >> On 6/29/2021 12:24 AM, Neal Cardwell wrote:
> >>
> >> > Thanks.
> >> >
> >> > Can you also please provide a summary of the event sequence that
> >> > triggers the bug? Based on your Reported-by tag, I guess this is based
> >> > on the syzbot reproducer:
> >> >
> >> > https://groups.google.com/g/syzkaller-bugs/c/VbHoSsBz0hk/m/cOxOoTgPCAAJ
> >> >
> >> > but perhaps you can give a summary of the event sequence that causes
> >> > the bug? Is it that the call:
> >> >
> >> > setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd,
> >> > &(0x7f0000000000)='cdg\x00', 0x4)
> >> >
> >> > initializes the CC and happens before the connection is established,
> >> > and then when the connection is established, the line that sets:
> >> > icsk->icsk_ca_initialized = 0;
> >> > is incorrect, causing the CC to be initialized again without first
> >> > calling the cleanup code that deallocates the CDG-allocated memory?
> >> >
> >> > thanks,
> >> > neal
> >> >
> >>
> >> Hi Neal,
> >>
> >> The gdb stack trace that led to init_transfer_input() is as below; the
> >> current sock state is TCP_SYN_RECV.
> >
> >Thanks. That makes sense as a snapshot of time for
> >tcp_init_transfer(), but I think what would be more useful would be a
> >description of the sequence of events, including when the CC was
> >initialized previous to that point (as noted above, was it that the
> >setsockopt(TCP_CONGESTION) completed before that point?).
> >
> >thanks,
> >neal
>
> I resent my message because I accidentally used HTML format in the last one. I am very sorry for the inconvenience caused.
> ---
> Yes, the CC had been initialized by the setsockopt; after that, it was initialized again in function tcp_init_transfer() because of setting icsk_ca_initialized to 0.

"the setsockopt" is rather vague, sorry.

The hard part is that all scenarios have to be considered.

TCP flows can be either passive or active.

CC can be set:

1) Before the connect() or accept()
2) After the connect() or accept()
3) After the connect() but before the 3WHS is completed.

So we need to make sure all cases will still work with any combination of CDG CC (before/after) in the picture.

Note that a memory leak for a restricted CC (CDG can only be used by a CAP_NET_ADMIN privileged user) is a small problem compared to a more serious bug that could be added by an incomplete fix.

I also note that if icsk_ca_priv was increased from 104 to 120 bytes, tcp_cdg would no longer need a dynamic memory allocation.

Thank you.
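The three timings Eric lists, as an added user-space model of the CC init lifecycle (example code written for this page; it is not kernel code and not the patch under discussion). It runs one active-open flow with CDG selected before connect(), after the connection is established, or between connect() and the end of the 3WHS, once against an init_transfer that clears the initialized flag first and once against a variant that simply trusts the flag, and reports how many CC allocations are still live after close(). The struct layout, the allocation counter, the deferred-init rule in set_congestion_control and the "guarded" variant are assumptions made for the illustration; the kernel's eventual fix is not reproduced, and the passive (accept()) side is not modelled.

```c
/* Added example: a user-space model of the CC init lifecycle discussed in
 * this thread. NOT kernel code and NOT the patch under review: the struct
 * layout, the allocation counter, the state machine and the "guarded"
 * init_transfer variant are assumptions made for illustration only. */
#include <stdio.h>
#include <stdlib.h>

enum tcp_state { TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, TCP_SYN_RECV, TCP_ESTABLISHED };
struct sock;
struct ca_ops {
    void (*init)(struct sock *sk);    /* may allocate per-socket state, as CDG does */
    void (*release)(struct sock *sk); /* must free what init allocated */
};
struct sock {
    enum tcp_state state;
    const struct ca_ops *ca_ops;
    int ca_initialized;               /* stands in for icsk->icsk_ca_initialized */
    void *ca_priv_dyn;                /* stands in for CDG's dynamic allocation */
};

static int live_allocs;               /* model's leak detector: live CC allocations */

static void cdg_init(struct sock *sk)
{
    /* A second init with no release in between overwrites this pointer and
     * loses the first allocation: that is the leak reported by syzbot. */
    sk->ca_priv_dyn = calloc(8, sizeof(int));
    live_allocs++;
}
static void cdg_release(struct sock *sk)
{
    free(sk->ca_priv_dyn);
    sk->ca_priv_dyn = NULL;
    live_allocs--;
}
static const struct ca_ops cdg_ops  = { cdg_init, cdg_release };
static const struct ca_ops reno_ops = { NULL, NULL };   /* no private state */

static void init_congestion_control(struct sock *sk)
{
    if (sk->ca_ops->init)
        sk->ca_ops->init(sk);
    sk->ca_initialized = 1;
}
static void cleanup_congestion_control(struct sock *sk)
{
    if (sk->ca_ops->release)
        sk->ca_ops->release(sk);
}
/* setsockopt(TCP_CONGESTION) in the model (assumption): release the old CC,
 * install the new one, init it at once only if the socket is in flight. */
static void set_congestion_control(struct sock *sk, const struct ca_ops *ca)
{
    cleanup_congestion_control(sk);
    sk->ca_ops = ca;
    if (sk->state != TCP_CLOSE && sk->state != TCP_LISTEN)
        init_congestion_control(sk);
}
/* The behaviour the thread describes: clearing the flag defeats the guard,
 * so a CC initialised during the handshake is initialised again, unreleased. */
static void init_transfer_buggy(struct sock *sk)
{
    sk->state = TCP_ESTABLISHED;
    sk->ca_initialized = 0;           /* the line the patch subject refers to */
    if (!sk->ca_initialized)
        init_congestion_control(sk);
}
/* Variant that trusts the flag: one shape a fix could take, not the kernel's. */
static void init_transfer_guarded(struct sock *sk)
{
    sk->state = TCP_ESTABLISHED;
    if (!sk->ca_initialized)
        init_congestion_control(sk);
}

enum { SET_BEFORE_CONNECT = 1, SET_AFTER_ESTABLISHED = 2, SET_DURING_HANDSHAKE = 3 };

/* One active-open flow with CDG selected at the requested point (cases 1-3).
 * Returns live CC allocations after close(): 0 is correct, >0 is a leak,
 * -1 means the CC ended up unusable (the regression an incomplete fix risks). */
static int run_active_flow(int when, int use_guarded)
{
    struct sock sk = { TCP_CLOSE, &reno_ops, 0, NULL };
    live_allocs = 0;
    if (when == SET_BEFORE_CONNECT)
        set_congestion_control(&sk, &cdg_ops);
    sk.state = TCP_SYN_SENT;                         /* connect(): SYN sent */
    if (when == SET_DURING_HANDSHAKE)
        set_congestion_control(&sk, &cdg_ops);
    if (use_guarded)                                 /* SYN-ACK arrives, 3WHS done */
        init_transfer_guarded(&sk);
    else
        init_transfer_buggy(&sk);
    if (when == SET_AFTER_ESTABLISHED)
        set_congestion_control(&sk, &cdg_ops);
    if (!sk.ca_initialized || sk.ca_ops != &cdg_ops || !sk.ca_priv_dyn)
        return -1;
    cleanup_congestion_control(&sk);                 /* close(): release runs once */
    return live_allocs;
}

int main(void)
{
    int when;
    for (when = SET_BEFORE_CONNECT; when <= SET_DURING_HANDSHAKE; when++)
        printf("case %d: buggy leaks %d, guarded leaks %d\n", when,
               run_active_flow(when, 0), run_active_flow(when, 1));
    return 0;
}
```

Only case 3 leaks with the flag-clearing variant; cases 1 and 2 stay correct under both variants, which is the "all cases still work" check Eric asks for, and a -1 result from any case is the regression an incomplete fix must not introduce.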