Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp4724330pxv; Tue, 6 Jul 2021 07:43:40 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx7eRIu2s9Q493NsC4GmGu2aDpihtn985NQkbakbjqSdqWd7bLn6OfuIsJK+zbLmFyMVubk X-Received: by 2002:aa7:c996:: with SMTP id c22mr23634573edt.374.1625582620099; Tue, 06 Jul 2021 07:43:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625582620; cv=none; d=google.com; s=arc-20160816; b=xyYlIqc9yRh8FZdtBe3THTYGd/79Fm1WONfqJFpw6t2iXpojnw5EUHlkzsAPtlSAAG lXiFmM33CiGD93duy97k4ZBNUsmVLKsYb6SPsDqUEWItZ0R6UW9TCBZAsSyh6jYq2C6c BS4X2OHRfhNiFQRvGgUbfVQ0e57qnpwREuD7nb+4Z34FIu5un+lyIcOb4qhNnhhKN1RJ tha4enEVMel0y8odpT5IcPvNeuZc0Wc1heVZdgqloSfPZfqWCtm2aXGlCiX+8bbWabR2 iVaJmLzJ8YDZOqgbghueqfpkq43GL1zyOP6D+5x5ZwQMMKLrJJaZbsg9Fyk74KMmqSM4 3fYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=JTSN/TsZ42ihyFJIr7SrTpDTYHBxd5pPWJlGP+shcyw=; b=OOjzEv4tLElE37krI+H5wO/ocj3I1cKLJ8nvqfCui+BSSDpgLiA/wiVxllJMDTK6fi R4n3P+ElqtOkr7zkELoC0FkTGhq3hXB4m/4pCHhGisp8/DF4/nKTwBJxcNgGzfM6LnEA V3Q0sCL/EErn352VzArjefwoS139YX7s3SLtk+/eKkyspy1p84fw9ydZNRmvW7NkIg6f YepZq318wjEgo8yy5YoN3ksExU8AGe/yF8qUjt5wB0GOHZtlvrbWz6j+bnqaBFxIJ3Hp ZJnno0aAD119BwvZRx1WN2fh2C7s0w6Q66aZkyfmigPxvifuLv1TPMMA/wHdndubl4By NPMQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=YAK+YCFd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g18si4715720edw.9.2021.07.06.07.43.16; Tue, 06 Jul 2021 07:43:40 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=YAK+YCFd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232533AbhGFOoG (ORCPT + 99 others); Tue, 6 Jul 2021 10:44:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33784 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232000AbhGFOnx (ORCPT ); Tue, 6 Jul 2021 10:43:53 -0400 Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 392F8C08EC37 for ; Tue, 6 Jul 2021 07:41:14 -0700 (PDT) Received: by mail-vs1-xe36.google.com with SMTP id az11so1712418vsb.1 for ; Tue, 06 Jul 2021 07:41:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JTSN/TsZ42ihyFJIr7SrTpDTYHBxd5pPWJlGP+shcyw=; b=YAK+YCFdhvDT27LvdTUG0jEZsORIgDDD1T1cNq5wMoOogkZ4FrhJge5A4Cx5NHW/j/ tlnqS8u76bv04yyu8b0Fo0rTNn4lNJShq1gtKsW6bWGNUb7+jqDauxhVpZ8eO38MCRkS o+4DqskC3HE8YdB0nYrwkUiQafHsLRRB+2IogRDM7saPS3ZijLB6rkRyyY5PF2VjMiCC N67du1djLw4xcL7Y50ia2FC51dcVvA3ePfTMX2YefWPQ80hqprwq5Fh3aPO7EUvW8OD0 jFe8zRKSO8/OAw/VE8I0DIEOpQYGapTdX2vzo+qN5lUFUxb0HUukDPDIGyYyQWAhm66s P1tw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JTSN/TsZ42ihyFJIr7SrTpDTYHBxd5pPWJlGP+shcyw=; b=DZUfpV6FU1WdP+zyYzPkqgw7C2shJQKnd1EHdxmJ/vwmtOgsxYhGnEs5PbHu/Ur/C/ wn4Q8QunKbuTfGczBHkQ+YwdAqoT+GUvsLYcu1iJh9v3ZP3WF4wE53O6A3oEGvgvFPNR pkxfZI3uHmUaehpi+CXLrUi4AI7OTa31uPel2/SsdrOm4EHjjXk5AimakGcg+Qhc2icN cLSjkXOsNCBbZp4gyQ0akO8i6HHT8nIOxIedMNtM9wJziudhaFsbxVKzl8bm/F4VgEFk iLu/5kK9gufr8GE6S9ENoaeI9oK8VHjbnLlyEzEhdYWfZ7IwAe85ZAN5VvsnC0UeIEb5 EYEA== X-Gm-Message-State: AOAM533zGLLnhRMY1vUPHEmeJ9aWF9uEZx9lfwXRk1IE2ACAKiL3N01A P5cEtuKxo2JrwYIMRhFJN8wXw5BCNOSj+bacF4yxxg== X-Received: by 2002:a67:f7c8:: with SMTP id a8mr9683316vsp.16.1625582473140; Tue, 06 Jul 2021 07:41:13 -0700 (PDT) MIME-Version: 1.0 References: <20210705231912.532186-1-phind.uet@gmail.com> In-Reply-To: <20210705231912.532186-1-phind.uet@gmail.com> From: Neal Cardwell Date: Tue, 6 Jul 2021 10:40:56 -0400 Message-ID: Subject: Re: [PATCH v6] tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized To: Nguyen Dinh Phi Cc: yhs@fb.com, edumazet@google.com, davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org, kuba@kernel.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org, ycheng@google.com, yyd@google.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 5, 2021 at 7:19 PM Nguyen Dinh Phi wrote: > > This commit fixes a bug (found by syzkaller) that could cause spurious > double-initializations for congestion control modules, which could cause > memory leaks or other problems for congestion control modules (like CDG) > that allocate memory in their init functions. > > The buggy scenario constructed by syzkaller was something like: > > (1) create a TCP socket > (2) initiate a TFO connect via sendto() > (3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION), > which calls: > tcp_set_congestion_control() -> > tcp_reinit_congestion_control() -> > tcp_init_congestion_control() > (4) receive ACK, connection is established, call tcp_init_transfer(), > set icsk_ca_initialized=0 (without first calling cc->release()), > call tcp_init_congestion_control() again. > > Note that in this sequence tcp_init_congestion_control() is called > twice without a cc->release() call in between. Thus, for CC modules > that allocate memory in their init() function, e.g, CDG, a memory leak > may occur. The syzkaller tool managed to find a reproducer that > triggered such a leak in CDG. > > The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init > congestion control if not initialized already") > introduced icsk_ca_initialized and set icsk_ca_initialized to 0 in > tcp_init_transfer(), missing the possibility for a sequence like the > one above, where a process could call setsockopt(TCP_CONGESTION) in > state TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()), > which would call tcp_init_congestion_control(). It did not intend to > reset any initialization that the user had already explicitly made; > it just missed the possibility of that particular sequence (which > syzkaller managed to find). > > Fixes: 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") > Reported-by: syzbot+f1e24a0594d4e3a895d3@syzkaller.appspotmail.com > Signed-off-by: Nguyen Dinh Phi > --- > V2: - Modify the Subject line. > - Adjust the commit message. > - Add Fixes: tag. > V3: - Fix netdev/verify_fixes format error. > V4: - Add blamed authors to receiver list. > V5: - Add comment about the congestion control initialization. > V6: - Fix typo in commit message. > net/ipv4/tcp_input.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c > index 7d5e59f688de..84c70843b404 100644 > --- a/net/ipv4/tcp_input.c > +++ b/net/ipv4/tcp_input.c > @@ -5922,8 +5922,8 @@ void tcp_init_transfer(struct sock *sk, int bpf_op, struct sk_buff *skb) > tp->snd_cwnd = tcp_init_cwnd(tp, __sk_dst_get(sk)); > tp->snd_cwnd_stamp = tcp_jiffies32; > > - icsk->icsk_ca_initialized = 0; > bpf_skops_established(sk, bpf_op, skb); > + /* Initialize congestion control unless BPF initialized it already: */ > if (!icsk->icsk_ca_initialized) > tcp_init_congestion_control(sk); > tcp_init_buffer_space(sk); > -- Acked-by: Neal Cardwell Tested-by: Neal Cardwell Looks good to me. Thanks for the fix! neal