[5.10] mptcp: put subflow sock on connect error #175

Closed
matttbe opened this issue Mar 24, 2021 · 2 comments

matttbe commented Mar 24, 2021

An issue only visible in the v5.10 kernel has just been reported on netdev by Naresh Kamboju: https://lore.kernel.org/netdev/CA+G9fYvRM+9DmGuKM0ErDnrYBOmZ6zzmMkrWevMJqOzhejWwZg@mail.gmail.com/T/#u

From Naresh:

I have reported the following warnings and kernel crash on 5.10.26-rc2 [1].
The bisect for that issue pointed to this commit.

commit 460916534896e6d4f80a37152e0948db33376873
mptcp: put subflow sock on connect error

This problem is specific to 5.10.26-rc2.

Warning:

[ 1040.114695] refcount_t: addition on 0; use-after-free.
[ 1040.119857] WARNING: CPU: 3 PID: 31925 at
/usr/src/kernel/lib/refcount.c:25 refcount_warn_saturate+0xd7/0x100
[ 1040.129769] Modules linked in: act_mirred cls_u32 sch_netem sch_etf
ip6table_nat xt_nat iptable_nat nf_nat ip6table_filter xt_conntrack
nf_conntrack nf_defrag_ipv4 libcrc32c ip6_tables nf_defrag_ipv6 sch_fq
iptable_filter xt_mark ip_tables cls_bpf sch_ingress algif_hash
x86_pkg_temp_thermal fuse [last unloaded: test_blackhole_dev]
[ 1040.159030] CPU: 3 PID: 31925 Comm: mptcp_connect Tainted: G
W     K   5.10.26-rc2 #1
[ 1040.167459] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
2.2 05/23/2018
[ 1040.174851] RIP: 0010:refcount_warn_saturate+0xd7/0x100

And

Kernel Panic:

[ 1069.557485] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 1069.564446] #PF: supervisor read access in kernel mode
[ 1069.569583] #PF: error_code(0x0000) - not-present page
[ 1069.574714] PGD 0 P4D 0
[ 1069.577246] Oops: 0000 [#1] SMP PTI
[ 1069.580730] CPU: 1 PID: 17 Comm: ksoftirqd/1 Tainted: G        W
 K   5.10.26-rc2 #1
[ 1069.588719] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
2.2 05/23/2018
[ 1069.596106] RIP: 0010:selinux_socket_sock_rcv_skb+0x3f/0x290
...
[ 1069.961697] Kernel panic - not syncing: Fatal exception in interrupt
[ 1069.968083] Kernel Offset: 0x18600000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)

steps to reproduce:

      - cd /opt/kselftests/mainline/net/mptcp
      - ./mptcp_join.sh  || true

Reported-by: Naresh Kamboju @linaro.org

crash test link:
https://lkft.validation.linaro.org/scheduler/job/2436164

Revert this commit and test job:
https://lkft.validation.linaro.org/scheduler/job/2437401#L1207

@matttbe matttbe added the bug label Mar 24, 2021
@matttbe matttbe added this to the v5.10.y milestone Mar 24, 2021
@matttbe matttbe added this to Needs triage in MPTCP Bugs via automation Mar 24, 2021
matttbe commented Mar 24, 2021

As mentioned by Florian, the commit that is being backported is fixing another that is not in v5.10: 5b950ff ("mptcp: link MPC subflow into msk only after accept")

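As an added illustration (not kernel code, and not the real mptcp call flow), the toy below models the refcount_t checks that turn an unbalanced put into the "addition on 0; use-after-free" warning seen above: when the commit that took the matching reference is absent from the tree, the backported put frees the sock early.

```c
/* Added example, not kernel code: a toy model of refcount_t's saturation
 * checks (the kind done in lib/refcount.c) showing why a put that has no
 * matching hold surfaces as "refcount_t: addition on 0; use-after-free".
 * The hold/put sequences are constructed, not the real mptcp call flow. */
#include <stdbool.h>

enum refcount_warn { REFCOUNT_OK = 0, REFCOUNT_ADD_UAF, REFCOUNT_SUB_UAF };

struct sock_model {
    int refcnt;                 /* stands in for sk->sk_refcnt */
    bool freed;                 /* set once the last reference is dropped */
    enum refcount_warn last_warn;
};

/* sock_hold(): incrementing from zero means the object was already freed. */
static void sock_hold_model(struct sock_model *sk)
{
    if (sk->refcnt == 0) { sk->last_warn = REFCOUNT_ADD_UAF; return; }
    sk->refcnt++;
}

/* sock_put(): dropping the last reference frees; dropping below zero is a UAF too. */
static void sock_put_model(struct sock_model *sk)
{
    if (sk->refcnt == 0) { sk->last_warn = REFCOUNT_SUB_UAF; return; }
    if (--sk->refcnt == 0) sk->freed = true;
}

/* Tree with the prerequisite commit: a reference was taken earlier, so the
 * put on connect error balances it and the owner's reference survives. */
enum refcount_warn connect_error_with_prerequisite(void)
{
    struct sock_model sk = { .refcnt = 1 };   /* owner's reference */
    sock_hold_model(&sk);   /* extra reference taken by the earlier commit */
    sock_put_model(&sk);    /* the backported fix: put on connect error */
    sock_put_model(&sk);    /* owner drops its reference at teardown */
    return sk.last_warn;
}

/* v5.10 backport without it: no extra reference exists, so the same put
 * frees the sock early and a later hold trips the "addition on 0" check. */
enum refcount_warn connect_error_v510_backport(void)
{
    struct sock_model sk = { .refcnt = 1 };
    sock_put_model(&sk);    /* unmatched put: refcount hits 0, sock freed */
    sock_hold_model(&sk);   /* later use of the freed sock */
    return sk.last_warn;
}
```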
matttbe commented Mar 24, 2021

It was confirmed to be a backport issue.

@matttbe matttbe closed this as completed Mar 24, 2021
MPTCP Bugs automation moved this from Needs triage to Closed Mar 24, 2021
jenkins-tessares pushed a commit that referenced this issue Feb 10, 2023
If a relocatable kernel is loaded at a non-zero address and told not to
relocate to zero (kdump or RELOCATABLE_TEST), the mapping of the
interrupt code at zero is left with RWX permissions.

That is a security weakness, and leads to a warning at boot if
CONFIG_DEBUG_WX is enabled:

  powerpc/mm: Found insecure W+X mapping at address 00000000056435bc/0xc000000000000000
  WARNING: CPU: 1 PID: 1 at arch/powerpc/mm/ptdump/ptdump.c:193 note_page+0x484/0x4c0
  CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc1-00001-g8ae8e98aea82-dirty #175
  Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,git-dd0dca hv:linux,kvm pSeries
  NIP:  c0000000004a1c34 LR: c0000000004a1c30 CTR: 0000000000000000
  REGS: c000000003503770 TRAP: 0700   Not tainted  (6.2.0-rc1-00001-g8ae8e98aea82-dirty)
  MSR:  8000000002029033 <SF,VEC,EE,ME,IR,DR,RI,LE>  CR: 24000220  XER: 00000000
  CFAR: c000000000545a58 IRQMASK: 0
  ...
  NIP note_page+0x484/0x4c0
  LR  note_page+0x480/0x4c0
  Call Trace:
    note_page+0x480/0x4c0 (unreliable)
    ptdump_pmd_entry+0xc8/0x100
    walk_pgd_range+0x618/0xab0
    walk_page_range_novma+0x74/0xc0
    ptdump_walk_pgd+0x98/0x170
    ptdump_check_wx+0x94/0x100
    mark_rodata_ro+0x30/0x70
    kernel_init+0x78/0x1a0
    ret_from_kernel_thread+0x5c/0x64

The fix has two parts. Firstly the pages from zero up to the end of
interrupts need to be marked read-only, so that they are left with R-X
permissions. Secondly the mapping logic needs to be taught to ensure
there is a page boundary at the end of the interrupt region, so that the
permission change only applies to the interrupt text, and not the region
following it.

Fixes: c55d7b5 ("powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE")
Reported-by: Sachin Sant <sachinp@linux.ibm.com>
Tested-by: Sachin Sant <sachinp@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20230110124753.1325426-2-mpe@ellerman.id.au
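The two-part fix described in that commit message, modelled on a toy mapping table as an added example (this is not the kernel's mapping code; page size, addresses and the interrupt-region end are constructed assumptions): permissions are applied per page, so without a page boundary at the end of the interrupt text the R-X change would either leak into the memory that follows or leave the interrupt pages RWX.

```c
/* Added example, not the kernel's code: a toy mapping table that models the
 * two-part fix in the commit message. Page size, addresses and the
 * interrupt-region end are constructed assumptions. */
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE 0x10000UL   /* assumed 64K pages */
#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u
#define MAX_MAPS 8
struct mapping { uint64_t start, end; unsigned perm; };
struct mapping maps[MAX_MAPS];
size_t nmaps;

/* Pre-fix state: one coarse RWX mapping from zero covers the interrupt text
 * and the ordinary memory that follows it. */
void reset_prefix_state(void)
{
    maps[0] = (struct mapping){ 0x0, 0x200000, PERM_R | PERM_W | PERM_X };
    nmaps = 1;
}

/* What a CONFIG_DEBUG_WX walk flags: ranges that are both W and X. */
int count_wx_mappings(void)
{
    int n = 0;
    for (size_t i = 0; i < nmaps; i++)
        if ((maps[i].perm & (PERM_W | PERM_X)) == (PERM_W | PERM_X))
            n++;
    return n;
}
static uint64_t page_align_up(uint64_t a) { return (a + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1); }

/* Part two: split the mapping that spans the end of the interrupt region so a
 * page boundary exists there. Part one: the piece below the boundary loses W
 * (R-X); the piece above is ordinary memory mapped RW. Returns the boundary. */
uint64_t protect_interrupt_region(uint64_t interrupt_end)
{
    uint64_t boundary = page_align_up(interrupt_end);
    for (size_t i = 0; i < nmaps; i++) {
        if (maps[i].start != 0)
            continue;
        if (maps[i].end > boundary && nmaps < MAX_MAPS) {
            maps[nmaps++] = (struct mapping){ boundary, maps[i].end, PERM_R | PERM_W };
            maps[i].end = boundary;
        }
        maps[i].perm &= ~PERM_W;  /* interrupt text is now R-X */
    }
    return boundary;
}
```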