linux/net/ipv4
Kuniyuki Iwashima 45c8a6cc2b tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk
in the TCP_ESTABLISHED state. [0]

syzbot reused the server-side TCP Fast Open socket as a new client before
the TFO socket completes the 3WHS:

  1. accept()
  2. connect(AF_UNSPEC)
  3. connect() to another destination

As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes
it to TCP_CLOSE and makes connect() possible, which restarts timers.

Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the
retransmit timer triggered the warning and the intended packet was not
retransmitted.

Let's call reqsk_fastopen_remove() in tcp_disconnect().

[0]:
WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Modules linked in:
CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))
Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e
RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293
RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017
RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400
RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8
R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540
R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0
FS:  0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0
Call Trace:
 <IRQ>
 tcp_write_timer (net/ipv4/tcp_timer.c:738)
 call_timer_fn (kernel/time/timer.c:1747)
 __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)
 timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)
 tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)
 __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))
 tmigr_handle_remote (kernel/time/timer_migration.c:1096)
 handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)
 irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)
 sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))
 </IRQ>

Fixes: 8336886f78 ("tcp: TCP Fast Open Server - support TFO listeners")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250915175800.118793-2-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-09-17 16:01:52 -07:00
netfilter netfilter: nf_reject: don't leak dst refcount for loopback packets 2025-08-21 10:02:00 -07:00
Kconfig net: Retire DCCP socket. 2025-04-11 18:58:10 -07:00
Makefile
af_inet.c net: Retire DCCP socket. 2025-04-11 18:58:10 -07:00
ah4.c
arp.c neighbour: Update pneigh_entry in pneigh_create(). 2025-07-17 16:25:22 -07:00
bpf_tcp_ca.c tcp: Pass flags to __tcp_send_ack 2025-03-17 13:56:38 +00:00
cipso_ipv4.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
datagram.c net: dst: annotate data-races around dst->obsolete 2025-07-02 14:32:29 -07:00
devinet.c ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() 2025-09-03 16:58:44 -07:00
esp4.c espintcp: remove encap socket caching to avoid reference leak 2025-04-14 11:59:17 +02:00
esp4_offload.c xfrm: Add an inbound percpu state cache. 2024-10-29 11:56:18 +01:00
fib_frontend.c net: s/dev_get_flags/netif_get_flags/ 2025-07-18 17:27:47 -07:00
fib_lookup.h
fib_notifier.c net: do not acquire rtnl in fib_seq_sum() 2024-10-11 15:35:05 -07:00
fib_rules.c ipv4: fib_rules: Add DSCP mask matching 2025-02-21 16:08:47 -08:00
fib_semantics.c net: s/dev_get_flags/netif_get_flags/ 2025-07-18 17:27:47 -07:00
fib_trie.c ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config(). 2025-03-03 15:04:11 -08:00
fou_bpf.c
fou_core.c fou: fix initialization of grc 2024-09-09 17:21:47 -07:00
fou_nl.c tools: ynl-gen: use big-endian netlink attribute types 2024-10-22 15:33:24 +02:00
fou_nl.h
gre_demux.c net: ip_gre: Fix spelling mistake "demultiplexor" -> "demultiplexer" 2025-04-24 18:20:40 -07:00
gre_offload.c
icmp.c icmp: fix icmp_ndo_send address translation for reply direction 2025-09-01 12:54:41 -07:00
igmp.c ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] 2025-07-02 14:32:30 -07:00
igmp_internal.h netlink: support dumping IPv4 multicast addresses 2025-02-11 11:26:53 +01:00
inet_connection_sock.c tcp: remove inet_rtx_syn_ack() 2025-06-27 15:34:19 -07:00
inet_diag.c net: remove sock_i_uid() 2025-06-23 17:04:03 -07:00
inet_fragment.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
inet_hashtables.c net: remove sock_i_uid() 2025-06-23 17:04:03 -07:00
inet_timewait_sock.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
inetpeer.c inetpeer: use EXPORT_IPV6_MOD[_GPL]() 2025-02-14 13:09:39 -08:00
ip_forward.c
ip_fragment.c ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] 2025-07-02 14:32:30 -07:00
ip_gre.c ipv4: ip_tunnel: Convert ip_tunnel_delete_nets() callers to ->exit_rtnl(). 2025-04-14 17:08:42 -07:00
ip_input.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-04 08:03:18 +02:00
ip_options.c net: ip: make ip_route_input() return drop reasons 2024-11-12 11:24:51 +01:00
ip_output.c net: Add locking to protect skb->dev access in ip_output 2025-08-01 15:17:52 -07:00
ip_sockglue.c Networking changes for 6.14. 2025-01-22 08:28:57 -08:00
ip_tunnel.c net: ipv4: Add a flags argument to iptunnel_xmit(), udp_tunnel_xmit_skb() 2025-06-17 18:18:44 -07:00
ip_tunnel_core.c tunnels: reset the GSO metadata before reusing the skb 2025-09-09 13:03:33 +02:00
ip_vti.c ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] 2025-07-02 14:32:30 -07:00
ipcomp.c xfrm: delete x->tunnel as we delete x 2025-07-08 13:28:27 +02:00
ipconfig.c net: ipconfig: convert timeouts to secs_to_jiffies() 2025-07-09 19:25:01 -07:00
ipip.c ipv4: ip_tunnel: Convert ip_tunnel_delete_nets() callers to ->exit_rtnl(). 2025-04-14 17:08:42 -07:00
ipmr.c net: s/dev_get_port_parent_id/netif_get_port_parent_id/ 2025-07-18 17:27:46 -07:00
ipmr_base.c ipmr: do not call mr_mfc_uses_dev() for unres entries 2025-01-23 07:08:13 -08:00
metrics.c
netfilter.c ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] 2025-07-02 14:32:30 -07:00
netlink.c
nexthop.c net: s/dev_get_flags/netif_get_flags/ 2025-07-18 17:27:47 -07:00
ping.c net: remove sock_i_uid() 2025-06-23 17:04:03 -07:00
proc.c tcp: add LINUX_MIB_BEYOND_WINDOW 2025-07-14 18:41:42 -07:00
protocol.c
raw.c net: remove sock_i_uid() 2025-06-23 17:04:03 -07:00
raw_diag.c
route.c net: ipv4: fix regression in local-broadcast routes 2025-08-28 10:52:30 +02:00
syncookies.c net: annotate races around sk->sk_uid 2025-06-23 17:04:03 -07:00
sysctl_net_ipv4.c tcp: add tcp_rto_max_ms sysctl 2025-02-11 13:08:00 +01:00
tcp.c tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). 2025-09-17 16:01:52 -07:00
tcp_ao.c net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR 2025-09-14 12:49:53 -07:00
tcp_bbr.c
tcp_bic.c
tcp_bpf.c tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. 2025-09-10 06:53:56 -07:00
tcp_cdg.c
tcp_cong.c tcp: only release congestion control if it has been initialized 2024-10-31 18:22:48 -07:00
tcp_cubic.c tcp_cubic: fix incorrect HyStart round start detection 2025-01-20 12:26:41 +00:00
tcp_dctcp.c tcp: helpers for ECN mode handling 2025-03-17 13:54:11 +00:00
tcp_dctcp.h tcp: Pass flags to __tcp_send_ack 2025-03-17 13:56:38 +00:00
tcp_diag.c tcp: ulp: diag: more info without CAP_NET_ADMIN 2025-03-07 19:39:53 -08:00
tcp_fastopen.c ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] 2025-07-02 14:32:30 -07:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: do not increment BeyondWindow MIB for old seq 2025-07-22 18:21:15 -07:00
tcp_ipv4.c net: track pfmemalloc drops via SKB_DROP_REASON_PFMEMALLOC 2025-07-18 16:59:05 -07:00
tcp_lp.c
tcp_metrics.c ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] 2025-07-02 14:32:30 -07:00
tcp_minisocks.c tcp: remove inet_rtx_syn_ack() 2025-06-27 15:34:19 -07:00
tcp_nv.c
tcp_offload.c net: fix segmentation after TCP/UDP fraglist GRO 2025-07-17 10:01:02 +02:00
tcp_output.c tcp: trace retransmit failures in tcp_retransmit_skb 2025-07-22 18:19:11 -07:00
tcp_plb.c
tcp_rate.c
tcp_recovery.c tcp: update the outdated ref draft-ietf-tcpm-rack 2025-07-08 09:01:52 -07:00
tcp_scalable.c
tcp_sigpool.c
tcp_timer.c tcp: remove inet_rtx_syn_ack() 2025-06-27 15:34:19 -07:00
tcp_ulp.c
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tunnel4.c
udp.c net: track pfmemalloc drops via SKB_DROP_REASON_PFMEMALLOC 2025-07-18 16:59:05 -07:00
udp_bpf.c
udp_diag.c
udp_impl.h udp: move udp_memory_allocated into net_aligned_data 2025-07-02 14:22:02 -07:00
udp_offload.c udp: also consider secpath when evaluating ipsec use for checksumming 2025-08-07 08:07:15 +02:00
udp_tunnel_core.c udp_tunnel: remove rtnl_lock dependency 2025-06-18 18:53:51 -07:00
udp_tunnel_nic.c udp_tunnel: remove rtnl_lock dependency 2025-06-18 18:53:51 -07:00
udp_tunnel_stub.c
udplite.c udp: move udp_memory_allocated into net_aligned_data 2025-07-02 14:22:02 -07:00
xfrm4_input.c xfrm: Set transport header to fix UDP GRO handling 2025-07-02 09:19:56 +02:00
xfrm4_output.c ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] 2025-07-02 14:32:30 -07:00
xfrm4_policy.c xfrm: Convert struct xfrm_dst_lookup_params -> tos to dscp_t. 2024-11-06 12:42:51 +01:00
xfrm4_protocol.c ipv4: Convert ip_route_input_noref() to dscp_t. 2024-10-03 16:21:21 -07:00
xfrm4_state.c
xfrm4_tunnel.c