From: Mat Martineau
To: mptcp@lists.linux.dev
Cc: Mat Martineau, pabeni@redhat.com, syzbot+bc9e2d2dbcb347dd215a@syzkaller.appspotmail.com
Subject: [PATCH mptcp-net] mptcp: Check reclaim amount before reducing allocation
Date: Wed, 5 Jan 2022 17:15:06 -0800
Message-Id: <20220106011506.151063-1-mathew.j.martineau@linux.intel.com>

syzbot found a page counter underflow that was triggered by MPTCP's
reclaim code:

page_counter underflow: -4294964789 nr_pages=4294967295
WARNING: CPU: 2 PID: 3785 at mm/page_counter.c:56 page_counter_cancel+0xcf/0xe0 mm/page_counter.c:56
Modules linked in:
CPU: 2 PID: 3785 Comm: kworker/2:6 Not tainted 5.16.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:page_counter_cancel+0xcf/0xe0 mm/page_counter.c:56
Code: c7 04 24 00 00 00 00 45 31 f6 eb 97 e8 2a 2b b5 ff 4c 89 ea 48 89 ee 48 c7 c7 00 9e b8 89 c6 05 a0 c1 ba 0b 01 e8 95 e4 4b 07 <0f> 0b eb a8 4c 89 e7 e8 25 5a fb ff eb c7 0f 1f 00 41 56 41 55 49
RSP: 0018:ffffc90002d4f918 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff88806a494120 RCX: 0000000000000000
RDX: ffff8880688c41c0 RSI: ffffffff815e8f28 RDI: fffff520005a9f15
RBP: ffffffff000009cb R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815e2cfe R11: 0000000000000000 R12: ffff88806a494120
R13: 00000000ffffffff R14: 0000000000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2de21000 CR3: 000000005ad59000 CR4: 0000000000150ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 page_counter_uncharge+0x2e/0x60 mm/page_counter.c:160
 drain_stock+0xc1/0x180 mm/memcontrol.c:2219
 refill_stock+0x139/0x2f0 mm/memcontrol.c:2271
 __sk_mem_reduce_allocated+0x24d/0x550 net/core/sock.c:2945
 __mptcp_rmem_reclaim net/mptcp/protocol.c:167 [inline]
 __mptcp_mem_reclaim_partial+0x124/0x410 net/mptcp/protocol.c:975
 mptcp_mem_reclaim_partial net/mptcp/protocol.c:982 [inline]
 mptcp_alloc_tx_skb net/mptcp/protocol.c:1212 [inline]
 mptcp_sendmsg_frag+0x18c6/0x2190 net/mptcp/protocol.c:1279
 __mptcp_push_pending+0x232/0x720 net/mptcp/protocol.c:1545
 mptcp_release_cb+0xfe/0x200 net/mptcp/protocol.c:2975
 release_sock+0xb4/0x1b0 net/core/sock.c:3306
 mptcp_worker+0x51e/0xc10 net/mptcp/protocol.c:2443
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

__mptcp_mem_reclaim_partial() could call __mptcp_rmem_reclaim() with a
negative value, which passed that negative value to
__sk_mem_reduce_allocated() and triggered the splat above.

Check for a reclaim amount that is positive and large enough for
__mptcp_rmem_reclaim() to actually adjust rmem_fwd_alloc (much like
the sk_mem_reclaim_partial() code the function is based on).

Fixes: 6511882cdd82 ("mptcp: allocate fwd memory separately on the rx and tx path")
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/252
Cc: pabeni@redhat.com
Reported-and-tested-by: syzbot+bc9e2d2dbcb347dd215a@syzkaller.appspotmail.com
Signed-off-by: Mat Martineau
---
 net/mptcp/protocol.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index fccfa65517da..98a173e40561 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c 
@@ -967,7 +967,9 @@ static void __mptcp_mem_reclaim_partial(struct sock *sk) =20 lockdep_assert_held_once(&sk->sk_lock.slock); =20 - __mptcp_rmem_reclaim(sk, reclaimable - 1); + if (reclaimable >=3D SK_MEM_QUANTUM) + __mptcp_rmem_reclaim(sk, reclaimable - 1); + sk_mem_reclaim_partial(sk); } =20 base-commit: 9478f9d57df23cfa5caa4317e75a6efe6e782ab3 --=20 2.34.1
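
Review bot: the new "reclaimable >= SK_MEM_QUANTUM" test in __mptcp_mem_reclaim_partial() only rejects the negative amounts described in the commit message if the comparison is evaluated as signed, and the declaration of reclaimable is outside the context shown in this hunk. Please confirm that reclaimable is a signed int and that SK_MEM_QUANTUM does not promote the comparison to unsigned; otherwise a negative value would compare as a very large one and still reach __mptcp_rmem_reclaim(sk, reclaimable - 1). A one-line comment above the check saying why amounts below one quantum are skipped, and why the call passes reclaimable - 1 rather than reclaimable, would keep the guard from being simplified away later.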