From: Mat Martineau
To: mptcp@lists.linux.dev
Cc: Mat Martineau, Paolo Abeni
Subject: [PATCH mptcp-net] mptcp: Correctly set DATA_FIN timeout when number of retransmits is large
Date: Fri, 11 Feb 2022 17:04:47 -0800
Message-Id: <20220212010447.119486-1-mathew.j.martineau@linux.intel.com>

Syzkaller with UBSAN uncovered a scenario where a large number of
DATA_FIN retransmits caused a shift-out-of-bounds in the DATA_FIN
timeout calculation:

================================================================================
UBSAN: shift-out-of-bounds in net/mptcp/protocol.c:470:29
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 1 PID: 13059 Comm: kworker/1:0 Not tainted 5.17.0-rc2-00630-g5fbf21c90c60 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events mptcp_worker
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:151
 __ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e lib/ubsan.c:330
 mptcp_set_datafin_timeout net/mptcp/protocol.c:470 [inline]
 __mptcp_retrans.cold+0x72/0x77 net/mptcp/protocol.c:2445
 mptcp_worker+0x58a/0xa70 net/mptcp/protocol.c:2528
 process_one_work+0x9df/0x16d0 kernel/workqueue.c:2307
 worker_thread+0x95/0xe10 kernel/workqueue.c:2454
 kthread+0x2f4/0x3b0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
================================================================================

This change limits the maximum timeout by limiting the size of the
shift, which keeps all intermediate values in-bounds.

Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/259
Fixes: 6477dd39e62c ("mptcp: Retransmit DATA_FIN")
Suggested-by: Paolo Abeni
Signed-off-by: Mat Martineau
Acked-by: Paolo Abeni
--- net/mptcp/protocol.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 3324e1c61576..a4171236091a 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -466,9 +466,12 @@ static bool mptcp_pending_data_fin(struct sock *sk, u6= 4 *seq) static void mptcp_set_datafin_timeout(const struct sock *sk) { struct inet_connection_sock *icsk =3D inet_csk(sk); + u32 retransmits; =20 - mptcp_sk(sk)->timer_ival =3D min(TCP_RTO_MAX, - TCP_RTO_MIN << icsk->icsk_retransmits); + retransmits =3D min_t(u32, icsk->icsk_retransmits, + ilog2(TCP_RTO_MAX / TCP_RTO_MIN)); + + mptcp_sk(sk)->timer_ival =3D TCP_RTO_MIN << retransmits; } =20 static void __mptcp_set_timeout(struct sock *sk, long tout) base-commit: d53f81f7e645a73fae92f7d44076cdd6b7f8501c --=20 2.35.1
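
Review bot: the clamp added in mptcp_set_datafin_timeout() lowers the timeout ceiling as well as bounding the shift, and the code carries no comment saying so. ilog2() rounds down, so unless TCP_RTO_MAX / TCP_RTO_MIN is an exact power of two, `TCP_RTO_MIN << retransmits` tops out below TCP_RTO_MAX, where the removed `min(TCP_RTO_MAX, ...)` capped at TCP_RTO_MAX exactly. A short comment above the min_t() call stating that the ceiling is the largest power-of-two multiple of TCP_RTO_MIN not exceeding TCP_RTO_MAX would record that this is intended and keep a later reader from reintroducing the unbounded shift while trying to restore the old cap.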