This repository has been archived by the owner on Apr 18, 2024. It is now read-only.
Commit
mptcp: Don't allow TCP_REPAIR on MPTCP-sockets
Otherwise, we will panic:

[ 92.129564] kasan: CONFIG_KASAN_INLINE enabled
[ 92.130159] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 92.131089] general protection fault: 0000 [#1] SMP KASAN PTI
[ 92.132131] Modules linked in:
[ 92.132674] CPU: 1 PID: 1908 Comm: test Not tainted 4.14.104 #22
[ 92.133419] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
[ 92.134378] task: ffff88806bb32b00 task.stack: ffff8880694c8000
[ 92.135083] RIP: 0010:mptcp_established_options+0x12d/0x15e0
[ 92.135729] RSP: 0018:ffff8880694cf9a0 EFLAGS: 00010203
[ 92.136380] RAX: ffff88806bb32b00 RBX: ffff88805ff7d440 RCX: 0000000000000010
[ 92.137198] RDX: dffffc0000000000 RSI: ffff88806b55ec40 RDI: 0000000000000086
[ 92.137998] RBP: ffff8880694cfba8 R08: ffffed100d299f84 R09: ffff8880694cfba8
[ 92.138814] R10: 000000000000000f R11: ffffed100d299f83 R12: ffff8880694cfa28
[ 92.139665] R13: ffff888061fd7840 R14: ffff88806b55ec40 R15: 0000000000000000
[ 92.140512] FS: 00007f1708632440(0000) GS:ffff88806d080000(0000) knlGS:0000000000000000
[ 92.141465] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 92.142117] CR2: 0000000020000000 CR3: 000000005fd1e000 CR4: 00000000000006e0
[ 92.142927] Call Trace:
[ 92.143258] ? deactivate_slab.isra.58+0xd0/0x3b0
[ 92.143817] tcp_established_options+0x39a/0x550
[ 92.144400] ? tcp_fragment_tstamp+0x330/0x330
[ 92.144900] ? __alloc_skb+0xd6/0x500
[ 92.145380] ? init_object+0x34/0x90
[ 92.145787] __tcp_transmit_skb+0x29d/0x2a70
[ 92.146302] ? ___slab_alloc+0x464/0x4a0
[ 92.146772] ? tcp_make_synack+0x1000/0x1000
[ 92.147285] ? kasan_kmalloc+0xa0/0xd0
[ 92.147728] ? __kmalloc_node_track_caller+0x195/0x2d0
[ 92.148359] ? __alloc_skb+0xd6/0x500
[ 92.148766] ? __kmalloc_reserve.isra.41+0x79/0xd0
[ 92.149373] tcp_xmit_probe_skb+0x2f1/0x3a0
[ 92.149857] tcp_send_window_probe+0x113/0x140
[ 92.150421] do_tcp_setsockopt.isra.34+0x102a/0x21e0
[ 92.150963] ? tcp_get_info+0x1940/0x1940
[ 92.151478] ? selinux_netlbl_socket_setsockopt+0xf8/0x300
[ 92.152099] ? selinux_netlbl_sock_rcv_skb+0x3f0/0x3f0
[ 92.152680] ? SYSC_connect+0x1a1/0x290
[ 92.153139] tcp_setsockopt+0xaa/0xc0
[ 92.153575] SyS_setsockopt+0x126/0x200
[ 92.153986] ? SyS_recv+0x40/0x40
[ 92.154445] ? __do_page_fault+0x354/0xb00
[ 92.154881] ? mm_fault_error+0x2b0/0x2b0
[ 92.155408] ? SyS_recv+0x40/0x40
[ 92.155766] do_syscall_64+0x194/0x490
[ 92.156215] ? do_page_fault+0x2e/0x230
[ 92.156677] ? prepare_exit_to_usermode+0xbc/0x150
[ 92.157235] entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Let's just disable it for now. This is probably there since the initial merge that added TCP_REPAIR.

Fixes: d5a6537 ("Merge tag 'v3.5' into mptcp_trunk_3.5")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>