
[syzkaller] WARNING in mptcp_token_destroy_request #130

Closed
cpaasch opened this issue Dec 14, 2020 · 6 comments

cpaasch commented Dec 14, 2020

TCP: request_sock_subflow: Possible SYN flooding on port 20000. Sending cookies.  Check SNMP counters.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 16156 at net/mptcp/token.c:354 mptcp_token_destroy_request+0x2cb/0x360 net/mptcp/token.c:354
Modules linked in:
CPU: 1 PID: 16156 Comm: syz-executor.7 Not tainted 5.10.0-rc6 #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mptcp_token_destroy_request+0x2cb/0x360 net/mptcp/token.c:354
Code: 04 01 e8 38 80 85 fe 4c 89 ff e8 20 83 0d 00 5b 5d 41 5c 41 5d 41 5e 41 5f e9 21 80 85 fe 31 db e9 a8 fe ff ff e8 15 80 85 fe <0f> 0b eb d4 48 89 ef e8 e9 10 ad fe e9 93 fd ff ff 48 89 ef e8 dc
RSP: 0018:ffffc90000140710 EFLAGS: 00010246
RAX: ffff8880162b2ac0 RBX: 0000000000000000 RCX: ffffffff82afa2b6
RDX: 0000000000000000 RSI: ffffffff82afa48b RDI: 0000000000000005
RBP: 0000000000000001 R08: ffff8880162b2ac0 R09: fffff520000280d8
R10: 0000000000000003 R11: fffff520000280d7 R12: 0000000000831500
R13: dffffc0000000000 R14: ffff8881068d6d80 R15: ffff888101ac7800
FS:  00007f5db4503700(0000) GS:ffff88811b500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 000000003a637005 CR4: 0000000000170ee0
Call Trace:
 <IRQ>
 subflow_req_destructor+0xa7/0x120 net/mptcp/subflow.c:42
 __reqsk_free include/net/request_sock.h:117 [inline]
 tcp_conn_request+0x2480/0x2df0 net/ipv4/tcp_input.c:6883
 subflow_v4_conn_request net/mptcp/subflow.c:418 [inline]
 subflow_v4_conn_request+0x9b/0x150 net/mptcp/subflow.c:408
 tcp_rcv_state_process+0x9e9/0x4ba0 net/ipv4/tcp_input.c:6332
 tcp_v4_do_rcv+0x343/0x8b0 net/ipv4/tcp_ipv4.c:1695
 tcp_v4_rcv+0x2667/0x2e60 net/ipv4/tcp_ipv4.c:2043
 ip_protocol_deliver_rcu+0x2b/0x200 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:409 [inline]
 ip_local_deliver+0x2da/0x390 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:447 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:414 [inline]
 NF_HOOK include/linux/netfilter.h:409 [inline]
 ip_rcv+0xef/0x140 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5305
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5419
 process_backlog+0x1e5/0x6e0 net/core/dev.c:6309
 napi_poll net/core/dev.c:6787 [inline]
 net_rx_action+0x3fa/0xe30 net/core/dev.c:6870
 __do_softirq+0x187/0x585 kernel/softirq.c:298
 asm_call_irq_on_stack+0x12/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x32/0x40 arch/x86/kernel/irq_64.c:77
 do_softirq.part.0+0x26/0x30 kernel/softirq.c:343
 do_softirq arch/x86/include/asm/preempt.h:26 [inline]
 __local_bh_enable_ip+0x46/0x50 kernel/softirq.c:195
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
 ip_finish_output2+0x71e/0x17e0 net/ipv4/ip_output.c:231
 __ip_finish_output+0x516/0x880 net/ipv4/ip_output.c:308
 dst_output include/net/dst.h:441 [inline]
 ip_local_out+0x18a/0x1f0 net/ipv4/ip_output.c:126
 __ip_queue_xmit+0x77c/0x1500 net/ipv4/ip_output.c:532
 __tcp_transmit_skb+0x2bed/0x36a0 net/ipv4/tcp_output.c:1405
 tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline]
 tcp_connect+0x24e9/0x3510 net/ipv4/tcp_output.c:3853
 tcp_v4_connect+0x1461/0x1ba0 net/ipv4/tcp_ipv4.c:312
 __inet_stream_connect+0x812/0xd50 net/ipv4/af_inet.c:664
 inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:728
 mptcp_stream_connect+0x161/0x790 net/mptcp/protocol.c:3188
 __sys_connect_file net/socket.c:1830 [inline]
 __sys_connect+0x268/0x2f0 net/socket.c:1847
 __do_sys_connect net/socket.c:1857 [inline]
 __se_sys_connect net/socket.c:1854 [inline]
 __x64_sys_connect+0x6f/0xb0 net/socket.c:1854
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f5db3e12469
Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
RSP: 002b:00007f5db4502dc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000069bf40 RCX: 00007f5db3e12469
RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 000000000069bf40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000069bf4c
R13: 00007ffcadca9cef R14: 000000000041556d R15: 0000000000000003

HEAD is at:
05cb27b ("DO-NOT-MERGE: mptcp: enabled by default") (HEAD, tag: export/20201209T060936, mptcp_net-next/export) (12 hours ago)
525593c ("DO-NOT-MERGE: mptcp: add GitHub Actions") (12 hours ago)
6aa8731 ("DO-NOT-MERGE: mptcp: use kmalloc on kasan build") (12 hours ago)
2227bfd ("mptcp: let MPTCP create max size skbs") (12 hours ago)
908c632 ("mptcp: pm: simplify select_local_address()") (12 hours ago)
a771b76 ("mptcp: parse and act on incoming FASTCLOSE option") (12 hours ago)
7dbc6b7 ("tcp: parse mptcp options contained in reset packets") (12 hours ago)
4598a67 ("mptcp: hold mptcp socket before calling tcp_done") (12 hours ago)
3630500 ("mptcp: use MPTCPOPT_HMAC_LEN macro") (12 hours ago)
905c00c ("selftests: mptcp: add the flush addrs testcase") (12 hours ago)
2d0de9b ("mptcp: remove address when netlink flushes addrs") (12 hours ago)
389cb8d ("mptcp: use the variable sk instead of open-coding") (12 hours ago)
62ad6da ("mptcp: rename add_addr_signal and mptcp_add_addr_status") (12 hours ago)
56607a9 ("mptcp: drop rm_addr_signal flag") (12 hours ago)
f561498 ("mptcp: print out port and ahmac when receiving ADD_ADDR") (12 hours ago)
faec918 ("mptcp: add port parameter for mptcp_pm_announce_addr") (12 hours ago)
1bab32f ("mptcp: send out dedicated packet for ADD_ADDR using port") (12 hours ago)
a7429bb ("mptcp: add the outgoing ADD_ADDR port support") (12 hours ago)
a8787a8 ("mptcp: use adding up size to get ADD_ADDR length") (12 hours ago)
1690597 ("mptcp: add port support for ADD_ADDR suboption writing") (12 hours ago)
4021cd8 ("mptcp: unify ADD_ADDR and ADD_ADDR6 suboptions writing") (12 hours ago)
0b86309 ("mptcp: unify ADD_ADDR and echo suboptions writing") (12 hours ago)
c855f89 ("bpf:selftests: add bpf_mptcp_sock() verifier tests") (12 hours ago)
0eaea54 ("bpf:selftests: add MPTCP test base") (12 hours ago)
eed59ab ("bpf: add 'bpf_mptcp_sock' structure and helper") (12 hours ago)
6dd1da9 ("mptcp: attach subflow socket to parent cgroup") (12 hours ago)
58a4d0c ("bpf: expose is_mptcp flag to bpf_tcp_sock") (12 hours ago)
d188dfe ("mptcp: be careful on subflows shutdown") (12 hours ago)
9910201 ("mptcp: plug subflow context memory leak") (12 hours ago)
ae1cd5e ("mptcp: link MPC subflow into msk only after accept") (12 hours ago)
afae3cc ("net: atheros: simplify the return expression of atl2_phy_setup_autoneg_adv()") (mptcp_net-next/net-next) (18 hours ago)

kernel-config:
CONFIG.txt


cpaasch commented Jan 21, 2021

Last seen on 01/14/2021. Keeping open for now.


cpaasch commented Jan 28, 2021

Closing.

@cpaasch cpaasch closed this as completed Jan 28, 2021
jenkins-tessares pushed a commit that referenced this issue Jan 29, 2021
A cleanup patch from my legacy timer series broke ia64 and led
to RCU stall errors and a fast system clock:

[  909.360108] INFO: task systemd-sysv-ge:200 blocked for more than 127 seconds.
[  909.360108]       Not tainted 5.10.0+ #130
[  909.360108] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  909.360108] task:systemd-sysv-ge state:D stack:    0 pid:  200 ppid:   189 flags:0x00000000
[  909.364108]
[  909.364108] Call Trace:
[  909.364423]  [<a00000010109b210>] __schedule+0x890/0x21e0
[  909.364423]                                 sp=e0000100487d7b70 bsp=e0000100487d1748
[  909.368423]  [<a00000010109cc00>] schedule+0xa0/0x240
[  909.368423]                                 sp=e0000100487d7b90 bsp=e0000100487d16e0
[  909.368558]  [<a00000010109ce70>] io_schedule+0x70/0xa0
[  909.368558]                                 sp=e0000100487d7b90 bsp=e0000100487d16c0
[  909.372290]  [<a00000010109e1c0>] bit_wait_io+0x20/0xe0
[  909.372290]                                 sp=e0000100487d7b90 bsp=e0000100487d1698
[  909.374168] rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
[  909.376290]  [<a00000010109d860>] __wait_on_bit+0xc0/0x1c0
[  909.376290]                                 sp=e0000100487d7b90 bsp=e0000100487d1648
[  909.374168] rcu:     3-....: (2 ticks this GP) idle=19e/1/0x4000000000000002 softirq=1581/1581 fqs=2
[  909.374168]  (detected by 0, t=5661 jiffies, g=1089, q=3)
[  909.376290]  [<a00000010109da80>] out_of_line_wait_on_bit+0x120/0x140
[  909.376290]                                 sp=e0000100487d7b90 bsp=e0000100487d1610
[  909.374168] Task dump for CPU 3:
[  909.374168] task:khungtaskd      state:R  running task

Revert most of my patch to make this work again, including the extra
update_process_times()/profile_tick() and the local_irq_enable() in the
loop that I expected not to be needed here.

I have not found out exactly what goes wrong, and would suggest that
someone with hardware access tries to convert this code into a singleshot
clockevent driver, which should give better behavior in all cases.

Reported-by: John Paul Adrian Glaubitz <[email protected]>
Fixes: 2b49ddc ("ia64: convert to legacy_timer_tick")
Cc: John Stultz <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Stephen Boyd <[email protected]>
Cc: Frederic Weisbecker <[email protected]>
Signed-off-by: Arnd Bergmann <[email protected]>

cpaasch commented Feb 3, 2021

Came back as well...

TCP: request_sock_subflow: Possible SYN flooding on port 20000. Sending cookies.  Check SNMP counters.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 22387 at net/mptcp/token.c:354 mptcp_token_destroy_request+0x2b0/0x330 net/mptcp/token.c:354
Modules linked in:
CPU: 1 PID: 22387 Comm: syz-executor.2 Not tainted 5.11.0-rc5d82d76887ec676c2e37b496f1e7d094f3f2507d6 #68
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mptcp_token_destroy_request+0x2b0/0x330 net/mptcp/token.c:354
Code: 04 01 e8 b3 4a 80 fe 4c 89 ff e8 db 1d 0e 00 5b 5d 41 5c 41 5d 41 5e 41 5f e9 9c 4a 80 fe 31 db e9 c3 fe ff ff e8 90 4a 80 fe <0f> 0b eb d4 48 89 ef e8 44 18 a8 fe e9 ae fd ff ff 48 89 ef e8 37
RSP: 0018:ffffc900001406c0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: ffff8881001cbb00 RSI: ffffffff82b59a10 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000003
R10: ffffffff82b59856 R11: 0000000000000001 R12: 00000000005c5300
R13: dffffc0000000000 R14: ffff888043ff8000 R15: ffff888101944800
FS:  00007fe2bf228700(0000) GS:ffff88811b500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 00000000282f4001 CR4: 0000000000170ee0
Call Trace:
 <IRQ>
 subflow_req_destructor+0xa7/0x120 net/mptcp/subflow.c:45
 __reqsk_free include/net/request_sock.h:117 [inline]
 tcp_conn_request+0x22a5/0x2e20 net/ipv4/tcp_input.c:6901
 subflow_v4_conn_request net/mptcp/subflow.c:462 [inline]
 subflow_v4_conn_request+0x9b/0x150 net/mptcp/subflow.c:452
 tcp_rcv_state_process+0x9bf/0x48f0 net/ipv4/tcp_input.c:6350
 tcp_v4_do_rcv+0x30e/0x860 net/ipv4/tcp_ipv4.c:1698
 tcp_v4_rcv+0x2490/0x2b40 net/ipv4/tcp_ipv4.c:2047
 ip_protocol_deliver_rcu+0x2b/0x200 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:409 [inline]
 ip_local_deliver+0x2bf/0x370 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:447 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:414 [inline]
 NF_HOOK include/linux/netfilter.h:409 [inline]
 ip_rcv+0xeb/0x140 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5332
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5446
 process_backlog+0x1ad/0x560 net/core/dev.c:6325
 napi_poll net/core/dev.c:6803 [inline]
 net_rx_action+0x3d6/0xe90 net/core/dev.c:6886
 __do_softirq+0x183/0x56f kernel/softirq.c:343
 asm_call_irq_on_stack+0x12/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x32/0x40 arch/x86/kernel/irq_64.c:77
 do_softirq kernel/softirq.c:246 [inline]
 do_softirq+0x5f/0x80 kernel/softirq.c:233
 __local_bh_enable_ip+0x46/0x50 kernel/softirq.c:196
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:737 [inline]
 ip_finish_output2+0x6d0/0x16f0 net/ipv4/ip_output.c:231
 __ip_finish_output+0x3bb/0x7c0 net/ipv4/ip_output.c:308
 dst_output include/net/dst.h:441 [inline]
 ip_local_out+0x184/0x1e0 net/ipv4/ip_output.c:126
 __ip_queue_xmit+0x77a/0x1500 net/ipv4/ip_output.c:532
 __tcp_transmit_skb+0x2a65/0x35e0 net/ipv4/tcp_output.c:1405
 tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline]
 tcp_connect+0x2a0b/0x3c20 net/ipv4/tcp_output.c:3856
 tcp_v4_connect+0x1437/0x1b90 net/ipv4/tcp_ipv4.c:312
 __inet_stream_connect+0x860/0xd90 net/ipv4/af_inet.c:664
 inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:728
 mptcp_stream_connect+0x161/0x790 net/mptcp/protocol.c:3200
 __sys_connect_file net/socket.c:1835 [inline]
 __sys_connect+0x276/0x2f0 net/socket.c:1852
 __do_sys_connect net/socket.c:1862 [inline]
 __se_sys_connect net/socket.c:1859 [inline]
 __x64_sys_connect+0x6e/0xb0 net/socket.c:1859
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fe2beb37469
Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
RSP: 002b:00007fe2bf227da8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000000002a RCX: 00007fe2beb37469
RDX: 0000000000000010 RSI: 0000000020000080 RDI: 0000000000000004
RBP: 000000000000002a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000069bf6c
R13: 00007ffc4317a31f R14: 00007fe2bf208000 R15: 0000000000000003

d82d76887ec6 ("mptcp: fix spurious retransmissions") (HEAD) (8 hours ago)
9c23f272d8c2 ("Eric's fix") (8 hours ago)
e2fe949 ("DO-NOT-MERGE: mptcp: enabled by default") (tag: export/20210202T061758, mptcp_net-next/export) (18 hours ago)
13b4d63 ("DO-NOT-MERGE: mptcp: add GitHub Actions") (18 hours ago)
c2c6844 ("DO-NOT-MERGE: mptcp: use kmalloc on kasan build") (18 hours ago)
6399d64 ("mptcp: add netlink event support") (18 hours ago)
cf6cac4 ("genetlink: add CAP_NET_ADMIN test for multicast bind") (18 hours ago)
875cda9 ("mptcp: avoid lock_fast usage in accept path") (18 hours ago)
d30f162 ("mptcp: pass subflow socket to a few helpers") (18 hours ago)
5ee34d5 ("mptcp: split __mptcp_close_ssk helper") (18 hours ago)
fbc8817 ("mptcp: move pm netlink work into pm_netlink") (18 hours ago)
77a274c ("mptcp: pm: add lockdep assertions") (18 hours ago)
e75bbfc ("selftests: mptcp: add command line arguments for mptcp_join.sh") (18 hours ago)
7b74dee ("selftests: mptcp: add testcases for ADD_ADDR with port") (18 hours ago)
7dad582 ("mptcp: add the mibs for ADD_ADDR with port") (18 hours ago)
fc67ce1 ("selftests: mptcp: add port argument for pm_nl_ctl") (18 hours ago)
4864e76 ("mptcp: deal with MPTCP_PM_ADDR_ATTR_PORT in PM netlink") (18 hours ago)
b99b4c0 ("mptcp: enable use_port when invoke addresses_equal") (18 hours ago)
6f9d0f9 ("mptcp: add port number check for MP_JOIN") (18 hours ago)
6f2398c ("mptcp: add a new helper subflow_req_create_thmac") (18 hours ago)
28985de ("mptcp: drop unused skb in subflow_token_join_request") (18 hours ago)
47c71c6 ("mptcp: create the listening socket for new port") (18 hours ago)
b8a22e0 ("selftests: mptcp: add testcases for newly added addresses") (18 hours ago)
5978f84 ("selftests: mptcp: use minus values for removing address numbers") (18 hours ago)
b8cda5a ("mptcp: send ack for every add_addr") (18 hours ago)
8333d08 ("mptcp: create subflow or signal addr for newly added address") (18 hours ago)
1031d4b ("mptcp: drop *_max fields in mptcp_pm_data") (18 hours ago)
bb2d333 ("mptcp: use WRITE_ONCE/READ_ONCE for the pernet *_max") (18 hours ago)
e2868c0 ("bpf:selftests: add bpf_mptcp_sock() verifier tests") (18 hours ago)
c681345 ("bpf:selftests: add MPTCP test base") (18 hours ago)
0bb29bf ("bpf: add 'bpf_mptcp_sock' structure and helper") (18 hours ago)
bc464f0 ("bpf: expose is_mptcp flag to bpf_tcp_sock") (18 hours ago)
d4a677f ("linux: handle MPTCP consistently with TCP") (18 hours ago)
2c87774 ("mptcp: fix length of MP_PRIO suboption") (18 hours ago)
9ae4bdc ("Merge branch 'rework-the-memory-barrier-for-scrq-entry'") (mptcp_net-next/net-next) (20 hours ago)

CONFIG:
CONFIG.txt

@cpaasch cpaasch reopened this Feb 3, 2021

matttbe commented Feb 6, 2021

Should be fixed by a patch from @pabeni , see the ML


cpaasch commented Feb 8, 2021

Yes - closing.

@cpaasch cpaasch closed this as completed Feb 8, 2021

matttbe commented Feb 8, 2021

Patch ref: 2195b45: mptcp: init mptcp request socket earlier

jenkins-tessares pushed a commit that referenced this issue Aug 14, 2023
LE Create CIS command shall not be sent before all CIS Established
events from its previous invocation have been processed. Currently it is
sent via hci_sync but that only waits for the first event, but there can
be multiple.

Make it wait for all events, and simplify the CIS creation as follows:

Add new flag HCI_CONN_CREATE_CIS, which is set if Create CIS has been
sent for the connection but it is not yet completed.

Make BT_CONNECT state to mean the connection wants Create CIS.

On events after which new Create CIS may need to be sent, send it if
possible and some connections need it. These events are:
hci_connect_cis, iso_connect_cfm, hci_cs_le_create_cis,
hci_le_cis_estabilished_evt.

The Create CIS status/completion events shall queue new Create CIS only
if at least one of the connections transitions away from BT_CONNECT, so
that we don't loop if controller is sending bogus events.

This fixes sending multiple CIS Create for the same CIS in the
"ISO AC 6(i) - Success" BlueZ test case:

< HCI Command: LE Create Co.. (0x08|0x0064) plen 9  #129 [hci0]
        Number of CIS: 2
        CIS Handle: 257
        ACL Handle: 42
        CIS Handle: 258
        ACL Handle: 42
> HCI Event: Command Status (0x0f) plen 4           #130 [hci0]
      LE Create Connected Isochronous Stream (0x08|0x0064) ncmd 1
        Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 29           #131 [hci0]
      LE Connected Isochronous Stream Established (0x19)
        Status: Success (0x00)
        Connection Handle: 257
        ...
< HCI Command: LE Setup Is.. (0x08|0x006e) plen 13  #132 [hci0]
        ...
> HCI Event: Command Complete (0x0e) plen 6         #133 [hci0]
      LE Setup Isochronous Data Path (0x08|0x006e) ncmd 1
        ...
< HCI Command: LE Create Co.. (0x08|0x0064) plen 5  #134 [hci0]
        Number of CIS: 1
        CIS Handle: 258
        ACL Handle: 42
> HCI Event: Command Status (0x0f) plen 4           #135 [hci0]
      LE Create Connected Isochronous Stream (0x08|0x0064) ncmd 1
        Status: ACL Connection Already Exists (0x0b)
> HCI Event: LE Meta Event (0x3e) plen 29           #136 [hci0]
      LE Connected Isochronous Stream Established (0x19)
        Status: Success (0x00)
        Connection Handle: 258
        ...

Fixes: c09b80b ("Bluetooth: hci_conn: Fix not waiting for HCI_EVT_LE_CIS_ESTABLISHED")
Signed-off-by: Pauli Virtanen <[email protected]>
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
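As an added illustration of the scheduling rule in the commit message above (not kernel code and not part of the commit), the following C model replays the traced scenario: two CIS handles (257, 258) requested in one LE Create CIS, with the established events arriving one at a time. The `cis_conn` structure, `track_flag` switch and `replay_trace()` helper are assumptions of this model; only the state and flag names mirror the message.

```c
/* Added example: simplified model of the Create CIS rule described above.
 * Not kernel code; structures and helpers are made up for illustration. */
#include <stdbool.h>
#include <stdio.h>

enum cis_state { BT_CONNECT, BT_CONNECTED };

struct cis_conn {
    int handle;
    enum cis_state state;
    bool create_cis;        /* models the HCI_CONN_CREATE_CIS flag */
};

#define MAX_CIS 4
static struct cis_conn conns[MAX_CIS];
static int nconns;
static int cmds_sent;       /* LE Create CIS commands issued so far */
static bool track_flag;     /* true: fixed behaviour; false: old behaviour */

static void cis_reset(bool fixed) { nconns = 0; cmds_sent = 0; track_flag = fixed; }

static void cis_add(int handle)
{
    if (nconns < MAX_CIS)
        conns[nconns++] = (struct cis_conn){ handle, BT_CONNECT, false };
}

/* Send one LE Create CIS for every connection in BT_CONNECT. In the fixed
 * model nothing is sent while a previous Create CIS is still outstanding,
 * i.e. until all its CIS Established events have been processed.
 * Returns the number of CIS handles placed in the command (0 = not sent). */
static int hci_le_create_cis(void)
{
    int i, n = 0;
    for (i = 0; i < nconns; i++)
        if (track_flag && conns[i].create_cis && conns[i].state == BT_CONNECT)
            return 0;       /* earlier Create CIS not yet completed */
    for (i = 0; i < nconns; i++)
        if (conns[i].state == BT_CONNECT) { conns[i].create_cis = true; n++; }
    if (n)
        cmds_sent++;
    return n;
}

/* LE CIS Established event for one handle. A new Create CIS is queued only
 * if some connection actually left BT_CONNECT, so bogus events cannot loop. */
static int hci_le_cis_established_evt(int handle)
{
    int i;
    bool moved = false;
    for (i = 0; i < nconns; i++)
        if (conns[i].handle == handle && conns[i].state == BT_CONNECT) {
            conns[i].state = BT_CONNECTED;
            conns[i].create_cis = false;
            moved = true;
        }
    return moved ? hci_le_create_cis() : 0;
}

/* Replay the trace: 257 and 258 requested together, 257 established first.
 * Returns the total number of Create CIS commands sent. */
static int replay_trace(bool fixed)
{
    cis_reset(fixed);
    cis_add(257);
    cis_add(258);
    hci_le_create_cis();                /* Number of CIS: 2 */
    hci_le_cis_established_evt(257);    /* old model re-sends for 258 here */
    hci_le_cis_established_evt(258);
    return cmds_sent;
}

int main(void)
{
    printf("old: %d command(s), fixed: %d command(s)\n",
           replay_trace(false), replay_trace(true));
    return 0;
}
```

The old model issues a second Create CIS for handle 258 after the first event, which is the command the controller rejects with "ACL Connection Already Exists" in the trace; the fixed model issues exactly one.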
matttbe pushed a commit that referenced this issue Jan 26, 2024
Like commit 1cf3bfc ("bpf: Support 64-bit pointers to kfuncs")
for s390x, add support for 64-bit pointers to kfuncs for LoongArch.
Since the infrastructure is already implemented in BPF core, the only
thing that needs to be done is to override bpf_jit_supports_far_kfunc_call().

Before this change, several test_verifier tests failed:

  # ./test_verifier | grep # | grep FAIL
  #119/p calls: invalid kfunc call: ptr_to_mem to struct with non-scalar FAIL
  #120/p calls: invalid kfunc call: ptr_to_mem to struct with nesting depth > 4 FAIL
  #121/p calls: invalid kfunc call: ptr_to_mem to struct with FAM FAIL
  #122/p calls: invalid kfunc call: reg->type != PTR_TO_CTX FAIL
  #123/p calls: invalid kfunc call: void * not allowed in func proto without mem size arg FAIL
  #124/p calls: trigger reg2btf_ids[reg->type] for reg->type > __BPF_REG_TYPE_MAX FAIL
  #125/p calls: invalid kfunc call: reg->off must be zero when passed to release kfunc FAIL
  #126/p calls: invalid kfunc call: don't match first member type when passed to release kfunc FAIL
  #127/p calls: invalid kfunc call: PTR_TO_BTF_ID with negative offset FAIL
  #128/p calls: invalid kfunc call: PTR_TO_BTF_ID with variable offset FAIL
  #129/p calls: invalid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID FAIL
  #130/p calls: valid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID FAIL
  #486/p map_kptr: ref: reference state created and released on xchg FAIL

This is because the kfuncs in the loaded module are far away from
__bpf_call_base:

  ffff800002009440 t bpf_kfunc_call_test_fail1    [bpf_testmod]
  9000000002e128d8 T __bpf_call_base

The offset relative to __bpf_call_base does NOT fit in s32, which breaks
the assumption in BPF core. Enabling bpf_jit_supports_far_kfunc_call() lifts
this limit.

Note that to reproduce the above result, tools/testing/selftests/bpf/config
should be applied, and run the test with JIT enabled, unpriv BPF enabled.

With this change, the test_verifier tests now all pass:

  # ./test_verifier
  ...
  Summary: 777 PASSED, 0 SKIPPED, 0 FAILED

Tested-by: Tiezhu Yang <[email protected]>
Signed-off-by: Hengqi Chen <[email protected]>
Signed-off-by: Huacai Chen <[email protected]>