Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
mptcp/fullmesh: Fix null-pointer dereference to sk_socket
One may encounter the following panic: [144721.501011] ================================================================== [144721.502551] Disabling lock debugging due to kernel taint [144721.504498] ================================================================== [144721.504528] BUG: unable to handle kernel NULL pointer dereference at (null) [144721.504534] IP: [<ffffffff817ea7c6>] mptcp_init4_subsockets+0x76/0x5b0 [144721.504540] PGD 72dbe2067 PUD 72f6d2067 PMD 0 [144721.504546] Oops: 0000 [#1] SMP KASAN [144721.504607] Modules linked in: ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_nat xt_tcpudp xt_conntrack iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat iptable_filter ip_tables x_tables tun binfmt_misc ip_vs nf_conntrack libcrc32c crc32c_generic nfsd auth_rpcgss oid_registry nfs_acl nfs lockd grace fscache sunrpc intel_rapl iosf_mbi x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha256_ssse3 sch_fq sha256_generic hmac drbg ansi_cprng ast snd_pcm ttm drm_kms_helper aesni_intel snd_timer aes_x86_64 lrw gf128mul glue_helper ablk_helper snd cryptd drm soundcore pcspkr mptcp_olia cdc_ether mptcp_balia usbnet iTCO_wdt mei_me iTCO_vendor_support joydev ipmi_watchdog evdev r8152 mii mei shpchp battery 8250_fintek video tpm_tis [144721.504623] tpm acpi_power_meter acpi_pad button processor ipmi_si ipmi_poweroff ipmi_devintf ipmi_msghandler autofs4 ext4 crc16 mbcache jbd2 raid1 md_mod sg sd_mod hid_generic usbhid crc32c_intel ahci libahci libata i2c_i801 xhci_pci xhci_hcd scsi_mod igb usbcore usb_common i2c_algo_bit dca ptp pps_core fan thermal i2c_hid hid [144721.504626] CPU: 4 PID: 2471 Comm: kworker/u16:2 Tainted: G B 4.4.70+ #2 [144721.504629] Hardware name: Supermicro Super Server/X11SSM-F, BIOS 1.0b 12/29/2015 [144721.504631] Workqueue: mptcp_wq create_subflow_worker [144721.504633] task: ffff880749498000 ti: ffff88070e350000 task.ti: ffff88070e350000 [144721.504637] RIP: 0010:[<ffffffff817ea7c6>] [<ffffffff817ea7c6>] mptcp_init4_subsockets+0x76/0x5b0 [144721.504638] RSP: 0018:ffff88070e357a18 EFLAGS: 00010246 [144721.504639] RAX: ffffed00e1c6af95 RBX: ffff88072ec98000 RCX: 000000000000004a [144721.504641] RDX: ffffed00e1c6af95 RSI: 0000000000000000 RDI: ffff88070e357a58 [144721.504642] RBP: 0000000000000000 R08: 0000000000000005 R09: ffffed00e1c6af94 [144721.504644] R10: ffff88070e357ca7 R11: ffffed00e1c6af95 R12: ffff88070e357d48 [144721.504645] R13: ffff88072ec98000 R14: ffff88070e357d40 R15: ffff880078e0f960 [144721.504647] FS: 0000000000000000(0000) GS:ffff880756300000(0000) knlGS:0000000000000000 [144721.504651] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [144721.504654] CR2: 0000000000000000 CR3: 0000000875804000 CR4: 00000000003406e0 [144721.504658] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [144721.504661] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [144721.504662] Stack: [144721.504672] ffff88070e357f58 ffff88070e357f58 ffffffffffff8000 ffff88072ec98248 [144721.504680] ffffffff81a03440 0000000000000000 ffffffff811526e1 ffffffff811947a4 [144721.504690] ffff88070e357f58 0000000000000000 ffffffffffff8000 ffffffff810ca43e [144721.504692] Call Trace: [144721.504697] [<ffffffff811526e1>] ? __module_text_address+0x11/0xa0 [144721.504701] [<ffffffff811947a4>] ? is_ftrace_trampoline+0x54/0x80 [144721.504705] [<ffffffff810ca43e>] ? __kernel_text_address+0x5e/0x80 [144721.504710] [<ffffffff81023835>] ? print_context_stack+0x55/0xf0 [144721.504714] [<ffffffff81022c60>] ? dump_trace+0x110/0x2a0 [144721.504720] [<ffffffff8143cb01>] ? __list_add+0x71/0xf0 [144721.504725] [<ffffffff81265bbd>] ? deactivate_slab+0x13d/0x3e0 [144721.504729] [<ffffffff81032bed>] ? save_stack_trace+0x3d/0x80 [144721.504732] [<ffffffff817fdc1f>] ? create_subflow_worker+0x9f/0x7d0 [144721.504736] [<ffffffff8126334e>] ? set_track+0x6e/0x120 [144721.504740] [<ffffffff81266868>] ? ___slab_alloc+0x138/0x440 [144721.504744] [<ffffffff817fdc1f>] ? create_subflow_worker+0x9f/0x7d0 [144721.504750] [<ffffffff8110079c>] ? autoremove_wake_function+0x3c/0x50 The reason is that we check for sock_orphan after the while-loop to create the additional subflows for the first pair. We have to move the checks a bit higher before attempting to create new subflows. Github-issue: multipath-tcp/mptcp#191 Reported-by: https://github.com/jarmediagmbh Fixes: d0f3a6d (mptcp: fullmesh path manager extension (creation of multiple subflows per pair of IPs)) Signed-off-by: Christoph Paasch <[email protected]> Signed-off-by: Matthieu Baerts <[email protected]> (cherry picked from commit 5b19eb9) Signed-off-by: Matthieu Baerts <[email protected]>
- Loading branch information