lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Apr 2007 11:38:51 +0300 (EEST) From: "Ilpo Järvinen" <ilpo.jarvinen@...sinki.fi> To: David Miller <davem@...emloft.net> cc: "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>, tgraf@...g.ch, netdev@...r.kernel.org Subject: Re: tcp crash in net-2.6 tree On Sat, 31 Mar 2007, ijjarvin@...helsinki.fi wrote: > On 3/31/2007, "David Miller" <davem@...emloft.net> wrote: > > From: Thomas Graf <tgraf@...g.ch> > > Date: Sat, 31 Mar 2007 00:10:54 +0200 > > > > > * David Miller <davem@...emloft.net> 2007-03-30 14:43 > > > > Let's not speculate, let's find out for sure if snd_una is > > > > surpassing high_seq while we're in this state. > > > > > > > > Andrew please give this debugging patch a spin, and also what > > > > is your workload? I'd like to play with it too. > > > > > > > > I've tried to code this patch so that if the bug triggers your > > > > machine shouldn't crash and burn completely, just spit out the > > > > log message. > > > > > > I'm running into the same bug as Andew, i was able to reproduce > > > using Dave's patch within minutes: > > > > > > TCP BUG: high_seq==NULL [c3c9cc54] q[c3c94edc] t[c3c9cc54] > > > > > > The after(snd_una, high_seq) check is not triggered. > > > > So tp->high_seq points to the tail packet end sequence. > > > > Ilpo does this clear things up? > > Thanks for the info. > > I think that the if condition before the write_queue_find should check if > skb is valid before doing after(TCP_SKB_CB(skb)->seq, tp->high_seq), it > is pointing to sk_write_queue rather than a valid skb when the previous > loop exits (there might be a similar problem later in the code too). I > apologize I cannot provide a good patch at this point of time because I > moved on Thursday and the ISP hasn't yet activated the access link > (writing this from a library machine). So here it is, finally, I'm sorry for the delay (the length of the lines this fix is causing does not please me though)...: [PATCH] [TCP]: Fix invalid skb referencing in LOST marker code The after() referenced an invalid skb if loop exited when skb had reached sk_write_queue. I chose to move this part inside the loop where the skb is valid (so no need to check for that like I first suggested), which also allows dropping of couple of conditions from the if. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@...sinki.fi> --- net/ipv4/tcp_input.c | 25 ++++++++++++------------- 1 files changed, 12 insertions(+), 13 deletions(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index ea196de..211bb1f 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -1933,26 +1933,25 @@ static void tcp_update_scoreboard_fack(s if (IsFack(tp) || (TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED)) reord_count += tcp_skb_pcount(skb); - if (reord_count > tp->reordering) + if (reord_count > tp->reordering) { + if (after(TCP_SKB_CB(skb)->seq, tp->high_seq)) { + /* RFC: should we have find_below? */ + skb = tcp_write_queue_find(sk, tp->high_seq); + not_marked_skb = skb; + skb = tcp_write_queue_prev(sk, skb); + /* Timedout top is again uncertain? */ + if (tcp_skb_timedout(sk, skb)) + timedout_continue = 1; + } + /* TODO?: do skb fragmentation if necessary */ break; + } if (!(TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED)) holes_seen += tcp_skb_pcount(skb); } } - if ((!IsFack(tp) || !tcp_skb_timedout(sk, skb)) && - after(TCP_SKB_CB(skb)->seq, tp->high_seq)) { - /* RFC: should we have find_below? */ - skb = tcp_write_queue_find(sk, tp->high_seq); - not_marked_skb = skb; - skb = tcp_write_queue_prev(sk, skb); - /* Timedout top is again uncertain? */ - if (tcp_skb_timedout(sk, skb)) - timedout_continue = 1; - } - /* RFC: ...else if (!tcp_skb_timedout) do skb fragmentation? */ - /* Phase II: Marker */ tcp_for_write_queue_backwards_from(skb, sk) { if ((tp->fackets_out <= tp->sacked_out + tp->lost_out + -- 1.4.2
Powered by blists - more mailing lists