Date: Tue, 18 Oct 2011 04:30:32 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Elmar Vonlanthen <evonlanthen@...il.com>
Cc: linux-kernel@...r.kernel.org, netdev <netdev@...r.kernel.org>, Timo Teräs <timo.teras@....fi>, Herbert Xu <herbert@...dor.apana.org.au>
Subject: Re: PROBLEM: System call 'sendmsg' of process ospfd (quagga) causes kernel oops

On Monday 17 October 2011 at 09:16 +0200, Elmar Vonlanthen wrote:
> 2011/10/14 Eric Dumazet <eric.dumazet@...il.com>:
> > Please try following patch :
> >
> > [PATCH] ip_gre: dont increase dev->needed_headroom on a live device
> >
> > It seems ip_gre is able to change dev->needed_headroom on the fly.
> >
> > It is not legal unfortunately and triggers a BUG in raw_sendmsg()
> >
> > skb = sock_alloc_send_skb(sk, ... + LL_ALLOCATED_SPACE(rt->dst.dev)
> >
> > < another cpu change dev->needed_headroom (making it bigger)
> >
> > ...
> > skb_reserve(skb, LL_RESERVED_SPACE(rt->dst.dev));
> >
> > We end with LL_RESERVED_SPACE() being bigger than LL_ALLOCATED_SPACE()
> > -> we crash later because skb head is exhausted.
> >
> > Bug introduced in commit 243aad83 in 2.6.34 (ip_gre: include route
> > header_len in max_headroom calculation)
> >
> > Reported-by: Elmar Vonlanthen <evonlanthen@...il.com>
> > Signed-off-by: Eric Dumazet <eric.dumazet@...il.com>
> > CC: Timo Teräs <timo.teras@....fi>
> > CC: Herbert Xu <herbert@...dor.apana.org.au>
> > --- > > diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c > > index 8871067..1505dcf 100644 > > --- a/net/ipv4/ip_gre.c > > +++ b/net/ipv4/ip_gre.c
> > @@ -835,8 +835,6 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev > > if (skb_headroom(skb) < max_headroom || skb_shared(skb)|| > > (skb_cloned(skb) && !skb_clone_writable(skb, 0))) { > > struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom); > > - if (max_headroom > dev->needed_headroom) > > - dev->needed_headroom = max_headroom; > > if (!new_skb) { > > ip_rt_put(rt); > > dev->stats.tx_dropped++;
>
> Hello
>
> I tried this patch and I was not able anymore to reproduce the kernel
> oops. So the patch solved the bug.
> Thank you very much!
>
> Would it be possible to add the patch to the long term kernel 2.6.35
> as well? Because this is the one I use at the moment in production.
>

Thanks for testing.

If David/Herbert/Timo agree, then patch should find its way into current
kernel, then to stable trees as well.

Thanks
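Review bot: With the two removed lines in the skb_headroom(skb) < max_headroom branch of ipgre_tunnel_xmit() gone, nothing visible in this hunk raises dev->needed_headroom any more, so each skb that arrives short of max_headroom goes through skb_realloc_headroom() every time; the commit message should say that this cost is accepted, or point to where the headroom is now expected to be set before the device goes live. The message explains the crash as LL_RESERVED_SPACE() ending up bigger than LL_ALLOCATED_SPACE() because needed_headroom grew between the two reads in raw_sendmsg(); it would also help to state whether these lines were the only place ip_gre updates the field on a live device, since the sender-side double read is left as it is and any remaining live update would reopen the same window.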
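A user-space model of the sequence described in the quoted commit message, added here as an illustration and not code from the patch or the kernel. It goes one step beyond the page's fix by also showing a single-read variant; all struct and function names are hypothetical and the values 16, 32 and 64 are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model, not kernel code. */
struct model_dev { size_t needed_headroom; };
typedef void (*between_fn)(struct model_dev *);

/* Stands in for another CPU running the two lines the patch removes. */
static void raise_headroom(struct model_dev *d) { d->needed_headroom = 64; }
/* Stands in for the patched driver: the hint is not touched while live. */
static void leave_headroom(struct model_dev *d) { (void)d; }

/* Sequence from the commit message: the buffer is sized from one read of
 * the hint and the head is reserved from a second read.
 * Returns 1 if the payload still fits behind the reserved head, else 0. */
static int fits_two_reads(struct model_dev *d, size_t payload, between_fn between)
{
    size_t size = payload + d->needed_headroom;  /* allocation-time read */
    between(d);                                  /* window between reads */
    size_t reserve = d->needed_headroom;         /* reserve-time read */
    return reserve <= size && size - reserve >= payload;
}

/* Generalization beyond the page's fix: read the hint once and use the
 * same value for both steps, so a concurrent change cannot split them. */
static int fits_one_read(struct model_dev *d, size_t payload, between_fn between)
{
    size_t hint = d->needed_headroom;            /* single read */
    size_t size = payload + hint;
    between(d);
    return size - hint >= payload;
}

int main(void)
{
    struct model_dev d = { 16 };                 /* constructed values */
    printf("live update, two reads: %d\n", fits_two_reads(&d, 32, raise_headroom));
    d.needed_headroom = 16;
    printf("no live update, two reads: %d\n", fits_two_reads(&d, 32, leave_headroom));
    d.needed_headroom = 16;
    printf("live update, one read: %d\n", fits_one_read(&d, 32, raise_headroom));
    return 0;
}
```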