| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Oct 2013 13:30:42 -0400 From: Vlad Yasevich <vyasevich@...il.com> To: netdev@...r.kernel.org Cc: linux-sctp@...r.kernel.org, Vlad Yasevich <vyasevich@...il.com>, Mark Thomas <Mark.Thomas@...aswitch.com>, Daniel Borkmann <dborkman@...hat.com>, Neil Horman <nhorman@...driver.com> Subject: [PATCH] sctp: Do not trigger BUG_ON when deleting assoc without primary path It is possible to enter sctp_cmd_delete_tcb() without having a primary path. The situations this most often happens in is when duplication cookie processing is triggered. In this case, we are deleting a temporarily created association that is not fully populated. Additially, at the time we are deleting the offending association, it is really too late to issue a BUG! This was introduced by: commit f9e42b853523cda0732022c2e0473c183f7aec65 net: sctp: sideeffect: throw BUG if primary_path is NULL This patch fixes the following observed crash: [ 42.325370] ------------[ cut here ]------------ [ 42.329216] kernel BUG at net/sctp/sm_sideeffect.c:863! [ 42.329216] invalid opcode: 0000 [#1] SMP [ 42.329216] Modules linked in: hmac sctp crc32c libcrc32c cls_u32 sch_netem sch_prio rfcomm bnep bluetooth rfkill nfsd auth_rpcgss oid_registry nfs_acl nfs lockd fscache sunrpc loop joydev hid_generic usbhid hid snd_intel8x0 snd_ac97_codec snd_pcm snd_page_alloc snd_seq snd_timer snd_seq_device psmouse snd ohci_pci evdev parport_pc parport pcspkr serio_raw ohci_hcd ehci_hcd usbcore ac processor thermal_sys soundcore ac97_bus microcode usb_common button i2c_piix4 i2c_core ext4 crc16 jbd2 mbcache sd_mod sg sr_mod cdrom crc_t10dif crct10dif_common ata_generic ahci libahci ata_piix e1000 libata scsi_mod [ 42.329216] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.12.0-rc5+ #2 [ 42.329216] Hardware name: innotek GmbH VirtualBox, BIOS VirtualBox 12/01/2006 [ 42.329216] task: ffffffff81610440 ti: ffffffff81600000 task.ti: ffffffff81600000 [ 42.329216] RIP: 0010:[<ffffffffa03add10>] [<ffffffffa03add10>] sctp_do_sm+0x159/0x1091 [sctp] [ 42.329216] RSP: 0018:ffff88007fc03990 EFLAGS: 00010246 [ 42.329216] RAX: ffff8800000829c0 RBX: ffff88002fd0a000 RCX: ffff88002fd0a6e0 [ 42.329216] RDX: 0000000000002710 RSI: 0000000000000000 RDI: ffff88007fc03900 [ 42.329216] RBP: ffff88007ca1ce80 R08: ffff88002fd0a6e0 R09: 0000000072a65008 [ 42.329216] R10: 0000000072a65008 R11: 519a9b1ce38676a9 R12: ffff88007fc039e8 [ 42.329216] R13: ffff88007fc03a08 R14: 0000000000000000 R15: ffff88000003dbc0 [ 42.329216] FS: 0000000000000000(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000 [ 42.329216] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 42.329216] CR2: ffffffffff600400 CR3: 000000002fd43000 CR4: 00000000000006f0 [ 42.329216] Stack: [ 42.329216] 0000000000000001 0000000000000286 ffff8800615d31c0 0000000100000000 [ 42.329216] 0000000a00000001 ffff880075107000 0000000100000003 ffff88000003dbc0 [ 42.329216] 0000000000000000 ffff88007d3b7000 ffff8800615d31c0 ffff88007ca1cc80 [ 42.329216] Call Trace: [ 42.329216] <IRQ> [ 42.329216] [<ffffffffa03b10ac>] ? sctp_assoc_bh_rcv+0xe0/0x11d [sctp] [ 42.329216] [<ffffffffa03c1cb2>] ? sctp_rcv+0x7c2/0x896 [sctp] [ 42.329216] [<ffffffff812eca5b>] ? ip_local_deliver_finish+0x105/0x17b [ 42.329216] [<ffffffff812c42d5>] ? __netif_receive_skb_core+0x44e/0x4c6 [ 42.329216] [<ffffffff812c450f>] ? netif_receive_skb+0x4c/0x7d [ 42.329216] [<ffffffff812c4c69>] ? napi_gro_receive+0x35/0x76 [ 42.329216] [<ffffffffa007ad4c>] ? e1000_clean_rx_irq+0x330/0x3cd [e1000] [ 42.329216] [<ffffffffa0079cc5>] ? e1000_clean+0x5b9/0x725 [e1000] [ 42.329216] [<ffffffff81051442>] ? autoremove_wake_function+0x9/0x2a [ 42.329216] [<ffffffff81056e7f>] ? __wake_up_common+0x42/0x78 [ 42.329216] [<ffffffff812c4a15>] ? net_rx_action+0xa2/0x1c6 [ 42.329216] [<ffffffff8103ae04>] ? __do_softirq+0xe8/0x201 [ 42.329216] [<ffffffff813838dc>] ? call_softirq+0x1c/0x30 [ 42.329216] [<ffffffff81003b7c>] ? do_softirq+0x2c/0x60 [ 42.329216] [<ffffffff8103afe2>] ? irq_exit+0x3b/0x7f [ 42.329216] [<ffffffff81003803>] ? do_IRQ+0x81/0x98 [ 42.329216] [<ffffffff8137d46a>] ? common_interrupt+0x6a/0x6a [ 42.329216] <EOI> [ 42.329216] [<ffffffff81008aa3>] ? default_idle+0x15/0x3d [ 42.329216] [<ffffffff81009021>] ? arch_cpu_idle+0x6/0x17 [ 42.329216] [<ffffffff8106fbad>] ? cpu_startup_entry+0x10d/0x180 [ 42.329216] [<ffffffff816adcd8>] ? start_kernel+0x3be/0x3c9 [ 42.329216] [<ffffffff816ad730>] ? repair_env_string+0x57/0x57 [ 42.329216] Code: 50 12 80 fa 0a 75 1a f6 83 dc 07 00 00 02 75 11 8a 80 30 01 00 00 83 e0 03 3c 03 0f 85 1e 0f 00 00 48 83 bb 48 01 00 00 00 75 02 <0f> 0b 48 89 df e8 56 47 01 00 48 89 df e8 e3 41 00 00 e9 fd 0e [ 42.329216] RIP [<ffffffffa03add10>] sctp_do_sm+0x159/0x1091 [sctp] [ 42.329216] RSP <ffff88007fc03990> Reported-by: Mark Thomas <Mark.Thomas@...aswitch.com> CC: Mark Thomas <Mark.Thomas@...aswitch.com> CC: Daniel Borkmann <dborkman@...hat.com> CC: Neil Horman <nhorman@...driver.com> Signed-off-by: Vlad Yasevich <vyasevich@...il.com> --- net/sctp/sm_sideeffect.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c index 666c668..1a6eef3 100644 --- a/net/sctp/sm_sideeffect.c +++ b/net/sctp/sm_sideeffect.c @@ -860,7 +860,6 @@ static void sctp_cmd_delete_tcb(sctp_cmd_seq_t *cmds, (!asoc->temp) && (sk->sk_shutdown != SHUTDOWN_MASK)) return; - BUG_ON(asoc->peer.primary_path == NULL); sctp_unhash_established(asoc); sctp_association_free(asoc); } -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists