Date: Tue, 5 Jun 2018 06:27:49 -0400 From: Neil Horman <nhorman@...driver.com> To: Xin Long <lucien.xin@...il.com> Cc: network dev <netdev@...r.kernel.org>, linux-sctp@...r.kernel.org, davem@...emloft.net, Eric Dumazet <edumazet@...gle.com>, Marcelo Ricardo Leitner <marcelo.leitner@...il.com>, Dmitry Vyukov <dvyukov@...gle.com>, syzkaller@...glegroups.com Subject: Re: [PATCH net] sctp: not allow transport timeout value less than HZ/5 for hb_timer On Tue, Jun 05, 2018 at 12:16:58PM +0800, Xin Long wrote: > syzbot reported a rcu_sched self-detected stall on CPU which is caused > by too small value set on rto_min with SCTP_RTOINFO sockopt. With this > value, hb_timer will get stuck there, as in its timer handler it starts > this timer again with this value, then goes to the timer handler again. > > This problem is there since very beginning, and thanks to Eric for the > reproducer shared from a syzbot mail. > > This patch fixes it by not allowing sctp_transport_timeout to return a > smaller value than HZ/5 for hb_timer, which is based on TCP's min rto. > > Note that it doesn't fix this issue by limiting rto_min, as some users > are still using small rto and no proper value was found for it yet. > > Reported-by: syzbot+3dcd59a1f907245f891f@...kaller.appspotmail.com > Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com> > Signed-off-by: Xin Long <lucien.xin@...il.com> > --- > net/sctp/transport.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/sctp/transport.c b/net/sctp/transport.c > index 47f82bd..03fc2c4 100644 > --- a/net/sctp/transport.c > +++ b/net/sctp/transport.c > @@ -634,7 +634,7 @@ unsigned long sctp_transport_timeout(struct sctp_transport *trans) > trans->state != SCTP_PF) > timeout += trans->hbinterval; > > - return timeout; > + return max_t(unsigned long, timeout, HZ / 5); > } > > /* Reset transport variables to their initial values */ > -- > 2.1.0 > > Acked-by: Neil Horman <nhorman@...driver.com>
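Review bot: the `HZ / 5` floor on the new `return max_t(unsigned long, timeout, HZ / 5);` line is a bare magic number in the code. The commit message says it is based on TCP's min rto, so a one-line comment above the return, or a named constant, would keep that rationale next to the value. The clamp also sits at the return of `sctp_transport_timeout()` rather than where hb_timer is armed, so it applies to every caller of this function, while the subject scopes the change to hb_timer. It is worth confirming that this matches the callers, or saying so in the function's comment. As the message itself notes, `rto_min` set through SCTP_RTOINFO stays unbounded, so this change only limits how quickly the heartbeat timer can re-arm and leaves the small value in place for anything else that reads it.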