| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Jun 2018 06:27:49 -0400
From: Neil Horman <nhorman@...driver.com>
To: Xin Long <lucien.xin@...il.com>
Cc: network dev <netdev@...r.kernel.org>, linux-sctp@...r.kernel.org,
davem@...emloft.net, Eric Dumazet <edumazet@...gle.com>,
Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
Dmitry Vyukov <dvyukov@...gle.com>, syzkaller@...glegroups.com
Subject: Re: [PATCH net] sctp: not allow transport timeout value less than
HZ/5 for hb_timer
On Tue, Jun 05, 2018 at 12:16:58PM +0800, Xin Long wrote:
> syzbot reported a rcu_sched self-detected stall on CPU which is caused
> by too small value set on rto_min with SCTP_RTOINFO sockopt. With this
> value, hb_timer will get stuck there, as in its timer handler it starts
> this timer again with this value, then goes to the timer handler again.
>
> This problem is there since very beginning, and thanks to Eric for the
> reproducer shared from a syzbot mail.
>
> This patch fixes it by not allowing sctp_transport_timeout to return a
> smaller value than HZ/5 for hb_timer, which is based on TCP's min rto.
>
> Note that it doesn't fix this issue by limiting rto_min, as some users
> are still using small rto and no proper value was found for it yet.
>
> Reported-by: syzbot+3dcd59a1f907245f891f@...kaller.appspotmail.com
> Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
> Signed-off-by: Xin Long <lucien.xin@...il.com>
> ---
> net/sctp/transport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sctp/transport.c b/net/sctp/transport.c
> index 47f82bd..03fc2c4 100644
> --- a/net/sctp/transport.c
> +++ b/net/sctp/transport.c
> @@ -634,7 +634,7 @@ unsigned long sctp_transport_timeout(struct sctp_transport *trans)
> trans->state != SCTP_PF)
> timeout += trans->hbinterval;
>
> - return timeout;
> + return max_t(unsigned long, timeout, HZ / 5);
> }
>
> /* Reset transport variables to their initial values */
> --
> 2.1.0
>
>
Acked-by: Neil Horman <nhorman@...driver.com>
Powered by blists - more mailing lists