| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <35cd974b-2b31-4f86-d53d-8e9516d4077e@tessares.net>
Date: Sat, 31 Aug 2019 15:14:35 +0200
From: Matthieu Baerts <matthieu.baerts@...sares.net>
To: Sasha Levin <sashal@...nel.org>,
Tim Froidcoeur <tim.froidcoeur@...sares.net>
Cc: aprout@...mit.edu, cpaasch@...le.com, davem@...emloft.net,
edumazet@...gle.com, gregkh@...uxfoundation.org,
jonathan.lemon@...il.com, jtl@...flix.com,
linux-kernel@...r.kernel.org, mkubecek@...e.cz,
ncardwell@...gle.com, stable@...r.kernel.org, ycheng@...gle.com,
netdev@...r.kernel.org
Subject: Re: [PATCH 4.14] tcp: fix tcp_rtx_queue_tail in case of empty
retransmit queue
Hi Sasha,
Thank you for your reply!
On 31/08/2019 14:20, Sasha Levin wrote:
> On Sat, Aug 24, 2019 at 08:03:51AM +0200, Tim Froidcoeur wrote:
>> Commit 8c3088f895a0 ("tcp: be more careful in tcp_fragment()")
>> triggers following stack trace:
>>
>> [25244.848046] kernel BUG at ./include/linux/skbuff.h:1406!
>> [25244.859335] RIP: 0010:skb_queue_prev+0x9/0xc
>> [25244.888167] Call Trace:
>> [25244.889182] <IRQ>
>> [25244.890001] tcp_fragment+0x9c/0x2cf
>> [25244.891295] tcp_write_xmit+0x68f/0x988
>> [25244.892732] __tcp_push_pending_frames+0x3b/0xa0
>> [25244.894347] tcp_data_snd_check+0x2a/0xc8
>> [25244.895775] tcp_rcv_established+0x2a8/0x30d
>> [25244.897282] tcp_v4_do_rcv+0xb2/0x158
>> [25244.898666] tcp_v4_rcv+0x692/0x956
>> [25244.899959] ip_local_deliver_finish+0xeb/0x169
>> [25244.901547] __netif_receive_skb_core+0x51c/0x582
>> [25244.903193] ? inet_gro_receive+0x239/0x247
>> [25244.904756] netif_receive_skb_internal+0xab/0xc6
>> [25244.906395] napi_gro_receive+0x8a/0xc0
>> [25244.907760] receive_buf+0x9a1/0x9cd
>> [25244.909160] ? load_balance+0x17a/0x7b7
>> [25244.910536] ? vring_unmap_one+0x18/0x61
>> [25244.911932] ? detach_buf+0x60/0xfa
>> [25244.913234] virtnet_poll+0x128/0x1e1
>> [25244.914607] net_rx_action+0x12a/0x2b1
>> [25244.915953] __do_softirq+0x11c/0x26b
>> [25244.917269] ? handle_irq_event+0x44/0x56
>> [25244.918695] irq_exit+0x61/0xa0
>> [25244.919947] do_IRQ+0x9d/0xbb
>> [25244.921065] common_interrupt+0x85/0x85
>> [25244.922479] </IRQ>
>>
>> tcp_rtx_queue_tail() (called by tcp_fragment()) can call
>> tcp_write_queue_prev() on the first packet in the queue, which will
>> trigger
>> the BUG in tcp_write_queue_prev(), because there is no previous packet.
>>
>> This happens when the retransmit queue is empty, for example in case of a
>> zero window.
>>
>> Patch is needed for 4.4, 4.9 and 4.14 stable branches.
>
> There needs to be a better explanation of why it's not needed
> upstream...
Commit 8c3088f895a0 ("tcp: be more careful in tcp_fragment()") was not a
simple cherry-pick of the original one from master (b617158dc096)
because there is a specific TCP rtx queue only since v4.15. For more
details, please see the commit message of b617158dc096 ("tcp: be more
careful in tcp_fragment()").
The BUG() is hit due to the specific code added to versions older than
v4.15. The comment in skb_queue_prev() (include/linux/skbuff.h:1406),
just before the BUG_ON() somehow suggests to add a check before using
it, what Tim did.
In master, this code path causing the issue will not be taken because
the implementation of tcp_rtx_queue_tail() is different:
tcp_fragment() → tcp_rtx_queue_tail() → tcp_write_queue_prev() →
skb_queue_prev() → BUG_ON()
Because this patch is specific to versions older than the two last
stable ones but still linked to the network architecture, who can review
and approve it? :)
Cheers,
Matt
--
Matthieu Baerts | R&D Engineer
matthieu.baerts@...sares.net
Tessares SA | Hybrid Access Solutions
www.tessares.net
1 Avenue Jean Monnet, 1348 Louvain-la-Neuve, Belgium
Powered by blists - more mailing lists