Date: Mon, 23 May 2011 14:50:58 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Denys Fedoryshchenko <denys@...p.net.lb>
Cc: netdev@...r.kernel.org, hadi@...erus.ca
Subject: Re: 2.6.38.x, 2.6.39 sfq? kernel panic in sfq_enqueue

On Monday 23 May 2011 at 14:32 +0200, Eric Dumazet wrote:

> Ouch, that's an ip_fragment() bug I am afraid... nothing to do with SFQ
>
> It calls
>
> err = output(skb);
>
> and a bit later does :
>
> skb = frag;
> frag = skb->next; // that's completely illegal here !
> skb->next = NULL;
>
> I am cooking a patch and will send it in a couple of minutes.

Oh well, false alarm, I am still trying to understand the case.

Some other reports would be appreciated, because here is the strange
thing :

[ 4461.969603] Code: b6 70 10
    3b b3 08 01 00 00
    0f 8d df 01 00 00      jge ....
    41 8b 74 24 28         mov 0x28(%r12),%esi     qdisc_pkt_len(skb)
    01 b3 b4 00 00 00      sch->qstats.backlog += qdisc_pkt_len(skb);

    RAX = slot
    R12 = SKB

    48 8b 70 08            mov 0x8(%rax),%rsi      slot->skblist_prev
    49 89 04 24            mov %rax,(%r12)         skb->next = (struct sk_buff *)slot;
    49 89 74 24 08         mov %rsi,0x8(%r12)      skb->prev = slot->skblist_prev;
    48 8b 70 08            mov 0x8(%rax),%rsi      slot->skblist_prev (refetch)
    <4c> 89 26             mov %r12,(%rsi)         slot->skblist_prev->next = skb;   // CRASH
    0f b6 f2               movzbl %dl,%esi
    4c 89 60 08            mov %r12,0x8(%rax)      slot->skblist_prev = skb;
    48 8d 3c 76            lea
    48 8d bc fb 90 01 00

And in your report RAX = R12 !!! (ffff8801172a7d08)

I can't see how it can happen (It's not even a valid skb address, since an
SKB should be 64 bytes aligned)

If available, a disassembly of sfq_enqueue() would be appreciated too ;)

Thanks !

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
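Added example, not part of the original message and not kernel code: a userspace C model of the tail insert annotated in the disassembly above, with the two observations the message makes about the report (skb equal to slot, skb address not 64-byte aligned) turned into checks. struct node, check_enqueue, slot_tail_add, addr_misaligned and demo_normal are hypothetical names chosen for this sketch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: one type stands in for both the skb and the slot head. */
struct node {
    struct node *next;   /* offset 0x0 */
    struct node *prev;   /* offset 0x8, slot->skblist_prev in the trace */
};
#define SKB_ALIGN 64u    /* alignment the message expects of an skb */
enum { SKB_IS_SLOT = 1, SKB_MISALIGNED = 2, TAIL_NULL = 4 };

/* Hypothetical debug check run before the tail insert; 0 means sane. */
static int check_enqueue(const struct node *slot, const struct node *skb)
{
    int v = 0;
    if (skb == slot)                     v |= SKB_IS_SLOT;
    if ((uintptr_t)skb % SKB_ALIGN != 0) v |= SKB_MISALIGNED;
    if (slot->prev == NULL)              v |= TAIL_NULL;
    return v;
}

/* The four stores from the annotated disassembly, in the same order. */
static void slot_tail_add(struct node *slot, struct node *skb)
{
    skb->next = slot;
    skb->prev = slot->prev;
    slot->prev->next = skb;  /* the store marked CRASH in the report */
    slot->prev = skb;
}

static int addr_misaligned(uint64_t addr) { return addr % SKB_ALIGN != 0; }

/* Queue one aligned packet on an empty slot; returns 1 if links are right. */
static int demo_normal(void)
{
    static _Alignas(64) struct node slot, pkt;
    slot.next = slot.prev = &slot;
    if (check_enqueue(&slot, &pkt) != 0) return 0;
    slot_tail_add(&slot, &pkt);
    return slot.next == &pkt && slot.prev == &pkt &&
           pkt.next == &slot && pkt.prev == &slot;
}

int main(void)
{
    printf("normal enqueue ok: %d\n", demo_normal());
    printf("R12 misaligned: %d\n", addr_misaligned(0xffff8801172a7d08ULL));
    return 0;
}
```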