lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPshTCgVGBpqgrMR8ub4+WKpEDMmPtPRfri8-35TVuHbf_H4yA@mail.gmail.com> Date: Wed, 5 Sep 2012 16:07:06 -0700 From: Jerry Chu <hkchu@...gle.com> To: Fengguang Wu <fengguang.wu@...el.com> Cc: Eric Dumazet <eric.dumazet@...il.com>, Marc Kleine-Budde <mkl@...gutronix.de>, "Eric W. Biederman" <ebiederm@...ssion.com>, networking <netdev@...r.kernel.org>, linux-can@...r.kernel.org Subject: Re: sctp_close/sk_free: kernel BUG at arch/x86/mm/physaddr.c:18! On Wed, Sep 5, 2012 at 3:28 PM, Fengguang Wu <fengguang.wu@...el.com> wrote: > On Wed, Sep 05, 2012 at 06:57:00PM +0200, Eric Dumazet wrote: >> On Wed, 2012-09-05 at 17:40 +0200, Eric Dumazet wrote: >> >> > Could you test the following patch please ? > > It works - no single error for 1000 boots! Sorry for introducing the bug, one of the casualties dealing with code that is shared outside of TCP. I did spend some effort adding special checks but I was wrong in assuming inet_create() will zero all the field including fastopenq inside icsk_accept_queue inside struct inet_connection_sock - although this is true for TCP and DCCP, SCTP doesn't have inet_connection_sock hence inet_csk(sk) is bogus. Kudo to Eric for fixing it quickly before I got to it. Jerry > > btw, the first bad commit has been bisected to > > commit 8336886f786fdacbc19b719c1f7ea91eb70706d4 > Author: Jerry Chu <hkchu@...gle.com> > Date: Fri Aug 31 12:29:12 2012 +0000 > > tcp: TCP Fast Open Server - support TFO listeners > >> > (Not sure why sctp doesnt memset/bzero its whole socket by the way...) >> > >> > Thanks >> >> Here is a more complete patch, as there are three potential problems, >> not only one : > > Great! I'll start tests for it. > > Thanks, > Fengguang > >> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c >> index 4f70ef0..845372b 100644 >> --- a/net/ipv4/af_inet.c >> +++ b/net/ipv4/af_inet.c >> @@ -149,11 +149,8 @@ void inet_sock_destruct(struct sock *sk) >> pr_err("Attempt to release alive inet socket %p\n", sk); >> return; >> } >> - if (sk->sk_type == SOCK_STREAM) { >> - struct fastopen_queue *fastopenq = >> - inet_csk(sk)->icsk_accept_queue.fastopenq; >> - kfree(fastopenq); >> - } >> + if (sk->sk_protocol == IPPROTO_TCP) >> + kfree(inet_csk(sk)->icsk_accept_queue.fastopenq); >> >> WARN_ON(atomic_read(&sk->sk_rmem_alloc)); >> WARN_ON(atomic_read(&sk->sk_wmem_alloc)); >> diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c >> index 8464b79..f0c5b9c 100644 >> --- a/net/ipv4/inet_connection_sock.c >> +++ b/net/ipv4/inet_connection_sock.c >> @@ -314,7 +314,7 @@ struct sock *inet_csk_accept(struct sock *sk, int flags, int *err) >> newsk = req->sk; >> >> sk_acceptq_removed(sk); >> - if (sk->sk_type == SOCK_STREAM && queue->fastopenq != NULL) { >> + if (sk->sk_protocol == IPPROTO_TCP && queue->fastopenq != NULL) { >> spin_lock_bh(&queue->fastopenq->lock); >> if (tcp_rsk(req)->listener) { >> /* We are still waiting for the final ACK from 3WHS >> @@ -775,7 +775,7 @@ void inet_csk_listen_stop(struct sock *sk) >> >> percpu_counter_inc(sk->sk_prot->orphan_count); >> >> - if (sk->sk_type == SOCK_STREAM && tcp_rsk(req)->listener) { >> + if (sk->sk_protocol == IPPROTO_TCP && tcp_rsk(req)->listener) { >> BUG_ON(tcp_sk(child)->fastopen_rsk != req); >> BUG_ON(sk != tcp_rsk(req)->listener); >> >> > -- > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists