lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190214074641epcms1p1db1c5589f96718a440a166328eec9ebd@epcms1p1>
Date:   Thu, 14 Feb 2019 16:46:41 +0900
From:   배석진 <soukjin.bae@...sung.com>
To:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC:     배석진 <soukjin.bae@...sung.com>,
        박종언 <jongeon.park@...sung.com>
Subject: [Bug reporting] kernel panic during handle the dst unreach icmp
 msg.

Dear all,


https://www.mail-archive.com/netdev@vger.kernel.org/msg256527.html

as we concerned before at above mail thread,
we faced a problem cased by not removed socket.

(from now, 'the socket' means the socket alloced at 0xFFFFFFC0051E5E00)

#1. the socket is state in TIME_WAIT1. maybe it's process closed the socket.
    below is memory dump information with Trace32.

  (struct sock *)0xFFFFFFC0051E5E00 = 0xFFFFFFC0051E5E00 = end+0x3FF9E4CE00 -> (
    __sk_common = (
       ...
       skc_rcv_saddr = 0x0200A8C0,   ==> 192.168.0.2
       ...
       skc_state = 4,                ==> TIME_WAIT1
       ...
       skc_flags = 0x4301,           ==> SOCK_DEAD(0x01) set


#2. user changed WIFI AP to another one, so previous netdevice deleted and destroied it's sockets.

[60392.948657][4:            netd] 02-13 00:39:32.095  5249  5323 I NetdDestroyed 30 sockets on 192.168.0.2 in 2.7 ms
[60392.948705][4:            netd] 02-13 00:39:32.095  5249  5323 D Netdnotify() code: 614, msg: Address removed 192.168.0.2/24 wlan0 128 0

  --> the socket will be exist for a while.
      because of 'sock_diag_destory() -> tcp_abort()' can not call tcp_done() for the socket.
      but clearing the socket's sk_write_queue by calling tcp_write_queue_purge(sk).


#3. icmp msg(dst unreach) came for sent packet by the socket.
    to retransmit them, lookup sk and fint it. (because the socket still exist)
    but it's sk_write_queue was already cleared so has no skb to send.
    and make the kernel bug.

<4>[60392.948306] I[1:    ksoftirqd/1:   19] ------------[ cut here ]------------
<0>[60392.948334] I[1:    ksoftirqd/1:   19] kernel BUG at net/ipv4/tcp_ipv4.c:519!
<2>[60392.948344] I[1:    ksoftirqd/1:   19] sec_debug_set_extra_info_fault = BUG / 0xffffff80090351d0
<0>[60392.948386] I[1:    ksoftirqd/1:   19] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
...
<4>[60392.950676] I[1:    ksoftirqd/1:   19] PC is at tcp_v4_err+0x4b0/0x4bc
<4>[60392.950684] I[1:    ksoftirqd/1:   19] LR is at tcp_v4_err+0x3ac/0x4bc


370 void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
371 {
        ...
516		icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);
517
518		skb = tcp_write_queue_head(sk);
519		BUG_ON(!skb);
520
521		tcp_mstamp_refresh(tp);


we know that the line 519 removed on latest state. instead this will be shown to kernel panic.
how about below change? do not retransmit packets when socket was already closed.

best regards,



From: soukjin bae <soukjin.bae@...sung.com>
Date: Wen, 14 Jan 2019 14:26:35 +0900
Subject: net: Don't retransmit packets when socket was already closed
 
Signed-off-by: soukjin bae <soukjin.bae@...sung.com>
Signed-off-by: jongeon park <jongeon.park@...sung.com>
---
 net/ipv4/tcp_ipv4 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ipv4/tcp_ipv4 b/net/ipv4/tcp_ipv4
index fe4daf6..654bd19 100755
--- a/net/ipv4/tcp_ipv4
+++ b/net/ipv4/tcp_ipv4

@@ -442,6 +465,10 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
 		err = EPROTO;
 		break;
 	case ICMP_DEST_UNREACH:
+		/* Don't retransmit packets when socket was already closed */
+		if (sock_flag(sk, SOCK_DEAD))
+			goto out;
+
 		if (code > NR_ICMP_UNREACH)
 			goto out;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ