Message-ID: <20190214074641epcms1p1db1c5589f96718a440a166328eec9ebd@epcms1p1>
Date: Thu, 14 Feb 2019 16:46:41 +0900
From: 배석진 <soukjin.bae@...sung.com>
To: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC: 배석진 <soukjin.bae@...sung.com>, 박종언 <jongeon.park@...sung.com>
Subject: [Bug reporting] kernel panic during handle the dst unreach icmp msg.

Dear all,

https://www.mail-archive.com/netdev@vger.kernel.org/msg256527.html

As we were concerned before in the above mail thread, we faced a problem caused by a socket that was not removed.
(from now on, 'the socket' means the socket allocated at 0xFFFFFFC0051E5E00)

#1. The socket is in state TIME_WAIT1. Maybe its process closed the socket.
Below is memory dump information from Trace32.

  (struct sock *)0xFFFFFFC0051E5E00 = 0xFFFFFFC0051E5E00 = end+0x3FF9E4CE00 -> (
    __sk_common = (
      ...
      skc_rcv_saddr = 0x0200A8C0,   ==> 192.168.0.2
      ...
      skc_state = 4,   ==> TIME_WAIT1
      ...
      skc_flags = 0x4301,   ==> SOCK_DEAD(0x01) set

#2. The user changed the WIFI AP to another one, so the previous netdevice was deleted and its sockets were destroyed.

[60392.948657][4: netd] 02-13 00:39:32.095 5249 5323 I NetdDestroyed 30 sockets on 192.168.0.2 in 2.7 ms
[60392.948705][4: netd] 02-13 00:39:32.095 5249 5323 D Netdnotify() code: 614, msg: Address removed 192.168.0.2/24 wlan0 128 0

--> The socket will exist for a while, because 'sock_diag_destroy() -> tcp_abort()' cannot call tcp_done() for the socket, but it clears the socket's sk_write_queue by calling tcp_write_queue_purge(sk).

#3. An ICMP msg (dst unreach) came for a packet sent by the socket. To retransmit them, sk is looked up and found (because the socket still exists), but its sk_write_queue was already cleared so it has no skb to send, and this triggers the kernel BUG.

<4>[60392.948306] I[1: ksoftirqd/1: 19] ------------[ cut here ]------------
<0>[60392.948334] I[1: ksoftirqd/1: 19] kernel BUG at net/ipv4/tcp_ipv4.c:519!
<2>[60392.948344] I[1: ksoftirqd/1: 19] sec_debug_set_extra_info_fault = BUG / 0xffffff80090351d0
<0>[60392.948386] I[1: ksoftirqd/1: 19] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
...
<4>[60392.950676] I[1: ksoftirqd/1: 19] PC is at tcp_v4_err+0x4b0/0x4bc
<4>[60392.950684] I[1: ksoftirqd/1: 19] LR is at tcp_v4_err+0x3ac/0x4bc

370 void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
371 {
...
516 	icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);
517
518 	skb = tcp_write_queue_head(sk);
519 	BUG_ON(!skb);
520
521 	tcp_mstamp_refresh(tp);

We know that line 519 was removed in the latest state; instead this will show up as a kernel panic.
How about the change below? Do not retransmit packets when the socket was already closed.

Best regards,

From: soukjin bae <soukjin.bae@...sung.com>
Date: Wen, 14 Jan 2019 14:26:35 +0900
Subject: net: Don't retransmit packets when socket was already closed

Signed-off-by: soukjin bae <soukjin.bae@...sung.com>
Signed-off-by: jongeon park <jongeon.park@...sung.com>
--- net/ipv4/tcp_ipv4 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/ipv4/tcp_ipv4 b/net/ipv4/tcp_ipv4 index fe4daf6..654bd19 100755 --- a/net/ipv4/tcp_ipv4 +++ b/net/ipv4/tcp_ipv4 @@ -442,6 +465,10 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info) err = EPROTO; break; case ICMP_DEST_UNREACH: + /* Don't retransmit packets when socket was already closed */ + if (sock_flag(sk, SOCK_DEAD)) + goto out; + if (code > NR_ICMP_UNREACH) goto out;
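
Review bot: the new `if (sock_flag(sk, SOCK_DEAD)) goto out;` at the top of `case ICMP_DEST_UNREACH:` tests a broader condition than the one that fails in the report. The BUG at line 519 fires because `tcp_write_queue_head(sk)` returned NULL, but with this check every closed socket skips the whole dest-unreach branch, including closed sockets whose write queue still holds data. Consider testing the failing condition where it occurs, i.e. bail out when `skb` is NULL right after `skb = tcp_write_queue_head(sk);`, or state in the commit message why ignoring the ICMP for all SOCK_DEAD sockets is intended. Separately, the diff names the file `net/ipv4/tcp_ipv4` with mode 100755, and the hunk header `-442,6 +465,10` shows a 23-line offset for a 4-line insertion, so the patch does not look like it was generated against a clean tree and would need regenerating before it can be applied.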
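
Added example (not part of the original message and not kernel code): a user-space C model of steps #1 to #3 above, showing which orderings reach the empty-queue BUG and what the proposed SOCK_DEAD check changes. The struct layout, the `hashed` field, `scenario()` and the `model_` names are hypothetical simplifications; only the flag value 0x01 and the kernel function names in the comments come from the message.

```c
/* Constructed user-space model of the report's steps #1-#3; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

enum { MODEL_SOCK_DEAD = 0x01 };   /* SOCK_DEAD bit as annotated in the dump */
enum verdict { RETRANSMIT, IGNORED, WOULD_BUG };
struct skb { struct skb *next; };
struct sock_model {
    unsigned flags;                /* stands in for skc_flags */
    struct skb *write_queue;       /* stands in for sk_write_queue */
    bool hashed;                   /* true while a lookup can still find it */
};

/* Step #2: queue is always purged; an already-SOCK_DEAD socket stays findable. */
static void model_abort(struct sock_model *sk)
{
    if (!(sk->flags & MODEL_SOCK_DEAD))
        sk->hashed = false;        /* the tcp_done() path */
    sk->write_queue = NULL;        /* the tcp_write_queue_purge() path */
}

/* Step #3: dest-unreach handling. guard=true adds the proposed early exit. */
static enum verdict model_icmp_unreach(const struct sock_model *sk, bool guard)
{
    if (!sk->hashed)
        return IGNORED;            /* no socket found for the ICMP */
    if (guard && (sk->flags & MODEL_SOCK_DEAD))
        return IGNORED;            /* proposed SOCK_DEAD check */
    if (sk->write_queue == NULL)
        return WOULD_BUG;          /* BUG_ON(!skb) at line 519 */
    return RETRANSMIT;
}

/* Run one ordering: optionally close, optionally abort, then deliver ICMP. */
enum verdict scenario(bool closed, bool aborted, bool guard)
{
    struct skb segs[2] = { { &segs[1] }, { NULL } };   /* two unacked segments */
    struct sock_model sk = { closed ? MODEL_SOCK_DEAD : 0, &segs[0], true };
    if (aborted) model_abort(&sk);
    return model_icmp_unreach(&sk, guard);
}

int main(void)
{
    static const char *name[] = { "retransmit", "ignored", "would-BUG" };
    printf("closed+aborted, no guard: %s\n", name[scenario(true, true, false)]);
    printf("closed only, guard:       %s\n", name[scenario(true, false, true)]);
    return 0;
}
```

In this model the guard also turns the closed-but-not-aborted case, where data is still queued, from a retransmit into an ignored ICMP.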