From: Vladis Dronov <vdronov@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: netdev@vger.kernel.org, stable@vger.kernel.org,
	Marco Grassi <marco.gra@gmail.com>
Subject: Re: BUG() can be hit in tcp_collapse()
Date: Wed, 30 Nov 2016 12:00:17 -0500 (EST)
Message-ID: <1418136049.827916.1480525217226.JavaMail.zimbra@redhat.com>
In-Reply-To: <1716309808.12143903.1478869689618.JavaMail.zimbra@redhat.com>

Hello, Eric, Marco, all,

This is JFYI and a follow-up message.

A further investigation was made to find out the Linux kernel commit which
introduced the flaw. It appeared that previous Linux kernel versions are vulnerable,
down to v3.6-rc1. This fact was hidden by 'net.ipv4.tcp_fastopen' being set to 0 by default,
and it has been easier to notice since kernel v3.12 due to commit 0d41cca490, where the
default was changed to 1. With 'net.ipv4.tcp_fastopen' set to 1, previous Linux
kernels (including RHEL-7 ones) are also vulnerable.

The bug has been here since the tcp-fastopen feature was introduced in kernel v3.6-rc1. The first
commit at which the reproducer starts to panic the kernel with net.ipv4.tcp_fastopen=1 set
is cf60af03ca, which is part of the commit sequence 2100c8d2d9..67da22d23f introducing the
net-tcp-fastopen feature:

$ git bisect bad cf60af03ca4e71134206809ea892e49b92a88896
cf60af03ca4e71134206809ea892e49b92a88896 is the first bad commit
commit cf60af03ca4e71134206809ea892e49b92a88896
Author: Yuchung Cheng <ycheng@google.com>
Date:   Thu Jul 19 06:43:09 2012 +0000

So, ideally, the upstream commit ac6e780070 which fixes the bug should have had a
"Fixes: cf60af03ca" tag; unfortunately, this investigation was not completed at
the time the patch was accepted upstream. And unfortunately I do not see any other way
to add this information except making a note in a comment in the related code, which
seems weird.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
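As an added example (not from this thread or the kernel tree), the two facts above can be turned into a defender-side check: the fastopen code, and with it the bug, exists from v3.6-rc1 on, and the BUG() is only reachable while net.ipv4.tcp_fastopen is non-zero. The script name, the "any non-zero value counts as enabled" rule and the output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the thread: classify a host's exposure to the
# tcp_collapse() BUG() from its kernel version and net.ipv4.tcp_fastopen value.
# Arguments are explicit so the logic can be checked against any version string.

# Succeed (exit 0) when kernel version string $1 is 3.6 or newer.
# Accepts uname -r style values such as "3.10.0-514.el7.x86_64" or "4.8.0-rc2".
kernel_at_least_3_6() {
    v=${1%%-*}                      # drop "-rc1", "-514.el7.x86_64", ...
    major=${v%%.*}
    case "$v" in
        *.*) rest=${v#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;             # assumed: a bare "4" means 4.0
    esac
    [ "$major" -gt 3 ] 2>/dev/null ||
        { [ "$major" -eq 3 ] 2>/dev/null && [ "$minor" -ge 6 ] 2>/dev/null; }
}

# Print a one-word classification for kernel $1 with net.ipv4.tcp_fastopen=$2.
# Assumption: any non-zero tcp_fastopen value counts as "enabled"; the message
# only states that 0 hides the bug and 1 exposes it.
assess_exposure() {
    kver=$1; tfo=$2
    if ! kernel_at_least_3_6 "$kver"; then
        echo "not-affected"             # predates the fastopen code (v3.6-rc1)
    elif [ "$tfo" -eq 0 ] 2>/dev/null; then
        echo "mitigated-by-tcp_fastopen=0"
    else
        echo "exposed-unless-patched"   # needs fix commit ac6e780070 (or a backport)
    fi
}

# Live check of the current host; falls back to 0 when the sysctl is absent.
check_this_host() {
    assess_exposure "$(uname -r)" \
        "$(cat /proc/sys/net/ipv4/tcp_fastopen 2>/dev/null || echo 0)"
}

check_this_host
```

"exposed-unless-patched" is not a verdict: the version test cannot see whether ac6e780070 has been backported into a distribution kernel, so that case still needs the vendor's changelog or errata.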

Thread overview: 13+ messages
     [not found] <1348037656.11947320.1478787081068.JavaMail.zimbra@redhat.com>
2016-11-10 14:47 ` BUG() can be hit in tcp_collapse() Vladis Dronov
2016-11-10 15:34   ` Greg KH
2016-11-10 15:44   ` Eric Dumazet
2016-11-10 19:26     ` Eric Dumazet
2016-11-10 19:49       ` Eric Dumazet
2016-11-10 20:13         ` Eric Dumazet
2016-11-10 20:50           ` [PATCH net] tcp: take care of truncations done by sk_filter() Eric Dumazet
2016-11-10 21:04             ` Eric Dumazet
2016-11-10 21:12             ` [PATCH v2 " Eric Dumazet
2016-11-13 17:30               ` David Miller
2016-11-11 13:08           ` BUG() can be hit in tcp_collapse() Vladis Dronov
2016-11-30 17:00             ` Vladis Dronov [this message]
2016-11-30 17:33               ` Eric Dumazet