From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, bunk@stusta.de,
	Wei Yongjun <yjwei@cn.fujitsu.com>,
	YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>,
	Arnaldo Carvalho de Melo <acme@ghostprotocols.net>,
	"David S. Miller" <davem@davemloft.net>
Subject: [patch 09/28] IPV6: Fix kernel panic while send SCTP data with IP fragments
Date: Thu, 23 Aug 2007 15:26:30 -0700
Message-ID: <20070823222630.GJ18559@kroah.com>
In-Reply-To: <20070823221811.GA18559@kroah.com>


-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Wei Yongjun <yjwei@cn.fujitsu.com>

If an ICMP6 "Packet Too Big" message is received after sending SCTP DATA,
a kernel panic will occur when the SCTP DATA is sent again.

This is because of a bad destination address in the call to skb_copy_bits().

The messages sequence is like this:

Endpoint A                             Endpoint B
                               <-------  SCTP DATA (size=1432)
ICMP6 message ------->
(Packet Too Big pmtu=1280)
                               <-------  Resend SCTP DATA (size=1432)
------------kernel panic---------------

 printing eip:
c05be62a
*pde = 00000000
Oops: 0002 [#1]
SMP
Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
CPU:    0
EIP:    0060:[<c05be62a>]    Not tainted VLI
EFLAGS: 00010282   (2.6.23-rc2 #1)
EIP is at skb_copy_bits+0x4f/0x1ef
eax: 000004d0   ebx: ce12a980   ecx: 00000134   edx: cfd5a880
esi: c8246858   edi: 00000000   ebp: c0759b14   esp: c0759adc
ds: 007b   es: 007b   fs: 00d8  gs: 0000  ss: 0068
Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000)
Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 00000000 00000028 cfd5a880
       d09f1890 000005dc 0000007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521
       000004d0 fffff96c 00000200 00000100 c0759b50 cfd5a880 00000246 c0759bd4
Call Trace:
 [<c0405e1d>] show_trace_log_lvl+0x1a/0x2f
 [<c0405ecd>] show_stack_log_lvl+0x9b/0xa3
 [<c040608d>] show_registers+0x1b8/0x289
 [<c0406271>] die+0x113/0x246
 [<c0625dbc>] do_page_fault+0x4ad/0x57e
 [<c0624642>] error_code+0x72/0x78
 [<d09bc521>] ip6_output+0x8e5/0xab2 [ipv6]
 [<d09bcec1>] ip6_xmit+0x2ea/0x3a3 [ipv6]
 [<d0a3f2ca>] sctp_v6_xmit+0x248/0x253 [sctp]
 [<d0a3c934>] sctp_packet_transmit+0x53f/0x5ae [sctp]
 [<d0a34bf8>] sctp_outq_flush+0x555/0x587 [sctp]
 [<d0a34d3c>] sctp_retransmit+0xf8/0x10f [sctp]
 [<d0a3d183>] sctp_icmp_frag_needed+0x57/0x5b [sctp]
 [<d0a3ece2>] sctp_v6_err+0xcd/0x148 [sctp]
 [<d09cf1ce>] icmpv6_notify+0xe6/0x167 [ipv6]
 [<d09d009a>] icmpv6_rcv+0x7d7/0x849 [ipv6]
 [<d09be240>] ip6_input+0x1dc/0x310 [ipv6]
 [<d09be965>] ipv6_rcv+0x294/0x2df [ipv6]
 [<c05c3789>] netif_receive_skb+0x2d2/0x335
 [<c05c5733>] process_backlog+0x7f/0xd0
 [<c05c58f6>] net_rx_action+0x96/0x17e
 [<c042e722>] __do_softirq+0x64/0xcd
 [<c0406f37>] do_softirq+0x5c/0xac
 =======================
Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 <f3> a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01
EIP: [<c05be62a>] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc
Kernel panic - not syncing: Fatal exception in interrupt

Arnaldo says:
====================
Thanks! I'm to blame for this one, problem was introduced in:

b0e380b1d8a8e0aca215df97702f99815f05c094

                /*
                 *      Copy a block of the IP datagram.
                 */
-               if (skb_copy_bits(skb, ptr, frag->h.raw, len))
+               if (skb_copy_bits(skb, ptr, skb_transport_header(skb),
len))
                        BUG();
                left -= len;
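Review bot: The quoted `-`/`+` pair changes the object, not just the accessor: `frag->h.raw` is the transport header of the fragment being built, while `skb_transport_header(skb)` reads the source skb's. The one-to-one conversion of the old field access is `skb_transport_header(frag)`. For bulk accessor conversions of this kind, the review check is that the argument of the new accessor is the same variable as the receiver of the old field access on every converted line.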
====================

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/ipv6/ip6_output.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -790,7 +790,7 @@ slow_path:
 		/*
 		 *	Copy a block of the IP datagram.
 		 */
-		if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len))
+		if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len))
 			BUG();
 		left -= len;
 
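Review bot: The `+` line restores the copy destination to the fragment under construction, `skb_transport_header(frag)`, which is what the pre-b0e380b1d8a8e0aca215df97702f99815f05c094 code expressed as `frag->h.raw`, so the fix is correct and minimal. Worth spelling out in the changelog: with `skb` as the destination the block is copied into the source buffer's own transport header, and the oops above shows `edi` (the `rep movsl` destination at the faulting `<f3> a5`) as 00000000, consistent with that header being unset on the retransmitted skb, so the copy wrote to address 0 and produced the write fault (`Oops: 0002`). The retained `BUG()` on copy failure does not cover this case, because `skb_copy_bits` validates only the source offset and length against `skb->len`, never the destination pointer.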

-- 

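To make the effect of the destination argument concrete, here is a user-space model of the ip6_fragment() slow path described in the changelog (added example, not the kernel's code): a flat-buffer stand-in for sk_buff, the kernel's 8-byte fragment length rounding, and a switch that selects either the regressed destination (the source skb's transport header) or the patched one (the fragment's). The 1432-byte payload and pmtu of 1280 mirror the message sequence in the report; HLEN, FRAG_HDR, the pattern bytes and the function names are the example's own assumptions.

```c
#include <string.h>
/* Added example, not the kernel's code: a user-space model of the ip6_fragment() slow path the
 * patch touches. An "skb" is a flat buffer whose transport header begins at transport_off. */
enum { HLEN = 40, FRAG_HDR = 8, MAX_FRAGS = 8 };   /* IPv6 header and fragment header sizes */
struct skb { unsigned char data[4096]; size_t len; size_t transport_off; };
static unsigned char *skb_transport_header(struct skb *s) { return s->data + s->transport_off; }
/* Model of the kernel helper: copy len bytes starting at src->data[ptr] into 'to'. */
static int skb_copy_bits(const struct skb *src, size_t ptr, unsigned char *to, size_t len) {
    if (ptr + len > src->len) return -1;            /* only the source range is validated */
    memmove(to, src->data + ptr, len);
    return 0;
}
/* Split src (IPv6 header + payload) into fragments of at most mtu bytes. fix_dest=0 reproduces
 * the regression (the copy lands in src's own transport header), fix_dest=1 the patched line
 * (it lands in frag's). Returns the fragment count, or -1 where the kernel would BUG(). */
static int ip6_fragment_slow(struct skb *src, size_t mtu, struct skb *frags, int fix_dest) {
    size_t left = src->len - HLEN, ptr = HLEN, per = mtu - HLEN - FRAG_HDR;
    int n = 0;
    while (left > 0 && n < MAX_FRAGS) {
        size_t len = left > per ? per : left;
        if (len < left) len &= ~(size_t)7;       /* all but the last fragment: multiple of 8 */
        struct skb *frag = &frags[n++];
        memset(frag, 0, sizeof *frag);
        frag->len = HLEN + FRAG_HDR + len;
        frag->transport_off = HLEN + FRAG_HDR;
        memcpy(frag->data, src->data, HLEN);      /* IPv6 header; fragment header left zeroed */
        /* Copy a block of the IP datagram: the destination argument is what the patch fixes. */
        unsigned char *to = fix_dest ? skb_transport_header(frag) : skb_transport_header(src);
        if (skb_copy_bits(src, ptr, to, len)) return -1;
        left -= len; ptr += len;
    }
    return n;
}
/* Constructed input: a 40-byte header plus 1432 payload bytes, fragmented for pmtu 1280 as in
 * the report. Returns 1 only if every fragment carries its block and src was left untouched. */
static int demo(int fix_dest) {
    struct skb src = {{0}, HLEN + 1432, HLEN}, frags[MAX_FRAGS];
    for (size_t i = HLEN; i < src.len; i++) src.data[i] = (unsigned char)(i * 7 + 1);
    struct skb pristine = src;
    int n = ip6_fragment_slow(&src, 1280, frags, fix_dest);
    if (n != 2 || memcmp(&src, &pristine, sizeof src) != 0) return 0;
    size_t pos = HLEN;
    for (int i = 0; i < n; i++) {
        size_t plen = frags[i].len - HLEN - FRAG_HDR;
        if (memcmp(frags[i].data + HLEN + FRAG_HDR, pristine.data + pos, plen) != 0) return 0;
        pos += plen;
    }
    return pos == pristine.len;
}
```

With the regressed destination the second block overwrites the source datagram's own payload and the fragments stay empty; in the kernel the same wrong pointer was unset on the retransmit path, which is the NULL write the oops shows.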