Re: for 3.0 : please add "c16a98e ipv6: tcp: fix panic in SYN processing"

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Willy Tarreau <w@1wt.eu>
Cc: David Miller <davem@davemloft.net>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	netdev@vger.kernel.org, stable@vger.kernel.org
Subject: Re: for 3.0 : please add "c16a98e ipv6: tcp: fix panic in SYN processing"
Date: Fri, 18 Oct 2013 07:34:33 -0700	[thread overview]
Message-ID: <20131018143433.GA27502@kroah.com> (raw)
In-Reply-To: <20131018140442.GA16883@1wt.eu>

On Fri, Oct 18, 2013 at 04:04:42PM +0200, Willy Tarreau wrote:
> Greg, David,
> 
> one of our customers faced a panic in latest 2.6.32 when both somaxconn
> and the listen backlog are large on an IPv6 socket. It was also reported
> by one haproxy user on the latest RHEL6 kernel a few months ago. We found
> that the same bug affects 3.0 up to and including 3.0.100.
> 
> Eric had already spotted that bug and fixed it in 3.2 with the following
> patch :
> 
>   commit c16a98ed91597b40b22b540c6517103497ef8e74
>   Author: Eric Dumazet <eric.dumazet@gmail.com>
>   Date:   Wed Nov 23 15:49:31 2011 -0500
> 
>     ipv6: tcp: fix panic in SYN processing
>     
>     commit 72a3effaf633bc ([NET]: Size listen hash tables using backlog
>     hint) added a bug allowing inet6_synq_hash() to return an out of bound
>     array index, because of u16 overflow.
>     
>     Bug can happen if system admins set net.core.somaxconn &
>     net.ipv4.tcp_max_syn_backlog sysctls to values greater than 65536
>     
>     Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> In practice, the bug extends to lower values as well (32768 and above),
> because reqsk_queue_alloc() can round the number of entries to double of
> the backlog by doing roundup_pow_of_two(backlog+1), resulting in
> inet6_csk_search_req() calling inet6_synq_hash() with too large an integer.
> 
> Could we please apply it to 3.0 before it finishes its life ?

Unless David objects, I can queue this up just in time for the last
3.0.stable.

David?

next prev parent reply	other threads:[~2013-10-18 14:34 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-10-18 14:04 for 3.0 : please add "c16a98e ipv6: tcp: fix panic in SYN processing" Willy Tarreau
2013-10-18 14:34 ` Greg Kroah-Hartman [this message]
2013-10-18 17:31   ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20131018143433.GA27502@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=eric.dumazet@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=w@1wt.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.