From mboxrd@z Thu Jan 1 00:00:00 1970 From: Wei Yongjun Subject: [PATCH] IPv6: Fix kernel panic while send SCTP data with IP fragments Date: Mon, 20 Aug 2007 09:28:27 +0800 Message-ID: <46C8EE3B.40105@cn.fujitsu.com> Mime-Version: 1.0 Content-Type: text/plain; charset=GB2312 Content-Transfer-Encoding: 7bit To: netdev@vger.kernel.org Return-path: Received: from [222.73.24.84] ([222.73.24.84]:50714 "EHLO song.cn.fujitsu.com" rhost-flags-FAIL-FAIL-OK-OK) by vger.kernel.org with ESMTP id S1751461AbXHTBaM (ORCPT ); Sun, 19 Aug 2007 21:30:12 -0400 Received: from tang.cn.fujitsu.com (tang.cn.fujitsu.com [10.167.250.3]) by song.cn.fujitsu.com (Postfix) with ESMTP id 37C491701A5 for ; Mon, 20 Aug 2007 09:30:11 +0800 (CST) Received: from fnst.cn.fujitsu.com (localhost.localdomain [127.0.0.1]) by tang.cn.fujitsu.com (8.13.1/8.13.1) with ESMTP id l7K1UADs011689 for ; Mon, 20 Aug 2007 09:30:10 +0800 Received: from [10.167.141.203] (unknown [10.167.141.203]) by fnst.cn.fujitsu.com (Postfix) with ESMTP id D52F42938D7 for ; Mon, 20 Aug 2007 09:44:05 +0800 (CST) Sender: netdev-owner@vger.kernel.org List-Id: netdev.vger.kernel.org If ICMP6 message with "Packet Too Big" is received after send SCTP DATA, kernel panic will occur when SCTP DATA is send again. This is because of a bad dest address when call to skb_copy_bits(). The messages sequence is like this: Endpoint A Endpoint B <------- SCTP DATA (size=1432) ICMP6 message -------> (Packet Too Big pmtu=1280) <------- Resend SCTP DATA (size=1432) ------------kernel panic--------------- printing eip: c05be62a *pde = 00000000 Oops: 0002 [#1] SMP Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd CPU: 0 EIP: 0060:[] Not tainted VLI EFLAGS: 00010282 (2.6.23-rc2 #1) EIP is at skb_copy_bits+0x4f/0x1ef eax: 000004d0 ebx: ce12a980 ecx: 00000134 edx: cfd5a880 esi: c8246858 edi: 00000000 ebp: c0759b14 esp: c0759adc ds: 007b es: 007b fs: 00d8 gs: 0000 ss: 0068 Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000) Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 00000000 00000028 cfd5a880 d09f1890 000005dc 0000007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521 000004d0 fffff96c 00000200 00000100 c0759b50 cfd5a880 00000246 c0759bd4 Call Trace: [] show_trace_log_lvl+0x1a/0x2f [] show_stack_log_lvl+0x9b/0xa3 [] show_registers+0x1b8/0x289 [] die+0x113/0x246 [] do_page_fault+0x4ad/0x57e [] error_code+0x72/0x78 [] ip6_output+0x8e5/0xab2 [ipv6] [] ip6_xmit+0x2ea/0x3a3 [ipv6] [] sctp_v6_xmit+0x248/0x253 [sctp] [] sctp_packet_transmit+0x53f/0x5ae [sctp] [] sctp_outq_flush+0x555/0x587 [sctp] [] sctp_retransmit+0xf8/0x10f [sctp] [] sctp_icmp_frag_needed+0x57/0x5b [sctp] [] sctp_v6_err+0xcd/0x148 [sctp] [] icmpv6_notify+0xe6/0x167 [ipv6] [] icmpv6_rcv+0x7d7/0x849 [ipv6] [] ip6_input+0x1dc/0x310 [ipv6] [] ipv6_rcv+0x294/0x2df [ipv6] [] netif_receive_skb+0x2d2/0x335 [] process_backlog+0x7f/0xd0 [] net_rx_action+0x96/0x17e [] __do_softirq+0x64/0xcd [] do_softirq+0x5c/0xac ======================= Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01 EIP: [] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc Kernel panic - not syncing: Fatal exception in interrupt Following is the patch. Signed-off-by: Wei Yongjun --- a/net/ipv6/ip6_output.c 2007-08-14 10:36:03.000000000 -0400 +++ b/net/ipv6/ip6_output.c 2007-08-17 15:33:35.000000000 -0400 @@ -794,7 +794,7 @@ slow_path: /* * Copy a block of the IP datagram. */ - if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len)) + if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len)) BUG(); left -= len;