* [PATCH] DCCP: Fix double free of skb which may cause kernel panic
@ 2008-06-10  7:31 Wei Yongjun
  2008-06-10  7:45 ` Wei Yongjun
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Wei Yongjun @ 2008-06-10  7:31 UTC (permalink / raw)
  To: dccp

Since the skb will be freed after the reset is sent, the kfree_skb(skb) in
dccp_v6_ctl_send_reset() will cause a kernel panic.

static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
...snip...
reset:
        dccp_v6_ctl_send_reset(sk, skb);
discard:
        if (opt_skb != NULL)
                __kfree_skb(opt_skb);
        kfree_skb(skb);
        return 0;
}

This patch fixes this problem.

Pid: 0, comm: swapper Not tainted (2.6.26-rc2 #1)
EIP: 0060:[<c05acdaf>] EFLAGS: 00010206 CPU: 0
EIP is at kfree_skb+0x9/0x30
EAX: 00002fde EBX: c7306e80 ECX: c7801080 EDX: 00002fde
ESI: c7983680 EDI: c72d9800 EBP: c075adfc ESP: c075adfc
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process swapper (pid: 0, ti=c075a000 task=c76df3a0 task.ti=c0714000)
Stack: c075ae08 c8a259d8 c7a0f848 c075ae38 c8a260fc c7983680 c72d9800 c72d9b90
       64000000 c79836a0 c7306e80 8cf2437f c7a0f848 c7983680 c72d9800 c075ae78
       c89e6c78 c7983680 c72d9800 0a804500 c79836a0 0c011908 f24206cc c46c3660
Call Trace:
 [<c8a259d8>] ? dccp_v6_reqsk_destructor+0x1f/0x22 [dccp_ipv6]
 [<c8a260fc>] ? dccp_v6_conn_request+0x243/0x27d [dccp_ipv6]
 [<c89e6c78>] ? dccp_rcv_state_process+0x3d/0x4b5 [dccp]
 [<c8a25976>] ? dccp_v6_do_rcv+0x132/0x175 [dccp_ipv6]
 [<c05bb355>] ? sk_filter+0x66/0x6d
 [<c05ab5c2>] ? sk_receive_skb+0x32/0x7c
 [<c8a267b3>] ? dccp_v6_rcv+0x2a5/0x32a [dccp_ipv6]
 [<c8ee2ee0>] ? ip6_input_finish+0x158/0x280 [ipv6]
 [<c8ee304a>] ? ip6_input+0x42/0x47 [ipv6]
 [<c8ee3357>] ? ipv6_rcv+0x27c/0x2c9 [ipv6]
 [<c05b1336>] ? netif_receive_skb+0x2e0/0x349
 [<c88f2a12>] ? pcnet32_poll+0x333/0x66e [pcnet32]
 [<c0438afa>] ? clocksource_watchdog+0x21e/0x22d
 [<c040428b>] ? common_interrupt+0x23/0x28
 [<c05b308c>] ? net_rx_action+0x8f/0x147
 [<c0427c5b>] ? __do_softirq+0x64/0xcd
 [<c0405898>] ? do_softirq+0x55/0x88
 [<c0427bf5>] ? irq_exit+0x38/0x3a
 [<c0412b42>] ? smp_apic_timer_interrupt+0x71/0x7f
 [<c04025eb>] ? default_idle+0x0/0x42
 [<c0404348>] ? apic_timer_interrupt+0x28/0x30
 [<c04025eb>] ? default_idle+0x0/0x42
 [<c0402618>] ? default_idle+0x2d/0x42
 [<c0402566>] ? cpu_idle+0x8b/0x9f
 [<c060c89a>] ? rest_init+0x4e/0x50
 ===========

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>

--- a/net/dccp/ipv6.c	2008-05-29 22:27:55.000000000 -0400
+++ b/net/dccp/ipv6.c	2008-06-05 04:13:18.000000000 -0400
@@ -333,8 +333,6 @@ static void dccp_v6_ctl_send_reset(struc
 			return;
 		}
 	}
-
-	kfree_skb(skb);
 }
 
 static struct request_sock_ops dccp6_request_sock_ops = {
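Review bot: the removed kfree_skb(skb) at the end of dccp_v6_ctl_send_reset() runs only on the path that does not take the `return;` shown in the hunk's context, so it is the cleanup for the case where the function did not hand the reset skb to the stack; deleting it unconditionally leaks that skb whenever the early return is not reached (the follow-up in this thread confirms the function does not free the skb when it was sent correctly). The oops in the description also places the crashing kfree_skb() under dccp_v6_reqsk_destructor() called from dccp_v6_conn_request(), not under dccp_v6_ctl_send_reset(), so the second free is in the request-sock teardown path rather than here; this hunk should be dropped and the fix should make sure the received skb is released exactly once on that path instead.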




--
To unsubscribe from this list: send the line "unsubscribe dccp" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
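To make the ownership contract the commit message and the replies argue about concrete, here is an added toy model in C, not kernel code and not the author's: a refcounted stand-in for sk_buff, a reset-sending helper that borrows the received skb and frees only the reset skb it built (and only when transmission did not consume it), beside a variant that also frees the received skb, which the caller's discard path then frees a second time. All names (skb_model, kfree_skb_model, send_reset_borrow, send_reset_consume, do_rcv_model) are hypothetical stand-ins for the DCCP functions named in the thread.

```c
/* Added toy model of sk_buff ownership, not kernel code: every name below is a
 * simplified stand-in for the DCCP functions discussed in the thread. */
#include <stdbool.h>

struct skb_model {
	int users;     /* reference count, like skb->users */
	int releases;  /* model-only: how often the buffer was released */
};

/* Like kfree_skb(): drop one reference, release at zero. Releasing an already
 * released buffer is the double free; the model counts it instead of crashing. */
static void kfree_skb_model(struct skb_model *s)
{
	if (s->users > 0 && --s->users > 0)
		return;
	s->releases++;
}

/* Correct contract: borrow rxskb, own only the reset skb we built, and free
 * that one ourselves only when transmission did not consume it. */
static void send_reset_borrow(struct skb_model *rxskb, struct skb_model *reset, bool xmit_ok)
{
	(void)rxskb;                 /* inspected to build the reset, never freed */
	if (xmit_ok) {
		kfree_skb_model(reset);  /* stands in for ip6_xmit() taking ownership */
		return;
	}
	kfree_skb_model(reset);      /* error path: release our own allocation */
}

/* Buggy contract: also free rxskb, which the caller's discard path frees again. */
static void send_reset_consume(struct skb_model *rxskb, struct skb_model *reset, bool xmit_ok)
{
	send_reset_borrow(rxskb, reset, xmit_ok);
	kfree_skb_model(rxskb);
}

typedef void (*send_reset_fn)(struct skb_model *, struct skb_model *, bool);

/* Caller shaped like dccp_v6_do_rcv(): send the reset, then the discard path
 * frees the received skb. Returns 10 * rxskb releases + reset skb releases:
 * 11 is correct, 21 is the double free, a trailing 0 would leak the reset. */
static int do_rcv_model(send_reset_fn send_reset, bool xmit_ok)
{
	struct skb_model rxskb = { 1, 0 }, reset = { 1, 0 };

	send_reset(&rxskb, &reset, xmit_ok);
	kfree_skb_model(&rxskb);     /* discard: */
	return rxskb.releases * 10 + reset.releases;
}
```

With the borrowing helper both buffers are released exactly once whether or not the reset could be transmitted; with the consuming helper the received skb is released twice, the pattern a real kfree_skb() turns into the oops quoted above.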


* Re: [PATCH] DCCP: Fix double free of skb which may cause kernel panic
  2008-06-10  7:31 [PATCH] DCCP: Fix double free of skb which may cause kernel panic Wei Yongjun
@ 2008-06-10  7:45 ` Wei Yongjun
  2008-06-10  8:01 ` [PATCH] DCCP: Fix double free of skb which may cause kernel Gerrit Renker
  2008-06-10  8:36 ` [PATCH] DCCP: Fix double free of skb which may cause kernel panic Wei Yongjun
  2 siblings, 0 replies; 4+ messages in thread
From: Wei Yongjun @ 2008-06-10  7:45 UTC (permalink / raw)
  To: dccp

Hi, Gerrit Renker

Please ignore this mail, I will send the patch again after the patch is
written correctly.

Thanks.

Wei Yongjun wrote:

> Since the skb will be freed after the reset is sent, the kfree_skb(skb) in
> dccp_v6_ctl_send_reset() will cause a kernel panic.
>
> static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
> ...snip...
> reset:
>         dccp_v6_ctl_send_reset(sk, skb);
> discard:
>         if (opt_skb != NULL)
>                 __kfree_skb(opt_skb);
>         kfree_skb(skb);
>         return 0;
> }
>
> This patch fixes this problem.
>
> Pid: 0, comm: swapper Not tainted (2.6.26-rc2 #1)
> EIP: 0060:[<c05acdaf>] EFLAGS: 00010206 CPU: 0
> EIP is at kfree_skb+0x9/0x30
> EAX: 00002fde EBX: c7306e80 ECX: c7801080 EDX: 00002fde
> ESI: c7983680 EDI: c72d9800 EBP: c075adfc ESP: c075adfc
> DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> Process swapper (pid: 0, ti=c075a000 task=c76df3a0 task.ti=c0714000)
> Stack: c075ae08 c8a259d8 c7a0f848 c075ae38 c8a260fc c7983680 c72d9800 
> c72d9b90
>       64000000 c79836a0 c7306e80 8cf2437f c7a0f848 c7983680 c72d9800 
> c075ae78
>       c89e6c78 c7983680 c72d9800 0a804500 c79836a0 0c011908 f24206cc 
> c46c3660
> Call Trace:
> [<c8a259d8>] ? dccp_v6_reqsk_destructor+0x1f/0x22 [dccp_ipv6]
> [<c8a260fc>] ? dccp_v6_conn_request+0x243/0x27d [dccp_ipv6]
> [<c89e6c78>] ? dccp_rcv_state_process+0x3d/0x4b5 [dccp]
> [<c8a25976>] ? dccp_v6_do_rcv+0x132/0x175 [dccp_ipv6]
> [<c05bb355>] ? sk_filter+0x66/0x6d
> [<c05ab5c2>] ? sk_receive_skb+0x32/0x7c
> [<c8a267b3>] ? dccp_v6_rcv+0x2a5/0x32a [dccp_ipv6]
> [<c8ee2ee0>] ? ip6_input_finish+0x158/0x280 [ipv6]
> [<c8ee304a>] ? ip6_input+0x42/0x47 [ipv6]
> [<c8ee3357>] ? ipv6_rcv+0x27c/0x2c9 [ipv6]
> [<c05b1336>] ? netif_receive_skb+0x2e0/0x349
> [<c88f2a12>] ? pcnet32_poll+0x333/0x66e [pcnet32]
> [<c0438afa>] ? clocksource_watchdog+0x21e/0x22d
> [<c040428b>] ? common_interrupt+0x23/0x28
> [<c05b308c>] ? net_rx_action+0x8f/0x147
> [<c0427c5b>] ? __do_softirq+0x64/0xcd
> [<c0405898>] ? do_softirq+0x55/0x88
> [<c0427bf5>] ? irq_exit+0x38/0x3a
> [<c0412b42>] ? smp_apic_timer_interrupt+0x71/0x7f
> [<c04025eb>] ? default_idle+0x0/0x42
> [<c0404348>] ? apic_timer_interrupt+0x28/0x30
> [<c04025eb>] ? default_idle+0x0/0x42
> [<c0402618>] ? default_idle+0x2d/0x42
> [<c0402566>] ? cpu_idle+0x8b/0x9f
> [<c060c89a>] ? rest_init+0x4e/0x50
> ===========
>
> Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
>
> --- a/net/dccp/ipv6.c    2008-05-29 22:27:55.000000000 -0400
> +++ b/net/dccp/ipv6.c    2008-06-05 04:13:18.000000000 -0400
> @@ -333,8 +333,6 @@ static void dccp_v6_ctl_send_reset(struc
>             return;
>         }
>     }
> -
> -    kfree_skb(skb);
> }
>
> static struct request_sock_ops dccp6_request_sock_ops = {
>
>
>
>
> -- 
> To unsubscribe from this list: send the line "unsubscribe dccp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>


-- 
--------------------------------------------------
Wei Yongjun
Development Dept.I
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
8/F., Civil Defense Building, No.189 Guangzhou Road,
Nanjing, 210029, China
TEL: +86+25-86630523-836
COINS: 79955-836
FAX: +86+25-83317685
MAIL: yjwei@cn.fujitsu.com
--------------------------------------------------
This communication is for use by the intended recipient(s) only and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not an intended recipient of this communication, you are hereby notified that any dissemination, distribution or copying hereof is strictly prohibited.  If you have received this communication in error, please notify me by reply e-mail, permanently delete this communication from your system, and destroy any hard copies you may have printed



* Re: [PATCH] DCCP: Fix double free of skb which may cause kernel
  2008-06-10  7:31 [PATCH] DCCP: Fix double free of skb which may cause kernel panic Wei Yongjun
  2008-06-10  7:45 ` Wei Yongjun
@ 2008-06-10  8:01 ` Gerrit Renker
  2008-06-10  8:36 ` [PATCH] DCCP: Fix double free of skb which may cause kernel panic Wei Yongjun
  2 siblings, 0 replies; 4+ messages in thread
From: Gerrit Renker @ 2008-06-10  8:01 UTC (permalink / raw)
  To: dccp

> Hi, Gerrit Renker
>
> Please ignore this mail, I will send the patch again after the patch is
> written correctly.
>
Yes indeed - there is a valid point here but it needs a bit more investigation.

There are several paths for the control flow in dccp_v6_ctl_send_reset().
I am further wondering, since dccp_v4_ctl_send_reset() is similar, if
you can trigger the same condition in DCCPv4?

Can not test this at the moment, probably not before today.

Gerrit


* Re: [PATCH] DCCP: Fix double free of skb which may cause kernel panic
  2008-06-10  7:31 [PATCH] DCCP: Fix double free of skb which may cause kernel panic Wei Yongjun
  2008-06-10  7:45 ` Wei Yongjun
  2008-06-10  8:01 ` [PATCH] DCCP: Fix double free of skb which may cause kernel Gerrit Renker
@ 2008-06-10  8:36 ` Wei Yongjun
  2 siblings, 0 replies; 4+ messages in thread
From: Wei Yongjun @ 2008-06-10  8:36 UTC (permalink / raw)
  To: dccp

Gerrit Renker wrote:
>> Hi, Gerrit Renker
>>
>> Please ignore this mail, I will send the patch again after the patch is
>> written correctly.
>>
>>     
> Yes indeed - there is a valid point here but it needs a bit more investigation.
>
> There are several paths for the control flow in dccp_v6_ctl_send_reset().
> I am further wondering, since dccp_v4_ctl_send_reset() is similar, if
> you can trigger the same condition in DCCPv4?
>
> Can not test this at the moment, probably not before today.
>   

This happened when I was writing a test case, and it can be tested again. IPv4
has no problem.
I tested this by sending a REQUEST to the endpoint with a bad option; the first
time nothing happened, the second time a kernel panic happened.
But this problem is not caused by the kfree_skb in
dccp_v6_ctl_send_reset(); it has no problem, since it does not free the skb when the
skb is sent correctly.

> Gerrit
>
>   

