From: Pavel Emelyanov <xemul@parallels.com>
To: Eric Dumazet <eric.dumazet@gmail.com>,
	David Miller <davem@davemloft.net>
Cc: Tommi Rantala <tt.rantala@gmail.com>,
	netdev@vger.kernel.org, Dave Jones <davej@redhat.com>
Subject: Re: [PATCH] net: fix infinite loop in __skb_recv_datagram()
Date: Tue, 12 Feb 2013 20:18:13 +0400
Message-ID: <511A6B45.3090504@parallels.com>
In-Reply-To: <1360685813.13993.12.camel@edumazet-glaptop>

On 02/12/2013 08:16 PM, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> Tommi was fuzzing with trinity and reported the following problem:
> 
> commit 3f518bf745 (datagram: Add offset argument to __skb_recv_datagram)
> missed that a raw socket receive queue can contain skbs with no payload.
> 
> We can loop in __skb_recv_datagram() with MSG_PEEK mode, because
> wait_for_packet() is not prepared to skip these skbs.
> 
> [   83.541011] INFO: rcu_sched detected stalls on CPUs/tasks: {}
> (detected by 0, t=26002 jiffies, g=27673, c=27672, q=75)
> [   83.541011] INFO: Stall ended before state dump start
> [  108.067010] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child31:2847]
> ...
> [  108.067010] Call Trace:
> [  108.067010]  [<ffffffff818cc103>] __skb_recv_datagram+0x1a3/0x3b0
> [  108.067010]  [<ffffffff818cc33d>] skb_recv_datagram+0x2d/0x30
> [  108.067010]  [<ffffffff819ed43d>] rawv6_recvmsg+0xad/0x240
> [  108.067010]  [<ffffffff818c4b04>] sock_common_recvmsg+0x34/0x50
> [  108.067010]  [<ffffffff818bc8ec>] sock_recvmsg+0xbc/0xf0
> [  108.067010]  [<ffffffff818bf31e>] sys_recvfrom+0xde/0x150
> [  108.067010]  [<ffffffff81ca4329>] system_call_fastpath+0x16/0x1b
> 
> Reported-by: Tommi Rantala <tt.rantala@gmail.com>
> Tested-by: Tommi Rantala <tt.rantala@gmail.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Pavel Emelyanov <xemul@parallels.com>

Acked-by: Pavel Emelyanov <xemul@parallels.com>

Thanks!

> ---
>  net/core/datagram.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/core/datagram.c b/net/core/datagram.c
> index 0337e2b..368f9c3 100644
> --- a/net/core/datagram.c
> +++ b/net/core/datagram.c
> @@ -187,7 +187,7 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
>  		skb_queue_walk(queue, skb) {
>  			*peeked = skb->peeked;
>  			if (flags & MSG_PEEK) {
> -				if (*off >= skb->len) {
> +				if (*off >= skb->len && skb->len) {
>  					*off -= skb->len;
>  					continue;
>  				}
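Review bot: the added `&& skb->len` in the MSG_PEEK branch deserves a one-line comment, because the reason is not visible from the condition itself: for an skb with no payload `*off >= skb->len` is always true, so the old test skipped it on every pass, and since wait_for_packet() returns at once while the queue is non-empty (as the changelog says), the walk never made progress. A second point for the changelog: with the new test a zero-length skb is no longer skipped even when `*off` is still greater than zero, and `*off` is left untouched in that case; it is worth stating that a residual offset against an skb with no payload is acceptable to the callers, or noting it if it is not.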

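A constructed user-space model of the MSG_PEEK queue walk and its retry loop, added here to show why a queue holding only zero-length skbs spins under the old test and stops under the fixed one. It is not kernel code or anything from this thread: the queue is an array of payload lengths, and wait_for_packet() is reduced to "returns immediately while the queue is non-empty", which is the behaviour the changelog describes.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_SPINS 1000	/* stands in for the soft lockup; the kernel loop has no bound */

/* One skb_queue_walk() pass in MSG_PEEK mode over a constructed queue of
 * payload lengths. Returns the index the walk stops at, or -1 if every skb
 * was skipped. `off` is decremented as in the kernel and not reset. */
static int peek_walk(const size_t *len, size_t n, size_t *off, bool fixed)
{
	for (size_t i = 0; i < n; i++) {
		/* Old test: skip whenever *off >= skb->len, which for a zero-length
		 * skb is always true. The fix (`&& skb->len`) never skips an skb
		 * that has no payload, so the walk can stop at it. */
		bool skip = (*off >= len[i]) && (!fixed || len[i] != 0);
		if (skip) {
			*off -= len[i];
			continue;
		}
		return (int)i;
	}
	return -1;
}

/* The do { walk } while (!wait_for_packet()) loop for a blocking caller:
 * wait_for_packet() returns at once while the queue is non-empty, so a pass
 * that skipped everything just runs again. Returns the index peeked, or -1
 * when MAX_SPINS passes made no progress (the reported hang). */
int recv_peek(const size_t *len, size_t n, size_t off, bool fixed)
{
	if (n == 0)
		return -1;	/* the real code would sleep here instead */
	for (int spins = 0; spins < MAX_SPINS; spins++) {
		int idx = peek_walk(len, n, &off, fixed);
		if (idx >= 0)
			return idx;
	}
	return -1;
}

int main(void)
{
	/* Constructed queues: a raw socket can queue skbs with no payload. */
	static const size_t mixed[] = { 0, 0, 40 }, empty_only[] = { 0, 0 };
	printf("mixed queue:      old %d, fixed %d\n",
	       recv_peek(mixed, 3, 0, false), recv_peek(mixed, 3, 0, true));
	printf("zero-length only: old %d, fixed %d\n",
	       recv_peek(empty_only, 2, 0, false), recv_peek(empty_only, 2, 0, true));
	return 0;
}
```

With a mixed queue the old test silently skips the empty skbs and still finds the 40-byte one; the hang only appears when every remaining skb is zero-length, which is why it took a fuzzer to hit it.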
Thread overview: 11+ messages
2013-02-11 19:25 soft lockup at __skb_recv_datagram() when fuzzing with trinity as root in VM Tommi Rantala
2013-02-12  0:19 ` Eric Dumazet
2013-02-12  3:15   ` Eric Dumazet
2013-02-12  7:42     ` Tommi Rantala
2013-02-12 16:16       ` [PATCH] net: fix infinite loop in __skb_recv_datagram() Eric Dumazet
2013-02-12 16:18         ` Pavel Emelyanov [this message]
2013-02-12 21:07         ` David Miller
2013-02-15 12:41           ` Hannes Frederic Sowa
2013-02-15 17:43             ` Ben Hutchings
2013-02-15 17:55               ` Hannes Frederic Sowa
2013-02-15 18:56             ` David Miller