All of lore.kernel.org
From: Fan Du <fan.du@windriver.com>
To: Alexander Aring <alex.aring@gmail.com>
Cc: <davem@davemloft.net>, <kuznet@ms2.inr.ac.ru>,
	<jmorris@namei.org>, <yoshfuji@linux-ipv6.org>, <kaber@trash.net>,
	<netdev@vger.kernel.org>
Subject: Re: [PATCH/RFC net] ipv6: fix fragmentation bug
Date: Mon, 4 Nov 2013 17:39:38 +0800	[thread overview]
Message-ID: <52776B5A.6030701@windriver.com> (raw)
In-Reply-To: <1383557174-19424-2-git-send-email-alex.aring@gmail.com>

Hi, Alexander

I don't know which head commit you are sitting on, but this issue might have already been fixed by Steffen:
https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?id=84502b5ef9849a9694673b15c31bd3ac693010ae


On 2013-11-04 17:26, Alexander Aring wrote:
> In a very poor 6lowpan wireless connection I got this:
>
> BUG: unable to handle kernel NULL pointer dereference
> at 0000000c
> IP: [<c0389538>] _decode_session6+0x4f/0x1db
> *pde = 00000000
> Oops: 0000 [#1] SMP
> Modules linked in:
> CPU: 0 PID: 0 Comm: swapper/0 Not tainted
> 3.12.0-rc6-12694-g9ce9a7b-dirty #194
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> task: c05007e8 ti: c7808000 task.ti: c04f6000
> EIP: 0060:[<c0389538>] EFLAGS: 00210246 CPU: 0
> EIP is at _decode_session6+0x4f/0x1db
> EAX: 00000000 EBX: c5e602e0 ECX: 00000000 EDX: c5e65c3d
> ESI: c5e602e0 EDI: c7809ee8 EBP: c7809eac ESP: c7809e70
>   DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> CR0: 8005003b CR2: 0000000c CR3: 07b31000 CR4: 00000690
> Stack:
>   00000005 00282c6c 00000001 c05232dc c5e602e0 c0095bc0 c051de00 c0360508
>   c7809eac c5e602e0 c5e602e0 c037ef65 00000001 c795aa60 c795aa60 00000000
>   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> Call Trace:
>   [<c0360508>] ? __xfrm_decode_session+0x22/0x2f
>   [<c037ef65>] ? icmpv6_route_lookup+0xa9/0x119
>   [<c037f396>] ? icmp6_send+0x3c1/0x4bf
>   [<c037efd5>] ? icmpv6_route_lookup+0x119/0x119
>   [<c038cea6>] ? icmpv6_send+0x17/0x1a
>   [<c0382fbd>] ? ip6_expire_frag_queue+0x10a/0x11b
>   [<c0382fce>] ? ip6_expire_frag_queue+0x11b/0x11b
>   [<c0127eda>] ? call_timer_fn.isra.28+0x13/0x58
>   [<c01280bf>] ? run_timer_softirq+0x11a/0x14d
>   [<c0124097>] ? __do_softirq+0x95/0x13c
>
> I think we need to drop skb_dst_drop(skb) in ip6_frag_queue because we
> send an icmp6_send in the expire function "ip6_expire_frag_queue":
>
> icmpv6_send(fq->q.fragments, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME,
> 0);
>
> and it can be that the skb is already freed. This null pointer
> dereference occurs when the timer expires.
>
> Signed-off-by: Alexander Aring <alex.aring@gmail.com>
> ---
>   net/ipv6/reassembly.c | 1 -
>   1 file changed, 1 deletion(-)
>
> diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
> index cc85a9b..6463ae0 100644
> --- a/net/ipv6/reassembly.c
> +++ b/net/ipv6/reassembly.c
> @@ -352,7 +352,6 @@ found:
>   		return res;
>   	}
>
> -	skb_dst_drop(skb);
>   	inet_frag_lru_move(&fq->q);
>   	return -1;
>
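Review bot: removing skb_dst_drop(skb) here makes every queued fragment keep its dst, and so its route, for as long as the reassembly queue lives, which is the opposite of what that line was there for, and the oops itself points at the consumer rather than the queue: the fault is in _decode_session6, reached from icmpv6_route_lookup via ip6_expire_frag_queue, with CR2 = 0000000c, a small offset from NULL, i.e. the decode dereferences skb_dst() unconditionally on a fragment whose dst was released when it was queued. The narrower fix is to keep this line and make the decode tolerate a NULL skb_dst(), which is the direction of the commit Fan Du links above. If the dst is to be kept instead, the commit message should say why pinning one route per queued fragment is acceptable and confirm the reference is released when the queue is destroyed, and "I think" / "it can be that" should become a definite description of the path before this leaves RFC.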

-- 
Rise and fall with the waves; remember only today's laughter.

--fan
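The mechanism Alexander describes above (a fragment's dst released when it is queued, then an ICMPv6 time-exceeded built from that same fragment by the expiry timer), as an added user-space model in C. This is not kernel code and not the patch under review: the struct layouts, the refcount field, the function names and the ifindex values are all stand-ins (assumptions), and the NULL-tolerant decoder is one illustration of the "make the consumer cope with a missing dst" direction, not a copy of the commit Fan Du links. It lets you compare the two fix directions side by side: drop the route at queue time and tolerate its absence at expiry, versus the RFC patch's keeping the route attached (and therefore pinned) for the life of the queue.

```c
#include <stdio.h>

/* All structures here are stand-ins for the kernel ones (assumption):
 * only the fields this model needs are present. */
struct net_device { int ifindex; };

struct dst_entry {
	struct net_device *dev;
	int refcnt;                 /* modelled route reference count */
};

struct sk_buff {
	struct dst_entry *dst;      /* route attached when the fragment arrived */
	struct sk_buff *next;       /* link in the fragment queue */
};

struct frag_queue {
	struct sk_buff *fragments;  /* queued fragments, head first */
};

static struct dst_entry *skb_dst(const struct sk_buff *skb)
{
	return skb->dst;
}

/* Put the route back while the fragment waits; this is the call the
 * RFC patch removes. */
static void skb_dst_drop(struct sk_buff *skb)
{
	if (skb->dst) {
		skb->dst->refcnt--;
		skb->dst = NULL;
	}
}

/* Shape of the decode that faulted: it assumes a dst is attached. With a
 * NULL dst it reads a field at a small offset from address 0, which is
 * what the CR2 value in the oops shows. Only call it with a dst. */
static int decode_session6_oif_unsafe(const struct sk_buff *skb)
{
	return skb_dst(skb)->dev->ifindex;
}

/* NULL-tolerant variant: the other fix direction is to let the consumer
 * cope with a dst-less skb instead of keeping every queued fragment's
 * route alive. 0 means "no outgoing interface known". */
static int decode_session6_oif(const struct sk_buff *skb)
{
	return skb_dst(skb) ? skb_dst(skb)->dev->ifindex : 0;
}

/* Model of ip6_frag_queue(): append the fragment and, unless keep_dst
 * (the patch's behaviour), release its route while it sits in the queue. */
static void ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb, int keep_dst)
{
	struct sk_buff **tail = &fq->fragments;

	while (*tail)
		tail = &(*tail)->next;
	skb->next = NULL;
	*tail = skb;
	if (!keep_dst)
		skb_dst_drop(skb);
}

/* Model of ip6_expire_frag_queue(): the reassembly timer fires, an ICMPv6
 * time-exceeded is built from the head fragment (which needs a route
 * lookup, hence the decode), then the queue is torn down. Returns the oif
 * the lookup used, or -1 if the queue was empty. */
static int ip6_expire_frag_queue(struct frag_queue *fq)
{
	struct sk_buff *head = fq->fragments;
	int oif;

	if (!head)
		return -1;
	oif = decode_session6_oif(head);  /* the unsafe variant would oops here on a NULL dst */
	while (fq->fragments) {
		struct sk_buff *skb = fq->fragments;
		fq->fragments = skb->next;
		skb_dst_drop(skb);            /* freeing a fragment releases its route */
	}
	return oif;
}

/* Drive one fragment through queue and expiry. Returns the oif used for
 * the ICMP reply; *queued_refcnt reports the route refcount while the
 * fragment was waiting, i.e. whether the queue pinned the route. */
static int simulate_expiry(int keep_dst, int *queued_refcnt)
{
	struct net_device dev = { .ifindex = 7 };
	struct dst_entry rt = { .dev = &dev, .refcnt = 1 };  /* one ref: held by the skb */
	struct sk_buff skb = { .dst = &rt, .next = NULL };
	struct frag_queue fq = { .fragments = NULL };

	ip6_frag_queue(&fq, &skb, keep_dst);
	*queued_refcnt = rt.refcnt;
	return ip6_expire_frag_queue(&fq);
}

static int simulate_expiry_oif(int keep_dst) { int r; return simulate_expiry(keep_dst, &r); }
static int simulate_queued_refcnt(int keep_dst) { int r; simulate_expiry(keep_dst, &r); return r; }

/* Both decoders agree on a fragment that still has its route. */
static int decode_with_dst(int ifindex)
{
	struct net_device dev = { .ifindex = ifindex };
	struct dst_entry rt = { .dev = &dev, .refcnt = 1 };
	struct sk_buff skb = { .dst = &rt, .next = NULL };

	return decode_session6_oif_unsafe(&skb) == decode_session6_oif(&skb)
		? decode_session6_oif(&skb) : -1;
}

int main(void)
{
	int keep;

	for (keep = 0; keep <= 1; keep++)
		printf("keep_dst=%d: oif=%d route refcnt while queued=%d\n",
		       keep, simulate_expiry_oif(keep), simulate_queued_refcnt(keep));
	return 0;
}
```

With keep_dst=0 the route is released the moment the fragment is queued and the expiry path gets oif 0 instead of a fault; with keep_dst=1 (the patch) the expiry path gets the real oif, but the route stays referenced for the whole time the fragment waits, which is the cost the reviewer has to weigh.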


Thread overview: 7+ messages
2013-11-04  9:26 [PATCH/RFC net] ipv6: probably fragmentation bug Alexander Aring
2013-11-04  9:26 ` [PATCH/RFC net] ipv6: fix " Alexander Aring
2013-11-04  9:39   ` Fan Du [this message]
2013-11-04  9:43     ` Alexander Aring
2013-11-04  9:46       ` Fan Du
2013-11-04  9:51         ` Alexander Aring
2013-11-04 14:25   ` Eric Dumazet
