From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Alexey Kodanev <alexey.kodanev@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.10 07/55] net: sysctl_net_core: check SNDBUF and RCVBUF for min length
Date: Tue, 24 Mar 2015 16:42:47 +0100 [thread overview]
Message-ID: <20150324154159.057175194@linuxfoundation.org> (raw)
In-Reply-To: <20150324154158.748418668@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <alexey.kodanev@oracle.com>
[ Upstream commit b1cb59cf2efe7971d3d72a7b963d09a512d994c9 ]
sysctl has sysctl.net.core.rmem_*/wmem_* parameters which can be
set to incorrect values. Given that 'struct sk_buff' allocates from
rcvbuf, incorrectly set buffer length could result to memory
allocation failures. For example, set them as follows:
# sysctl net.core.rmem_default=64
net.core.wmem_default = 64
# sysctl net.core.wmem_default=64
net.core.wmem_default = 64
# ping localhost -s 1024 -i 0 > /dev/null
This could result to the following failure:
skbuff: skb_over_panic: text:ffffffff81628db4 len:-32 put:-32
head:ffff88003a1cc200 data:ffff88003a1cc200 tail:0xffffffe0 end:0xc0 dev:<NULL>
kernel BUG at net/core/skbuff.c:102!
invalid opcode: 0000 [#1] SMP
...
task: ffff88003b7f5550 ti: ffff88003ae88000 task.ti: ffff88003ae88000
RIP: 0010:[<ffffffff8155fbd1>] [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
RSP: 0018:ffff88003ae8bc68 EFLAGS: 00010296
RAX: 000000000000008d RBX: 00000000ffffffe0 RCX: 0000000000000000
RDX: ffff88003fdcf598 RSI: ffff88003fdcd9c8 RDI: ffff88003fdcd9c8
RBP: ffff88003ae8bc88 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 00000000000002b2 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88003d3f7300 R15: ffff88000012a900
FS: 00007fa0e2b4a840(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000d0f7e0 CR3: 000000003b8fb000 CR4: 00000000000006f0
Stack:
ffff88003a1cc200 00000000ffffffe0 00000000000000c0 ffffffff818cab1d
ffff88003ae8bd68 ffffffff81628db4 ffff88003ae8bd48 ffff88003b7f5550
ffff880031a09408 ffff88003b7f5550 ffff88000012aa48 ffff88000012ab00
Call Trace:
[<ffffffff81628db4>] unix_stream_sendmsg+0x2c4/0x470
[<ffffffff81556f56>] sock_write_iter+0x146/0x160
[<ffffffff811d9612>] new_sync_write+0x92/0xd0
[<ffffffff811d9cd6>] vfs_write+0xd6/0x180
[<ffffffff811da499>] SyS_write+0x59/0xd0
[<ffffffff81651532>] system_call_fastpath+0x12/0x17
Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00
00 00 48 c7 c7 30 db 91 81 48 89 04 24 31 c0 e8 4f a8 0e 00 <0f> 0b
eb fe 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83
RIP [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
RSP <ffff88003ae8bc68>
Kernel panic - not syncing: Fatal exception
Moreover, the possible minimum is 1, so we can get another kernel panic:
...
BUG: unable to handle kernel paging request at ffff88013caee5c0
IP: [<ffffffff815604cf>] __alloc_skb+0x12f/0x1f0
...
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/sysctl_net_core.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -23,6 +23,8 @@
static int zero = 0;
static int one = 1;
static int ushort_max = USHRT_MAX;
+static int min_sndbuf = SOCK_MIN_SNDBUF;
+static int min_rcvbuf = SOCK_MIN_RCVBUF;
#ifdef CONFIG_RPS
static int rps_sock_flow_sysctl(ctl_table *table, int write,
@@ -97,7 +99,7 @@ static struct ctl_table net_core_table[]
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
- .extra1 = &one,
+ .extra1 = &min_sndbuf,
},
{
.procname = "rmem_max",
@@ -105,7 +107,7 @@ static struct ctl_table net_core_table[]
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
- .extra1 = &one,
+ .extra1 = &min_rcvbuf,
},
{
.procname = "wmem_default",
@@ -113,7 +115,7 @@ static struct ctl_table net_core_table[]
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
- .extra1 = &one,
+ .extra1 = &min_sndbuf,
},
{
.procname = "rmem_default",
@@ -121,7 +123,7 @@ static struct ctl_table net_core_table[]
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
- .extra1 = &one,
+ .extra1 = &min_rcvbuf,
},
{
.procname = "dev_weight",
next prev parent reply other threads:[~2015-03-24 15:44 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-24 15:42 [PATCH 3.10 00/55] 3.10.73-stable review Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 01/55] sparc32: destroy_context() and switch_mm() needs to disable interrupts Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 02/55] sparc: semtimedop() unreachable due to comparison error Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 03/55] sparc: perf: Remove redundant perf_pmu_{en|dis}able calls Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 04/55] sparc: perf: Make counting mode actually work Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 05/55] sparc: Touch NMI watchdog when walking cpus and calling printk Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 06/55] sparc64: Fix several bugs in memmove() Greg Kroah-Hartman
2015-03-24 15:42 ` Greg Kroah-Hartman [this message]
2015-03-24 15:42 ` [PATCH 3.10 08/55] rds: avoid potential stack overflow Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 09/55] inet_diag: fix possible overflow in inet_diag_dump_one_icsk() Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 10/55] caif: fix MSG_OOB test in caif_seqpkt_recvmsg() Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 11/55] rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg() Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 12/55] Revert "net: cx82310_eth: use common match macro" Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 13/55] tcp: fix tcp fin memory accounting Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 14/55] net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 15/55] tcp: make connect() mem charging friendly Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 17/55] drm/radeon: do a posting read in evergreen_set_irq Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 18/55] drm/radeon: do a posting read in r100_set_irq Greg Kroah-Hartman
2015-03-24 15:42 ` [PATCH 3.10 19/55] drm/radeon: do a posting read in r600_set_irq Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 20/55] drm/radeon: do a posting read in si_set_irq Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 21/55] drm/radeon: do a posting read in rs600_set_irq Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 23/55] fuse: set stolen page uptodate Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 24/55] fuse: notify: dont move pages Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 25/55] virtio_console: init work unconditionally Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 26/55] Change email address for 8250_pci Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 27/55] can: add missing initialisations in CAN related skbuffs Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 28/55] workqueue: fix hang involving racing cancel[_delayed]_work_sync()s for PREEMPT_NONE Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 29/55] tpm/ibmvtpm: Additional LE support for tpm_ibmvtpm_send Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 30/55] spi: pl022: Fix race in giveback() leading to driver lock-up Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 31/55] ALSA: control: Add sanity checks for user ctl id name string Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 32/55] ALSA: hda - Fix built-in mic on Compaq Presario CQ60 Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 33/55] ALSA: hda - Dont access stereo amps for mono channel widgets Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 34/55] ALSA: hda - Set single_adc_amp flag for CS420x codecs Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 35/55] ALSA: hda - Add workaround for MacBook Air 5,2 built-in mic Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 36/55] ALSA: hda - Treat stereo-to-mono mix properly Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 37/55] regulator: Only enable disabled regulators on resume Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 38/55] regulator: core: Fix enable GPIO reference counting Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 39/55] nilfs2: fix deadlock of segment constructor during recovery Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 40/55] xen-pciback: limit guest control of command register Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 41/55] libsas: Fix Kernel Crash in smp_execute_task Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 42/55] crypto: aesni - fix memory usage in GCM decryption Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 43/55] x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 44/55] x86/fpu: Drop_fpu() should not assume that tsk equals current Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 45/55] x86/vdso: Fix the build on GCC5 Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 46/55] powerpc/smp: Wait until secondaries are active & online Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 47/55] ipvs: add missing ip_vs_pe_put in sync code Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 48/55] ipvs: rerouting to local clients is not needed anymore Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 49/55] ARM: at91: pm: fix at91rm9200 standby Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 50/55] target: Fix reference leak in target_get_sess_cmd() error path Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 51/55] iscsi-target: Avoid early conn_logout_comp for iser connections Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 52/55] target/pscsi: Fix NULL pointer dereference in get_device_type Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 53/55] target: Fix R_HOLDER bit usage for AllRegistrants Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 54/55] target: Allow AllRegistrants to re-RESERVE existing reservation Greg Kroah-Hartman
2015-03-24 15:43 ` [PATCH 3.10 55/55] target: Allow Write Exclusive non-reservation holders to READ Greg Kroah-Hartman
2015-03-25 2:34 ` [PATCH 3.10 00/55] 3.10.73-stable review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150324154159.057175194@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexey.kodanev@oracle.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox