* igmp: possible NULL dereference after GFP_ATOMIC allocation?
@ 2007-01-30 10:57 Alexey Dobriyan
2007-01-30 11:34 ` David Stevens
0 siblings, 1 reply; 6+ messages in thread
From: Alexey Dobriyan @ 2007-01-30 10:57 UTC (permalink / raw)
To: netdev; +Cc: kuznet, dlstevens, davem
igmpv3_newpack() uses alloc_skb() with GFP_ATOMIC.
It fails, igmpv3_newpack() returns NULL.
add_grhead(), sees NULL, returns NULL.
At one place add_grhead() return value fed into skb_put() which
dereferences it.
net/ipv4/igmp.c:
454 if (first) {
455 skb = add_grhead(skb, pmc, type, &pgr);
456 first = 0;
457 }
458 psrc = (u32 *)skb_put(skb, sizeof(u32));
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: igmp: possible NULL dereference after GFP_ATOMIC allocation?
2007-01-30 10:57 igmp: possible NULL dereference after GFP_ATOMIC allocation? Alexey Dobriyan
@ 2007-01-30 11:34 ` David Stevens
2007-01-30 15:04 ` Alexey Dobriyan
2007-02-05 15:04 ` [PATCH] igmp: check add_grhead() return value Alexey Dobriyan
0 siblings, 2 replies; 6+ messages in thread
From: David Stevens @ 2007-01-30 11:34 UTC (permalink / raw)
To: Alexey Dobriyan; +Cc: davem, kuznet, netdev, netdev-owner
Alexey,
I think you're correct-- looks like it needs:
if (!skb)
return NULL;
just before the skb_put(), since an allocation (and failure)
could occur in either the igmpv3_newpack() call or in add_grhead().
Also, similar code in net/ipv6/mcast..c.
Will you be submitting the patch?
+-DLS
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: igmp: possible NULL dereference after GFP_ATOMIC allocation?
2007-01-30 11:34 ` David Stevens
@ 2007-01-30 15:04 ` Alexey Dobriyan
2007-01-31 9:39 ` Jarek Poplawski
2007-02-05 15:04 ` [PATCH] igmp: check add_grhead() return value Alexey Dobriyan
1 sibling, 1 reply; 6+ messages in thread
From: Alexey Dobriyan @ 2007-01-30 15:04 UTC (permalink / raw)
To: David Stevens; +Cc: davem, kuznet, netdev, netdev-owner
On Tue, Jan 30, 2007 at 03:34:18AM -0800, David Stevens wrote:
> I think you're correct-- looks like it needs:
>
> if (!skb)
> return NULL;
>
> just before the skb_put(), since an allocation (and failure)
> could occur in either the igmpv3_newpack() call or in add_grhead().
> Also, similar code in net/ipv6/mcast..c.
>
> Will you be submitting the patch?
One box here can semi-reliably reproduce oops which is attributed to
these allocation failures. I'll tell if patch works or not soon.
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000064
EIP is at add_grec+0x22b/0x372
eax: 00000000 ebx: 00000000 ecx: f567cb20 edx: f567cb20
esi: e91ad540 edi: 00000001 ebp: 00000000 esp: c0787f54
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, veid: 0, ti=c0787000 task=c0670be0 task.ti=c073e000)
Stack: c0787f80 00000001 00000005 e08a8920 c930a800 00000000 e08a892c 00000000
00000000 00000000 00000000 00000000 e08a8920 e2000ea0 00000000 00000005
c05f1510 00000000 00000001 00000000 c0678580 c07fbb00 00000100 c05f13ac
Call Trace:
[<c05f1510>] igmp_ifc_timer_expire+0x164/0x1db
[<c042cd17>] run_timer_softirq+0x116/0x18d
[<c0427ea8>] __do_softirq+0x84/0x109
[<c0406234>] do_softirq+0x55/0xad
=======================
Code: fa ff ff 89 c3 c7 44 24 1c 00 00 00 00 eb 04 85 ff 74 18 8b 4c 24 08 8d 44 24 2c 8b 54 24 0c 89 04 24 89 d8 e8 66 fc ff ff 89 c3 <83> 7b 64 00 8b bb a0 00 00 00 74 0b 0f 0b 66 b8 5a 03 b8 52 e9
EIP: [<c05f1265>] add_grec+0x22b/0x372 SS:ESP 0068:c0787f54
Kernel panic - not syncing: Fatal exception in interrupt
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: igmp: possible NULL dereference after GFP_ATOMIC allocation?
2007-01-30 15:04 ` Alexey Dobriyan
@ 2007-01-31 9:39 ` Jarek Poplawski
0 siblings, 0 replies; 6+ messages in thread
From: Jarek Poplawski @ 2007-01-31 9:39 UTC (permalink / raw)
To: Alexey Dobriyan; +Cc: David Stevens, davem, kuznet, netdev, netdev-owner
On 30-01-2007 16:04, Alexey Dobriyan wrote:
> On Tue, Jan 30, 2007 at 03:34:18AM -0800, David Stevens wrote:
>> I think you're correct-- looks like it needs:
>>
>> if (!skb)
>> return NULL;
>>
>> just before the skb_put(), since an allocation (and failure)
>> could occur in either the igmpv3_newpack() call or in add_grhead().
>> Also, similar code in net/ipv6/mcast..c.
>>
>> Will you be submitting the patch?
>
> One box here can semi-reliably reproduce oops which is attributed to
> these allocation failures. I'll tell if patch works or not soon.
I also think this "if" is needed there and hope you
are right but, actually, skb allocating errors
shouldn't be so semi-reliable.
I don't know what is the kernel version of this box,
but probably another reason could be in_device not
fully initialized, so you could check for David's
Stevens patch to devinet.c.
Regards,
Jarek P.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] igmp: check add_grhead() return value
2007-01-30 11:34 ` David Stevens
2007-01-30 15:04 ` Alexey Dobriyan
@ 2007-02-05 15:04 ` Alexey Dobriyan
2007-02-06 22:35 ` David Miller
1 sibling, 1 reply; 6+ messages in thread
From: Alexey Dobriyan @ 2007-02-05 15:04 UTC (permalink / raw)
To: David Stevens, davem; +Cc: kuznet, netdev
OK, now that we aren't seeing crashes which can be attributed to these
NULL dereferences any longer.
--------------------------------------
add_grhead() allocates memory with GFP_ATOMIC and in at least two places skb
from it passed to skb_put() without checking.
Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org>
---
net/ipv4/igmp.c | 2 ++
net/ipv6/mcast.c | 2 ++
2 files changed, 4 insertions(+)
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -455,6 +455,8 @@ static struct sk_buff *add_grec(struct s
skb = add_grhead(skb, pmc, type, &pgr);
first = 0;
}
+ if (!skb)
+ return NULL;
psrc = (__be32 *)skb_put(skb, sizeof(__be32));
*psrc = psf->sf_inaddr;
scount++; stotal++;
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1582,6 +1582,8 @@ static struct sk_buff *add_grec(struct s
skb = add_grhead(skb, pmc, type, &pgr);
first = 0;
}
+ if (!skb)
+ return NULL;
psrc = (struct in6_addr *)skb_put(skb, sizeof(*psrc));
*psrc = psf->sf_addr;
scount++; stotal++;
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] igmp: check add_grhead() return value
2007-02-05 15:04 ` [PATCH] igmp: check add_grhead() return value Alexey Dobriyan
@ 2007-02-06 22:35 ` David Miller
0 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2007-02-06 22:35 UTC (permalink / raw)
To: adobriyan; +Cc: dlstevens, kuznet, netdev
From: Alexey Dobriyan <adobriyan@openvz.org>
Date: Mon, 5 Feb 2007 18:04:33 +0300
> OK, now that we aren't seeing crashes which can be attributed to these
> NULL dereferences any longer.
> --------------------------------------
> add_grhead() allocates memory with GFP_ATOMIC and in at least two places skb
> from it passed to skb_put() without checking.
>
> Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org>
Thanks for the patch and for testing Alexey.
Applied, and I'll push this to -stable too.
Thanks again.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2007-02-06 22:36 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-01-30 10:57 igmp: possible NULL dereference after GFP_ATOMIC allocation? Alexey Dobriyan
2007-01-30 11:34 ` David Stevens
2007-01-30 15:04 ` Alexey Dobriyan
2007-01-31 9:39 ` Jarek Poplawski
2007-02-05 15:04 ` [PATCH] igmp: check add_grhead() return value Alexey Dobriyan
2007-02-06 22:35 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).