From: Dan Carpenter <error27@gmail.com>
To: linux-sctp@vger.kernel.org, netdev@vger.kernel.org
Subject: stack trace from sctp_getsockopt_local_addrs()
Date: Mon, 6 Sep 2010 21:59:06 +0200
Message-ID: <20100906195905.GA7423@bicker>

In sctp_getsockopt_local_addrs() we can potentially try to allocate too
much memory depending on what the user passes to us as "len".

net/sctp/socket.c
	to = optval + offsetof(struct sctp_getaddrs,addrs);
	space_left = len - offsetof(struct sctp_getaddrs,addrs);

	addrs = kmalloc(space_left, GFP_KERNEL);
	if (!addrs)
		return -ENOMEM;

It's harmless. "space_left" is never zero and we handle memory
allocation failures correctly but it's still a little messy and can lead
to a stack trace. It's a WARN_ONCE() so it's not a huge deal.
Sep 6 20:57:07 bicker kernel: [84533.160286] ------------[ cut here ]------------
Sep 6 20:57:07 bicker kernel: [84533.160304] WARNING: at mm/page_alloc.c:1971 __alloc_pages_nodemask+0x153/0x4ed()
Sep 6 20:57:07 bicker kernel: [84533.160311] Hardware name: 900HA
Sep 6 20:57:07 bicker kernel: [84533.160315] Modules linked in: ufs ppp_deflate zlib_deflate bsd_comp ppp_async crc_ccitt ppp_generic slhc sctp crc32c libcrc32c option usb_wwan usbserial ath5k atl1e ath
Sep 6 20:57:07 bicker kernel: [84533.160359] Pid: 8949, comm: a.out Not tainted 2.6.36-rc3+ #39
Sep 6 20:57:07 bicker kernel: [84533.160365] Call Trace:
Sep 6 20:57:07 bicker kernel: [84533.160380] [<c103019e>] warn_slowpath_common+0x60/0x75
Sep 6 20:57:07 bicker kernel: [84533.160391] [<c10301c2>] warn_slowpath_null+0xf/0x13
Sep 6 20:57:07 bicker kernel: [84533.160402] [<c10914ff>] __alloc_pages_nodemask+0x153/0x4ed
Sep 6 20:57:07 bicker kernel: [84533.160414] [<c10307de>] ? release_console_sem+0x177/0x1a4
Sep 6 20:57:07 bicker kernel: [84533.160428] [<c10918a8>] __get_free_pages+0xf/0x21
Sep 6 20:57:07 bicker kernel: [84533.160440] [<c10b1625>] __kmalloc+0x2f/0xf9
Sep 6 20:57:07 bicker kernel: [84533.160473] [<f83964bc>] sctp_getsockopt+0x99d/0x16b5 [sctp]

This could happen if you called

	getsockopt(sd, SOL_SCTP, SCTP_GET_LOCAL_ADDRS, getaddrs, &len);

without initializing "len".

regards,
dan carpenter
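
The size calculation described in the message above, modelled in user space next to a bounded variant. This is an added example, not code from the original mail or from the kernel. The struct layout, the names unchecked_space() and checked_space(), the 64 KiB cap and the sample lengths are all assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for struct sctp_getaddrs (layout assumed). */
struct getaddrs_model {
	int32_t  assoc_id;
	uint32_t addr_num;
	uint8_t  addrs[];	/* variable-length address area */
};

#define HDR offsetof(struct getaddrs_model, addrs)
/* Hypothetical upper bound for the scratch buffer, not a kernel constant. */
#define MODEL_MAX_SPACE ((size_t)64 * 1024)

/* Same arithmetic as the excerpt: the caller's len sets the request size. */
size_t unchecked_space(int len)
{
	return (size_t)len - HDR;
}

/* Bounded variant: reject impossible lengths, clamp oversized ones. */
int checked_space(int len, size_t *space)
{
	if (len < 0 || (size_t)len <= HDR)
		return -EINVAL;
	*space = (size_t)len - HDR;
	if (*space > MODEL_MAX_SPACE)
		*space = MODEL_MAX_SPACE;
	return 0;
}

int main(void)
{
	/* Constructed inputs: a sane length, then stack-garbage-like values. */
	int samples[] = { 136, 0x7fffffff, -1, 8 };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		size_t s = 0;
		int rc = checked_space(samples[i], &s);
		printf("len=%d unchecked=%zu checked rc=%d space=%zu\n",
		       samples[i], unchecked_space(samples[i]), rc, s);
	}
	return 0;
}
```

With the bound in place, an uninitialized "len" produces either -EINVAL or a request no larger than the cap, so the allocator never sees a size driven purely by caller garbage.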