From: Vladis Dronov <vdronov@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: netdev@vger.kernel.org, stable@vger.kernel.org,
Marco Grassi <marco.gra@gmail.com>
Subject: Re: BUG() can be hit in tcp_collapse()
Date: Wed, 30 Nov 2016 12:00:17 -0500 (EST)
Message-ID: <1418136049.827916.1480525217226.JavaMail.zimbra@redhat.com>
In-Reply-To: <1716309808.12143903.1478869689618.JavaMail.zimbra@redhat.com>

Hello, Eric, Marco, all,

This is JFYI and a follow-up message.

A further investigation was made to find out the Linux kernel commit which
introduced the flaw. It appeared that previous Linux kernel versions are vulnerable,
down to v3.6-rc1. This fact was hidden by 'net.ipv4.tcp_fastopen' being set to 0 by
default, and it has been easier to notice since kernel v3.12 due to commit 0d41cca490
where the default was changed to 1. With 'net.ipv4.tcp_fastopen' set to 1, previous
Linux kernels (including RHEL-7 ones) are also vulnerable.

The bug has been here since the tcp-fastopen feature was introduced in kernel
v3.6-rc1. The first commit at which the reproducer starts to panic the kernel with
net.ipv4.tcp_fastopen=1 set is cf60af03ca, which is a part of the commit sequence
2100c8d2d9..67da22d23f introducing the net-tcp-fastopen feature:

$ git bisect bad cf60af03ca4e71134206809ea892e49b92a88896
cf60af03ca4e71134206809ea892e49b92a88896 is the first bad commit
commit cf60af03ca4e71134206809ea892e49b92a88896
Author: Yuchung Cheng <ycheng@google.com>
Date: Thu Jul 19 06:43:09 2012 +0000

So, ideally, the upstream commit ac6e780070 which fixes the bug should have a
"Fixes: cf60af03ca" statement; unfortunately, this investigation was not completed at
the time the patch was accepted upstream. And unfortunately I do not see any other way
to add this information except making notes in a comment in the related code, which
seems weird.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

Thread overview: 9+ messages
[not found] <1348037656.11947320.1478787081068.JavaMail.zimbra@redhat.com>
2016-11-10 14:47 ` BUG() can be hit in tcp_collapse() Vladis Dronov
2016-11-10 15:34 ` Greg KH
2016-11-10 15:44 ` Eric Dumazet
2016-11-10 19:26 ` Eric Dumazet
2016-11-10 19:49 ` Eric Dumazet
2016-11-10 20:13 ` Eric Dumazet
2016-11-11 13:08 ` Vladis Dronov
2016-11-30 17:00 ` Vladis Dronov [this message]
2016-11-30 17:33 ` Eric Dumazet