Re: BUG() can be hit in tcp_collapse()

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg KH <greg@kroah.com>
To: Vladis Dronov <vdronov@redhat.com>
Cc: netdev@vger.kernel.org, stable@vger.kernel.org,
	Marco Grassi <marco.gra@gmail.com>
Subject: Re: BUG() can be hit in tcp_collapse()
Date: Thu, 10 Nov 2016 16:34:44 +0100	[thread overview]
Message-ID: <20161110153444.GA17206@kroah.com> (raw)
In-Reply-To: <1623420310.11961160.1478789246631.JavaMail.zimbra@redhat.com>

On Thu, Nov 10, 2016 at 09:47:26AM -0500, Vladis Dronov wrote:
> Hello,
> 
> It was discovered by Marco Grassi <marco.gra@gmail.com> (many thanks) that the
> latest stable Linux kernel v4.8.6 is crashing in tcp_collapse() after making
> certain syscalls:
> 
> [    9.622886] kernel BUG at net/ipv4/tcp_input.c:4813!
> [    9.623299] invalid opcode: 0000 [#1] SMP
> [    9.623642] Modules linked in: iptable_nat nf_nat_ipv4 nf_nat
> [    9.624287] CPU: 2 PID: 2871 Comm: poc Not tainted 4.8.6 #2
> [    9.624730] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
> [    9.625459] task: ffff8801387b9a00 task.stack: ffff8801380e4000
> [    9.625929] RIP: 0010:[<ffffffff8178d4ec>]  [<ffffffff8178d4ec>] tcp_collapse+0x3ac/0x3b0
> [    9.626609] RSP: 0018:ffff8801380e7b78  EFLAGS: 00010282
> [    9.627028] RAX: 00000000fffffff2 RBX: 0000000000000ec0 RCX: 0000000000000ec0
> [    9.627587] RDX: ffff8801365cd000 RSI: 0000000000000000 RDI: ffff8801364106e0
> [    9.628142] RBP: ffff8801380e7bc8 R08: 0000000000000000 R09: ffff88013b003300
> [    9.628704] R10: ffff8801365cd000 R11: 0000000000000000 R12: 0000000000000ec0
> [    9.629259] R13: ffff88013663ae00 R14: 00000000cdf0ca26 R15: ffff8801364106e0
> [    9.629819] FS:  00007f2cef695800(0000) GS:ffff88013fc80000(0000) knlGS:0000000000000000
> [    9.630945] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [    9.631655] CR2: 000000002002a000 CR3: 0000000139d46000 CR4: 00000000001406e0
> [    9.632462] Stack:
> [    9.632900]  0000000000000000 cdf0da2600000001 ffff880138050000 ffff8801380500a8
> [    9.634138]  ffff880100000000 ffff880138050688 0000000000000900 ffff8801364136e0
> [    9.635379]  ffff880138050000 ffff880138050688 ffff8801380e7c00 ffffffff8178d630
> [    9.636622] Call Trace:
> [    9.637087]  [<ffffffff8178d630>] tcp_try_rmem_schedule+0x140/0x380
> [    9.637834]  [<ffffffff81791aa8>] tcp_data_queue+0x898/0xcf0
> [    9.638538]  [<ffffffff8179210b>] tcp_rcv_established+0x20b/0x6c0
> [    9.639268]  [<ffffffff81710143>] ? sk_reset_timer+0x13/0x30
> [    9.639968]  [<ffffffff81813009>] tcp_v6_do_rcv+0x1b9/0x420
> [    9.640666]  [<ffffffff81710b02>] __release_sock+0x82/0xf0
> [    9.641353]  [<ffffffff81710b9b>] release_sock+0x2b/0x90
> [    9.642029]  [<ffffffff817890ca>] tcp_sendmsg+0x55a/0xb60
> [    9.642714]  [<ffffffff817b29d0>] inet_sendmsg+0x60/0x90
> [    9.643389]  [<ffffffff8170c7b3>] sock_sendmsg+0x33/0x40
> [    9.644064]  [<ffffffff8170ccee>] SYSC_sendto+0xee/0x160
> [    9.645530]  [<ffffffff8170d6f9>] SyS_sendto+0x9/0x10
> [    9.646190]  [<ffffffff81909df2>] entry_SYSCALL_64_fastpath+0x1a/0xa4
> [    9.646947] Code: 48 c7 07 00 00 00 00 48 89 42 08 48 89 10 e8 cc 7e f8 ff 49 8b 47 30 48 8b 80 80 01 00 00 65 48 ff 80 b0 01 00 00 e9 72 fd ff ff <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 fe 53 8b 
> [    9.651794] RIP  [<ffffffff8178d4ec>] tcp_collapse+0x3ac/0x3b0
> [    9.652554]  RSP <ffff8801380e7b78>
> 
> The reproducer is generated by the syzkaller, please, see attached. The
> following BUG() is hit:
> 
> [net/ipv4/tcp_input.c]
> static void
> tcp_collapse(struct sock *sk, struct sk_buff_head *list,
>              struct sk_buff *head, struct sk_buff *tail,
>              u32 start, u32 end)
> {
> ...
> /* Copy data, releasing collapsed skbs. */
> while (copy > 0) {
>         int offset = start - TCP_SKB_CB(skb)->seq;
>         int size = TCP_SKB_CB(skb)->end_seq - start;
> 
>         BUG_ON(offset < 0);
>         if (size > 0) {
>                 size = min(copy, size);
> 4812:           if (skb_copy_bits(skb, offset, skb_put(nskb, size), size))
> 4813:                   BUG();
> 
> /usr/src/linux-4.8.6/net/ipv4/tcp_input.c: 4812
> 0xffffffff8178d390 <tcp_collapse+0x250>:        mov    %r12d,%esi
> 0xffffffff8178d393 <tcp_collapse+0x253>:        callq  0xffffffff81713ce0 <skb_put>
> 0xffffffff8178d398 <tcp_collapse+0x258>:        mov    -0x30(%rbp),%r8d
> 0xffffffff8178d39c <tcp_collapse+0x25c>:        mov    %r12d,%ecx
> 0xffffffff8178d39f <tcp_collapse+0x25f>:        mov    %rax,%rdx
> 0xffffffff8178d3a2 <tcp_collapse+0x262>:        mov    %r15,%rdi
> 0xffffffff8178d3a5 <tcp_collapse+0x265>:        mov    %r8d,%esi
> 0xffffffff8178d3a8 <tcp_collapse+0x268>:        callq  0xffffffff81714b90 <skb_copy_bits>
> 0xffffffff8178d3ad <tcp_collapse+0x26d>:        test   %eax,%eax
> 0xffffffff8178d3af <tcp_collapse+0x26f>:        jne    0xffffffff8178d4ec <tcp_collapse+0x3ac>
> ...
> /usr/src/linux-4.8.6/net/ipv4/tcp_input.c: 4813
> 0xffffffff8178d4ec <tcp_collapse+0x3ac>:        ud2    
> 
> I have checked that the reproducer can cause hitting this BUG() in the kernels
> since, at least v4.0. I was not checking the earlier kernels except RHEL-7 ones
> (3.10.0-xxx) which are not vulnerable.
> 
> The upstream kernels since v4.9-rc1 are not vulnerable too and I have bisected
> the repo to the commit c9c3321257 which fixes the issue.
> 
> $ git tag --contain c9c3321257e1b95be9b375f811fb250162af8d39
> v4.9-rc1
> 
> Stable v4.8.6 kernel with the c9c3321257 commit applied does not hit the BUG(),
> so I believe this commit should be backported to the stable branch. This commit
> applies cleanly to the v4.8.6 tree with just line offsets.

I'll be glad to take it if the network maintainer says it is safe to do
so and acks it :)

thanks,

greg k-h

next prev parent reply	other threads:[~2016-11-10 15:34 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <1348037656.11947320.1478787081068.JavaMail.zimbra@redhat.com>
2016-11-10 14:47 ` BUG() can be hit in tcp_collapse() Vladis Dronov
2016-11-10 15:34   ` Greg KH [this message]
2016-11-10 15:44   ` Eric Dumazet
2016-11-10 19:26     ` Eric Dumazet
2016-11-10 19:49       ` Eric Dumazet
2016-11-10 20:13         ` Eric Dumazet
2016-11-11 13:08           ` Vladis Dronov
2016-11-30 17:00             ` Vladis Dronov
2016-11-30 17:33               ` Eric Dumazet

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161110153444.GA17206@kroah.com \
    --to=greg@kroah.com \
    --cc=marco.gra@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=vdronov@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).