From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: 
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:57311 "EHLO out4-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933658AbcKJPe7 (ORCPT ); Thu, 10 Nov 2016 10:34:59 -0500
Date: Thu, 10 Nov 2016 16:34:44 +0100
From: Greg KH
To: Vladis Dronov
Cc: netdev@vger.kernel.org, stable@vger.kernel.org, Marco Grassi
Subject: Re: BUG() can be hit in tcp_collapse()
Message-ID: <20161110153444.GA17206@kroah.com>
References: <1348037656.11947320.1478787081068.JavaMail.zimbra@redhat.com> <1623420310.11961160.1478789246631.JavaMail.zimbra@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1623420310.11961160.1478789246631.JavaMail.zimbra@redhat.com>
Sender: stable-owner@vger.kernel.org
List-ID: 

On Thu, Nov 10, 2016 at 09:47:26AM -0500, Vladis Dronov wrote:
> Hello,
> 
> It was discovered by Marco Grassi (many thanks) that the
> latest stable Linux kernel v4.8.6 is crashing in tcp_collapse() after making
> certain syscalls:
> 
> [ 9.622886] kernel BUG at net/ipv4/tcp_input.c:4813!
> [ 9.623299] invalid opcode: 0000 [#1] SMP
> [ 9.623642] Modules linked in: iptable_nat nf_nat_ipv4 nf_nat
> [ 9.624287] CPU: 2 PID: 2871 Comm: poc Not tainted 4.8.6 #2
> [ 9.624730] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
> [ 9.625459] task: ffff8801387b9a00 task.stack: ffff8801380e4000
> [ 9.625929] RIP: 0010:[] [] tcp_collapse+0x3ac/0x3b0
> [ 9.626609] RSP: 0018:ffff8801380e7b78 EFLAGS: 00010282
> [ 9.627028] RAX: 00000000fffffff2 RBX: 0000000000000ec0 RCX: 0000000000000ec0
> [ 9.627587] RDX: ffff8801365cd000 RSI: 0000000000000000 RDI: ffff8801364106e0
> [ 9.628142] RBP: ffff8801380e7bc8 R08: 0000000000000000 R09: ffff88013b003300
> [ 9.628704] R10: ffff8801365cd000 R11: 0000000000000000 R12: 0000000000000ec0
> [ 9.629259] R13: ffff88013663ae00 R14: 00000000cdf0ca26 R15: ffff8801364106e0
> [ 9.629819] FS: 00007f2cef695800(0000) GS:ffff88013fc80000(0000) knlGS:0000000000000000
> [ 9.630945] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 9.631655] CR2: 000000002002a000 CR3: 0000000139d46000 CR4: 00000000001406e0
> [ 9.632462] Stack:
> [ 9.632900] 0000000000000000 cdf0da2600000001 ffff880138050000 ffff8801380500a8
> [ 9.634138] ffff880100000000 ffff880138050688 0000000000000900 ffff8801364136e0
> [ 9.635379] ffff880138050000 ffff880138050688 ffff8801380e7c00 ffffffff8178d630
> [ 9.636622] Call Trace:
> [ 9.637087] [] tcp_try_rmem_schedule+0x140/0x380
> [ 9.637834] [] tcp_data_queue+0x898/0xcf0
> [ 9.638538] [] tcp_rcv_established+0x20b/0x6c0
> [ 9.639268] [] ? sk_reset_timer+0x13/0x30
> [ 9.639968] [] tcp_v6_do_rcv+0x1b9/0x420
> [ 9.640666] [] __release_sock+0x82/0xf0
> [ 9.641353] [] release_sock+0x2b/0x90
> [ 9.642029] [] tcp_sendmsg+0x55a/0xb60
> [ 9.642714] [] inet_sendmsg+0x60/0x90
> [ 9.643389] [] sock_sendmsg+0x33/0x40
> [ 9.644064] [] SYSC_sendto+0xee/0x160
> [ 9.645530] [] SyS_sendto+0x9/0x10
> [ 9.646190] [] entry_SYSCALL_64_fastpath+0x1a/0xa4
> [ 9.646947] Code: 48 c7 07 00 00 00 00 48 89 42 08 48 89 10 e8 cc 7e f8 ff 49 8b 47 30 48 8b 80 80 01 00 00 65 48 ff 80 b0 01 00 00 e9 72 fd ff ff <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 fe 53 8b
> [ 9.651794] RIP [] tcp_collapse+0x3ac/0x3b0
> [ 9.652554] RSP
> 
> The reproducer is generated by syzkaller; please see attached. The
> following BUG() is hit:
> 
> [net/ipv4/tcp_input.c]
> static void
> tcp_collapse(struct sock *sk, struct sk_buff_head *list,
>              struct sk_buff *head, struct sk_buff *tail,
>              u32 start, u32 end)
> {
> ...
>         /* Copy data, releasing collapsed skbs. */
>         while (copy > 0) {
>                 int offset = start - TCP_SKB_CB(skb)->seq;
>                 int size = TCP_SKB_CB(skb)->end_seq - start;
> 
>                 BUG_ON(offset < 0);
>                 if (size > 0) {
>                         size = min(copy, size);
> 4812:                   if (skb_copy_bits(skb, offset, skb_put(nskb, size), size))
> 4813:                           BUG();
> 
> /usr/src/linux-4.8.6/net/ipv4/tcp_input.c: 4812
> 0xffffffff8178d390 : mov    %r12d,%esi
> 0xffffffff8178d393 : callq  0xffffffff81713ce0
> 0xffffffff8178d398 : mov    -0x30(%rbp),%r8d
> 0xffffffff8178d39c : mov    %r12d,%ecx
> 0xffffffff8178d39f : mov    %rax,%rdx
> 0xffffffff8178d3a2 : mov    %r15,%rdi
> 0xffffffff8178d3a5 : mov    %r8d,%esi
> 0xffffffff8178d3a8 : callq  0xffffffff81714b90
> 0xffffffff8178d3ad : test   %eax,%eax
> 0xffffffff8178d3af : jne    0xffffffff8178d4ec
> ...
> /usr/src/linux-4.8.6/net/ipv4/tcp_input.c: 4813
> 0xffffffff8178d4ec : ud2
> 
> I have checked that the reproducer can cause hitting this BUG() in the kernels
> since, at least, v4.0. I did not check the earlier kernels except the RHEL-7 ones
> (3.10.0-xxx), which are not vulnerable.
> 
> The upstream kernels since v4.9-rc1 are not vulnerable either, and I have bisected
> the repo to the commit c9c3321257, which fixes the issue.
> 
> $ git tag --contain c9c3321257e1b95be9b375f811fb250162af8d39
> v4.9-rc1
> 
> Stable v4.8.6 kernel with the c9c3321257 commit applied does not hit the BUG(),
> so I believe this commit should be backported to the stable branch. This commit
> applies cleanly to the v4.8.6 tree with just line offsets.

I'll be glad to take it if the network maintainer says it is safe to do so
and acks it :)

thanks,

greg k-h
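The following is an added user-space model of the copy loop quoted in the report above; it is neither the kernel's code nor anything posted in the thread. It shows why a failing skb_copy_bits() call ends in BUG(): the loop derives offset and size purely from the TCP sequence numbers in the skb control block, and skb_copy_bits() returns -EFAULT as soon as that range runs past the skb's actual data length. The oops supports this reading: RAX holds 0xfffffff2, which as a 32-bit value is -14, i.e. -EFAULT, and the disassembly tests %eax right after the skb_copy_bits() call before jumping to ud2. Since the trace reaches this loop from an ordinary sendto() syscall, a BUG() here is a local kernel crash (denial of service) triggerable by an unprivileged process. The struct and helper names below are simplified stand-ins, and both scenarios are constructed inputs, not data from the reproducer.

```c
/* Added example: user-space model of the tcp_collapse() copy loop.
 * Not kernel code; structures and helpers are simplified stand-ins. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the parts of struct sk_buff the loop relies on: the TCP
 * sequence range from the control block and the bytes actually present.
 * The loop assumes end_seq - seq matches len (ignoring SYN/FIN). */
struct skb {
    uint32_t seq, end_seq;
    const uint8_t *data;
    int len;
};

/* Model of skb_copy_bits(): copies len bytes from offset into `to` and,
 * like the kernel's, returns -EFAULT when the request exceeds skb->len. */
static int skb_copy_bits(const struct skb *skb, int offset, uint8_t *to, int len)
{
    if (offset < 0 || len < 0 || offset > skb->len - len)
        return -EFAULT;
    memcpy(to, skb->data + offset, len);
    return 0;
}

enum collapse_result { COLLAPSE_OK = 0, COLLAPSE_WOULD_BUG = 1 };

/* Model of the "Copy data, releasing collapsed skbs" loop: copy the
 * sequence range [start, start + copy) out of consecutive skbs into nskb.
 * Returns COLLAPSE_WOULD_BUG at the points where the kernel would BUG(). */
static enum collapse_result collapse_copy(const struct skb *list, int n,
                                          uint32_t start, int copy,
                                          uint8_t *nskb, int *copied_out)
{
    int i = 0, copied = 0;

    while (copy > 0 && i < n) {
        const struct skb *skb = &list[i];
        int offset = (int)(start - skb->seq);       /* from seq numbers only */
        int size = (int)(skb->end_seq - start);

        if (offset < 0)                             /* BUG_ON(offset < 0) */
            return COLLAPSE_WOULD_BUG;
        if (size > 0) {
            size = size < copy ? size : copy;       /* min(copy, size) */
            if (skb_copy_bits(skb, offset, nskb + copied, size))
                return COLLAPSE_WOULD_BUG;          /* BUG() at tcp_input.c:4813 */
            copied += size;
            copy -= size;
            start += size;
        }
        if (start >= skb->end_seq)                  /* skb fully consumed */
            i++;                                    /* kernel frees it, moves on */
    }
    *copied_out = copied;
    return COLLAPSE_OK;
}

/* Constructed scenario 1: two adjacent skbs whose sequence ranges agree
 * with their data lengths; collapsing 100 bytes across them succeeds.
 * Returns the number of bytes copied, or -1 on failure. */
int demo_consistent_skbs(void)
{
    static const uint8_t a[100] = {0}, b[100] = {0};
    struct skb list[2] = {
        { .seq = 1000, .end_seq = 1100, .data = a, .len = 100 },
        { .seq = 1100, .end_seq = 1200, .data = b, .len = 100 },
    };
    uint8_t nskb[200];
    int copied = 0;

    if (collapse_copy(list, 2, 1050, 100, nskb, &copied) != COLLAPSE_OK)
        return -1;
    return copied;
}

/* Constructed scenario 2: an skb whose control block claims 100 bytes of
 * sequence space while only 60 bytes are present. skb_copy_bits() fails
 * with -EFAULT and the loop reaches the BUG(). */
int demo_inconsistent_skb(void)
{
    static const uint8_t a[60] = {0};
    struct skb list[1] = {
        { .seq = 1000, .end_seq = 1100, .data = a, .len = 60 },
    };
    uint8_t nskb[100];
    int copied = 0;

    return collapse_copy(list, 1, 1000, 100, nskb, &copied);
}

/* The RAX value from the oops, reinterpreted as the 32-bit int that
 * skb_copy_bits() returned in %eax. */
int oops_rax_as_errno(void)
{
    return (int)(int32_t)0xfffffff2u;
}

int main(void)
{
    printf("consistent skbs: copied %d bytes\n", demo_consistent_skbs());
    printf("inconsistent skb: %s\n",
           demo_inconsistent_skb() == COLLAPSE_WOULD_BUG ? "would BUG()" : "ok");
    printf("RAX 0xfffffff2 as errno: %d (-EFAULT is %d)\n",
           oops_rax_as_errno(), -EFAULT);
    return 0;
}
```

The point of the model is the invariant the loop trusts without checking: the sequence-space bookkeeping in the control block and the bytes actually attached to the skb must agree, because skb_copy_bits() is the only thing that notices when they do not, and its failure is treated as unrecoverable.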