q3k
/
linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
linux/net/ipv6
History
Wei Yongjun 8984e41d18 [IPV6]: Fix kernel panic while send SCTP data with IP fragments 
If ICMP6 message with "Packet Too Big" is received after send SCTP DATA,
kernel panic will occur when SCTP DATA is send again.

This is because of a bad dest address when call to skb_copy_bits().

The messages sequence is like this:

Endpoint A                             Endpoint B
                               <-------  SCTP DATA (size=1432)
ICMP6 message ------->
(Packet Too Big pmtu=1280)
                               <-------  Resend SCTP DATA (size=1432)
------------kernel panic---------------

 printing eip:
c05be62a
*pde = 00000000
Oops: 0002 [#1]
SMP
Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
CPU:    0
EIP:    0060:[<c05be62a>]    Not tainted VLI
EFLAGS: 00010282   (2.6.23-rc2 #1)
EIP is at skb_copy_bits+0x4f/0x1ef
eax: 000004d0   ebx: ce12a980   ecx: 00000134   edx: cfd5a880
esi: c8246858   edi: 00000000   ebp: c0759b14   esp: c0759adc
ds: 007b   es: 007b   fs: 00d8  gs: 0000  ss: 0068
Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000)
Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 00000000 00000028 cfd5a880
       d09f1890 000005dc 0000007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521
       000004d0 fffff96c 00000200 00000100 c0759b50 cfd5a880 00000246 c0759bd4
Call Trace:
 [<c0405e1d>] show_trace_log_lvl+0x1a/0x2f
 [<c0405ecd>] show_stack_log_lvl+0x9b/0xa3
 [<c040608d>] show_registers+0x1b8/0x289
 [<c0406271>] die+0x113/0x246
 [<c0625dbc>] do_page_fault+0x4ad/0x57e
 [<c0624642>] error_code+0x72/0x78
 [<d09bc521>] ip6_output+0x8e5/0xab2 [ipv6]
 [<d09bcec1>] ip6_xmit+0x2ea/0x3a3 [ipv6]
 [<d0a3f2ca>] sctp_v6_xmit+0x248/0x253 [sctp]
 [<d0a3c934>] sctp_packet_transmit+0x53f/0x5ae [sctp]
 [<d0a34bf8>] sctp_outq_flush+0x555/0x587 [sctp]
 [<d0a34d3c>] sctp_retransmit+0xf8/0x10f [sctp]
 [<d0a3d183>] sctp_icmp_frag_needed+0x57/0x5b [sctp]
 [<d0a3ece2>] sctp_v6_err+0xcd/0x148 [sctp]
 [<d09cf1ce>] icmpv6_notify+0xe6/0x167 [ipv6]
 [<d09d009a>] icmpv6_rcv+0x7d7/0x849 [ipv6]
 [<d09be240>] ip6_input+0x1dc/0x310 [ipv6]
 [<d09be965>] ipv6_rcv+0x294/0x2df [ipv6]
 [<c05c3789>] netif_receive_skb+0x2d2/0x335
 [<c05c5733>] process_backlog+0x7f/0xd0
 [<c05c58f6>] net_rx_action+0x96/0x17e
 [<c042e722>] __do_softirq+0x64/0xcd
 [<c0406f37>] do_softirq+0x5c/0xac
 =======================
Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 <f3> a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01
EIP: [<c05be62a>] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc
Kernel panic - not syncing: Fatal exception in interrupt

Arnaldo says:
====================
Thanks! I'm to blame for this one, problem was introduced in:

b0e380b1d8

@@ -761,7 +762,7 @@ slow_path:
                /*
                 *      Copy a block of the IP datagram.
                 */
-               if (skb_copy_bits(skb, ptr, frag->h.raw, len))
+               if (skb_copy_bits(skb, ptr, skb_transport_header(skb),
len))
                        BUG();
                left -= len;
====================

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
 		2007-08-21 20:59:08 -07:00
..
netfilter [NETFILTER]: Make nf_ct_ipv6_skip_exthdr() static. 2007-07-31 02:28:26 -07:00
Kconfig [IPV6] MIP6: Loadable module support for MIPv6. 2007-07-10 22:15:42 -07:00
Makefile [IPV6] MIP6: Loadable module support for MIPv6. 2007-07-10 22:15:42 -07:00
addrconf.c [IPV4/IPV6]: Fail registration if inet device construction fails 2007-07-31 02:28:16 -07:00
addrconf_core.c [IPV6]: ipv6_addr_type() doesn't know about RFC4193 addresses. 2007-07-31 02:28:21 -07:00
af_inet6.c [TCP]: Invoke tcp_sendmsg() directly, do not use inet_sendmsg(). 2007-08-02 19:42:28 -07:00
ah6.c [XFRM]: Add module alias for transformation type. 2007-07-10 22:15:43 -07:00
anycast.c [NET]: Make all initialized struct seq_operations const. 2007-07-10 23:07:31 -07:00
datagram.c [IPV6]: Do not send RH0 anymore. 2007-07-10 22:55:49 -07:00
esp6.c [XFRM]: Add module alias for transformation type. 2007-07-10 22:15:43 -07:00
exthdrs.c [IPV6]: Do not send RH0 anymore. 2007-07-10 22:55:49 -07:00
exthdrs_core.c [NET] IPV6: Fix whitespace errors. 2007-02-10 23:19:42 -08:00
fib6_rules.c [NETLINK]: Mark netlink policies const 2007-06-07 13:40:10 -07:00
icmp.c [IPV6]: MSG_ERRQUEUE messages do not pass to connected raw sockets 2007-07-14 23:53:08 -07:00
inet6_connection_sock.c [TCP]: Restore SKB socket owner setting in tcp_transmit_skb(). 2007-01-26 01:04:55 -08:00
inet6_hashtables.c [IPV6] HASHTABLES: Use appropriate seed for caluculating ehash index. 2007-02-12 20:26:39 -08:00
ip6_fib.c mm: Remove slab destructors from kmem_cache_create(). 2007-07-20 10:11:58 +09:00
ip6_flowlabel.c [NET]: Make all initialized struct seq_operations const. 2007-07-10 23:07:31 -07:00
ip6_input.c [IPV6]: Reverse sense of promisc tests in ip6_mc_input 2007-05-14 03:00:27 -07:00
ip6_output.c [IPV6]: Fix kernel panic while send SCTP data with IP fragments 2007-08-21 20:59:08 -07:00
ip6_tunnel.c ip6_tunnel - endianness annotations 2007-07-26 11:11:56 -07:00
ipcomp6.c [XFRM]: Add module alias for transformation type. 2007-07-10 22:15:43 -07:00
ipv6_sockglue.c [IPv6]: Invalid semicolon after if statement 2007-08-15 15:07:30 -07:00
mcast.c [NET]: Make all initialized struct seq_operations const. 2007-07-10 23:07:31 -07:00
mip6.c [XFRM]: Add module alias for transformation type. 2007-07-10 22:15:43 -07:00
ndisc.c [IPV6] NDISC: Fix thinko to control Router Preference support. 2007-06-22 16:07:04 -07:00
netfilter.c [SK_BUFF]: Introduce ipv6_hdr(), remove skb->nh.ipv6h 2007-04-25 22:25:14 -07:00
proc.c [IPV6]: Track device renames in snmp6. 2007-04-28 21:16:39 -07:00
protocol.c [IPV6]: Decentralize EXPORT_SYMBOLs. 2007-04-25 22:23:36 -07:00
raw.c [NET]: Make all initialized struct seq_operations const. 2007-07-10 23:07:31 -07:00
reassembly.c [SK_BUFF]: unions of just one member don't get anything done, kill them 2007-04-25 22:26:20 -07:00
route.c [IPV6]: Don't update ADVMSS on routes where the MTU is not also updated 2007-07-31 02:28:04 -07:00
sit.c [NET]: Avoid copying writable clones in tunnel drivers 2007-07-10 22:19:05 -07:00
sysctl_net_ipv6.c [PATCH] sysctl: remove insert_at_head from register_sysctl 2007-02-14 08:09:59 -08:00
tcp_ipv6.c [IPV6]: Clean up duplicate includes in net/ipv6/ 2007-08-13 22:52:03 -07:00
tunnel6.c [IPSEC]: changing API of xfrm6_tunnel_register 2007-02-13 12:55:55 -08:00
udp.c [UDP]: Revert 2-pass hashing changes. 2007-06-07 13:40:50 -07:00
udp_impl.h [UDP]: Revert 2-pass hashing changes. 2007-06-07 13:40:50 -07:00
udplite.c [UDP]: Revert 2-pass hashing changes. 2007-06-07 13:40:50 -07:00
xfrm6_input.c [IPSEC]: Fix panic when using inter address familiy IPsec on loopback. 2007-05-31 01:23:28 -07:00
xfrm6_mode_beet.c [SK_BUFF]: unions of just one member don't get anything done, kill them 2007-04-25 22:26:20 -07:00
xfrm6_mode_ro.c [SK_BUFF]: Some more layer header conversions 2007-04-25 22:26:03 -07:00
xfrm6_mode_transport.c [SK_BUFF]: unions of just one member don't get anything done, kill them 2007-04-25 22:26:20 -07:00
xfrm6_mode_tunnel.c [IPSEC]: Fix panic when using inter address familiy IPsec on loopback. 2007-05-31 01:23:28 -07:00
xfrm6_output.c [SK_BUFF]: Introduce skb_reset_network_header(skb) 2007-04-25 22:24:46 -07:00
xfrm6_policy.c [IPV6] MIP6: Loadable module support for MIPv6. 2007-07-10 22:15:42 -07:00
xfrm6_state.c [IPV6] MIP6: Loadable module support for MIPv6. 2007-07-10 22:15:42 -07:00
xfrm6_tunnel.c mm: Remove slab destructors from kmem_cache_create(). 2007-07-20 10:11:58 +09:00