kernel-ark/net
Daniel Lezcano bdccc4ca13 tcp: fix kernel panic with listening_get_next
# BUG: unable to handle kernel NULL pointer dereference at
0000000000000038
IP: [<ffffffff821ed01e>] listening_get_next+0x50/0x1b3
PGD 11e4b9067 PUD 11d16c067 PMD 0
Oops: 0000 [1] SMP
last sysfs file: /sys/devices/system/cpu/cpu3/cache/index2/shared_cpu_map
CPU 3
Modules linked in: bridge ipv6 button battery ac loop dm_mod tg3 ext3
jbd edd fan thermal processor thermal_sys hwmon sg sata_svw libata dock
serverworks sd_mod scsi_mod ide_disk ide_core [last unloaded: freq_table]
Pid: 3368, comm: slpd Not tainted 2.6.26-rc2-mm1-lxc4 #1
RIP: 0010:[<ffffffff821ed01e>] [<ffffffff821ed01e>]
listening_get_next+0x50/0x1b3
RSP: 0018:ffff81011e1fbe18 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8100be0ad3c0 RCX: ffff8100619f50c0
RDX: ffffffff82475be0 RSI: ffff81011d9ae6c0 RDI: ffff8100be0ad508
RBP: ffff81011f4f1240 R08: 00000000ffffffff R09: ffff8101185b6780
R10: 000000000000002d R11: ffffffff820fdbfa R12: ffff8100be0ad3c8
R13: ffff8100be0ad6a0 R14: ffff8100be0ad3c0 R15: ffffffff825b8ce0
FS: 00007f6a0ebd16d0(0000) GS:ffff81011f424540(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000038 CR3: 000000011dc20000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process slpd (pid: 3368, threadinfo ffff81011e1fa000, task
ffff81011f4b8660)
Stack: 00000000000002ee ffff81011f5a57c0 ffff81011f4f1240
ffff81011e1fbe90
0000000000001000 0000000000000000 00007fff16bf2590 ffffffff821ed9c8
ffff81011f5a57c0 ffff81011d9ae6c0 000000000000041a ffffffff820b0abd
Call Trace:
[<ffffffff821ed9c8>] ? tcp_seq_next+0x34/0x7e
[<ffffffff820b0abd>] ? seq_read+0x1aa/0x29d
[<ffffffff820d21b4>] ? proc_reg_read+0x73/0x8e
[<ffffffff8209769c>] ? vfs_read+0xaa/0x152
[<ffffffff82097a7d>] ? sys_read+0x45/0x6e
[<ffffffff8200bd2b>] ? system_call_after_swapgs+0x7b/0x80


Code: 31 a9 25 00 e9 b5 00 00 00 ff 45 20 83 7d 0c 01 75 79 4c 8b 75 10
48 8b 0e eb 1d 48 8b 51 20 0f b7 45 08 39 02 75 0e 48 8b 41 28 <4c> 39
78 38 0f 84 93 00 00 00 48 8b 09 48 85 c9 75 de 8b 55 1c
RIP [<ffffffff821ed01e>] listening_get_next+0x50/0x1b3
RSP <ffff81011e1fbe18>
CR2: 0000000000000038

This kernel panic appears with CONFIG_NET_NS=y.

How to reproduce ?

    On the buggy host (host A)
       * ip addr add 1.2.3.4/24 dev eth0

    On a remote host (host B)
       * ip addr add 1.2.3.5/24 dev eth0
       * iptables -A INPUT -p tcp -s 1.2.3.4 -j DROP
       * ssh 1.2.3.4

    On host A:
       * netstat -ta or cat /proc/net/tcp

This bug happens when reading /proc/net/tcp[6] when there is a req_sock
at the SYN_RECV state.

When a SYN is received the minisock is created and the sk field is set to
NULL. In the listening_get_next function, we try to look at the field 
req->sk->sk_net.

When looking at how to fix this bug, I noticed that is useless to do
the check for the minisock belonging to the namespace. A minisock belongs
to a listen point and this one is per namespace, so when browsing the
minisock they are always per namespace.

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-07-19 00:15:13 -07:00
..
9p 9p: fix error path during early mount 2008-05-14 19:23:27 -05:00
802 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
8021q Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
appletalk [NET] NETNS: Omit net_device->nd_net without CONFIG_NET_NS. 2008-03-26 04:39:53 +09:00
atm atm: use const where reasonable 2008-06-17 16:20:06 -07:00
ax25 ax25: Fix std timer socket destroy handling. 2008-06-17 21:26:37 -07:00
bluetooth net: remove CVS keywords 2008-06-11 21:00:38 -07:00
bridge Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
can can: add sanity checks 2008-07-05 23:38:43 -07:00
core pkt_sched: Manage qdisc list inside of root qdisc. 2008-07-18 22:50:15 -07:00
dccp mib: add net to NET_INC_STATS_BH 2008-07-16 20:31:16 -07:00
decnet sock: add net to prot->enter_memory_pressure callback 2008-07-16 20:28:10 -07:00
econet econet: Use sock_orphan() instead of open-coded (and buggy) variant. 2008-06-17 03:01:47 -07:00
ethernet [NET]: Return more appropriate error from eth_validate_addr(). 2008-04-13 22:45:40 -07:00
ieee80211 wext: Emit event stream entries correctly when compat. 2008-06-16 18:50:49 -07:00
ipv4 tcp: fix kernel panic with listening_get_next 2008-07-19 00:15:13 -07:00
ipv6 tcp: Fix MD5 signatures for non-linear skbs 2008-07-19 00:01:42 -07:00
ipx [NET] NETNS: Omit net_device->nd_net without CONFIG_NET_NS. 2008-03-26 04:39:53 +09:00
irda Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
iucv Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
key Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2008-06-13 20:52:39 -07:00
lapb [LAPB] net/lapb/lapb_iface.c: use LIST_HEAD instead of LIST_HEAD_INIT 2008-01-28 14:56:52 -08:00
llc llc: Use sock_graft() instead of by-hand version. 2008-06-17 01:21:03 -07:00
mac80211 pkt_sched: Kill netdev_queue lock. 2008-07-17 19:21:30 -07:00
netfilter Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
netlabel Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
netlink Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2008-07-05 23:08:07 -07:00
netrom netdev: Allocate multiple queues for TX. 2008-07-17 19:21:00 -07:00
packet packet: add PACKET_RESERVE sockopt 2008-07-18 18:05:19 -07:00
rfkill rfkill: ignore errors from rfkill_toggle_radio in rfkill_add_switch 2008-07-08 14:16:03 -04:00
rose netdev: Allocate multiple queues for TX. 2008-07-17 19:21:00 -07:00
rxrpc MIB: add struct net to UDP_INC_STATS_BH 2008-07-05 21:18:48 -07:00
sched pkt_sched: Fix noqueue_qdisc initialization. 2008-07-18 23:00:11 -07:00
sctp sctp: Update sctp global memory limit allocations. 2008-07-18 23:08:21 -07:00
sunrpc Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
tipc tipc: Optimization to multicast name lookup algorithm 2008-07-14 22:45:33 -07:00
unix Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2008-06-28 01:19:40 -07:00
wanrouter net: Remove references to wan-router.txt in Kconfigs 2008-07-14 22:22:29 -07:00
wireless wext: make sysfs bits optional and deprecate them 2008-07-14 14:52:57 -04:00
x25 x25: Use sock_orphan() instead of open-coded (and buggy) variant. 2008-06-17 03:05:13 -07:00
xfrm xfrm: Add a XFRM_STATE_AF_UNSPEC flag to xfrm_usersa_info 2008-07-10 16:55:37 -07:00
compat.c net: Add compat support for getsockopt (MCAST_MSFILTER) 2008-04-29 03:23:22 -07:00
Kconfig net: Add STP demux layer 2008-07-05 21:25:39 -07:00
Makefile vlan: uninline __vlan_hwaccel_rx 2008-07-08 03:23:36 -07:00
nonet.c
socket.c wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c 2008-06-16 18:32:46 -07:00
sysctl_net.c net: remove CVS keywords 2008-06-11 21:00:38 -07:00
TUNABLE