linux/include/net
Vlad Yasevich 6552df6df2 sctp: Fix a race between ICMP protocol unreachable and connect()
commit 50b5d6ad63 upstream.

ICMP protocol unreachable handling completely disregarded
the fact that the user may have locked the socket.  It proceeded
to destroy the association, even though the user may have
held the lock and had a ref on the association.  This resulted
in the following:

Attempt to release alive inet socket f6afcc00

=========================
[ BUG: held lock freed! ]
-------------------------
somenu/2672 is freeing memory f6afcc00-f6afcfff, with a lock still held
there!
 (sk_lock-AF_INET){+.+.+.}, at: [<c122098a>] sctp_connect+0x13/0x4c
1 lock held by somenu/2672:
 #0:  (sk_lock-AF_INET){+.+.+.}, at: [<c122098a>] sctp_connect+0x13/0x4c

stack backtrace:
Pid: 2672, comm: somenu Not tainted 2.6.32-telco #55
Call Trace:
 [<c1232266>] ? printk+0xf/0x11
 [<c1038553>] debug_check_no_locks_freed+0xce/0xff
 [<c10620b4>] kmem_cache_free+0x21/0x66
 [<c1185f25>] __sk_free+0x9d/0xab
 [<c1185f9c>] sk_free+0x1c/0x1e
 [<c1216e38>] sctp_association_put+0x32/0x89
 [<c1220865>] __sctp_connect+0x36d/0x3f4
 [<c122098a>] ? sctp_connect+0x13/0x4c
 [<c102d073>] ? autoremove_wake_function+0x0/0x33
 [<c12209a8>] sctp_connect+0x31/0x4c
 [<c11d1e80>] inet_dgram_connect+0x4b/0x55
 [<c11834fa>] sys_connect+0x54/0x71
 [<c103a3a2>] ? lock_release_non_nested+0x88/0x239
 [<c1054026>] ? might_fault+0x42/0x7c
 [<c1054026>] ? might_fault+0x42/0x7c
 [<c11847ab>] sys_socketcall+0x6d/0x178
 [<c10da994>] ? trace_hardirqs_on_thunk+0xc/0x10
 [<c1002959>] syscall_call+0x7/0xb

This was because the sctp_wait_for_connect() would acquire the socket
lock and then proceed to release the last reference count on the
association, thus causing the full destruction path to finish freeing
the socket.

The simplest solution is to start a very short timer in case the socket
is owned by user.  When the timer expires, we can do some verification
and be able to do the release properly.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-01-07 14:43:18 -08:00
9p 9p: fix readdir corner cases 2009-11-02 08:43:45 -06:00
bluetooth
irda
iucv
netfilter ipv6: reassembly: use seperate reassembly queues for conntrack and local delivery 2010-01-06 15:04:39 -08:00
netns netfilter: nf_conntrack: fix hash resizing with namespaces 2010-02-23 07:37:53 -08:00
phonet
sctp sctp: Fix a race between ICMP protocol unreachable and connect() 2011-01-07 14:43:18 -08:00
tc_act
tipc
act_api.h
addrconf.h
af_ieee802154.h
af_rxrpc.h
af_unix.h
ah.h
arp.h
atmclip.h
ax25.h
ax88796.h
cfg80211.h
checksum.h
cipso_ipv4.h
compat.h net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
datalink.h
dcbnl.h
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h
dn_route.h
dn.h
dsa.h
dsfield.h
dst_ops.h
dst.h
esp.h
ethoc.h
fib_rules.h
flow.h
garp.h
gen_stats.h
genetlink.h
icmp.h
ieee80211_radiotap.h
ieee802154_netdev.h
ieee802154.h
if_inet6.h
inet_common.h
inet_connection_sock.h net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
inet_ecn.h
inet_frag.h
inet_hashtables.h
inet_sock.h
inet_timewait_sock.h net: Fix struct inet_timewait_sock bitfield annotation 2009-10-20 01:13:26 -07:00
inet6_connection_sock.h
inet6_hashtables.h
inetpeer.h
ip_fib.h net: Fix RPF to work with policy routing 2009-10-29 22:49:12 -07:00
ip_vs.h
ip.h netfilter: fix crashes in bridge netfilter caused by fragment jumps 2010-01-06 15:04:40 -08:00
ip6_checksum.h
ip6_fib.h
ip6_route.h
ip6_tunnel.h
ipcomp.h
ipconfig.h
ipip.h Revert "sit: stateless autoconf for isatap" 2009-09-26 20:28:07 -07:00
ipv6.h netfilter: fix crashes in bridge netfilter caused by fragment jumps 2010-01-06 15:04:40 -08:00
ipx.h
iw_handler.h
lapb.h
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
mac80211.h mac80211: Retry null data frame for power save 2010-04-01 15:58:52 -07:00
mip6.h
ndisc.h
neighbour.h
net_namespace.h
netdma.h
netevent.h
netlabel.h
netlink.h
netrom.h ax25: netrom: rose: Fix timer oopses 2010-02-09 04:50:56 -08:00
nexthop.h
nl802154.h
p8022.h
pkt_cls.h
pkt_sched.h
protocol.h
psnap.h
raw.h
rawv6.h
red.h
regulatory.h
request_sock.h
rose.h
route.h
rtnetlink.h
sch_generic.h
scm.h
slhc_vj.h
snmp.h
sock.h net: Fix struct sock bitfield annotation 2009-10-11 23:03:52 -07:00
stp.h
tcp_states.h
tcp.h tcp: Prevent overzealous packetization by SWS logic. 2010-09-26 17:21:20 -07:00
timewait_sock.h
transp_v6.h
udp.h net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
udplite.h
wext.h wext: add back wireless/ dir in sysfs for cfg80211 interfaces 2009-09-28 16:55:07 -04:00
wimax.h
wpan-phy.h
x25.h x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet. 2010-12-09 13:27:09 -08:00
x25device.h
xfrm.h