From: Daniel Borkmann
To: Robert Święcki
CC: linux-sctp@vger.kernel.org, linux-kernel@vger.kernel.org, vyasevich@gmail.com
Subject: Re: panic in skb_push via sctp
Date: Mon, 01 Dec 2014 18:36:25 +0100
Message-ID: <547CA719.6060101@redhat.com>

On 12/01/2014 05:49 PM, Robert Święcki wrote:
> I don't have much more, because my kernel is kASLRNized and gdb cannot
> handle that, but pasting output from kdb. Maybe somebody will be able
> to see something obvious.
>
> <0>[93699.703244] skbuff: skb_under_panic: text:ffffffff83cff03e
> len:104 put:56 head:ffff8803bd804ec0 data:ffff8803bd804ebc tail:0x64
> end:0xc0 dev:

Thanks for the report! At first glance, it looks like we should be using
MAX_HEADER instead of LL_MAX_HEADER here; could you try the following patch:

diff --git a/net/sctp/output.c b/net/sctp/output.c
index 42dffd4..fc5e45b 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -401,12 +401,12 @@ int sctp_packet_transmit(struct sctp_packet *packet) sk = chunk->skb->sk; /* Allocate the new skb. */ - nskb = alloc_skb(packet->size + LL_MAX_HEADER, GFP_ATOMIC); + nskb = alloc_skb(packet->size + MAX_HEADER, GFP_ATOMIC); if (!nskb) goto nomem; /* Make sure the outbound skb has enough header room reserved. */ - skb_reserve(nskb, packet->overhead + LL_MAX_HEADER); + skb_reserve(nskb, packet->overhead + MAX_HEADER); /* Set the owning socket so that we know where to get the * destination IP address.

> [9]kdb> bt
> Stack traceback for pid 14150
> 0xffff88039c81ebf0 14150 15338 1 9 R 0xffff88039c81f0f0 *trinity-c9
> Call Trace:
> [] ? skb_panic+0x154/0x220
> [] ? ip_queue_xmit+0x12e/0x16d0
> [] ? skb_push+0xc1/0x100
> [] ? ip_queue_xmit+0x12e/0x16d0
> [] ? __skb_checksum+0x110/0x730
> [] ? kmem_cache_free+0x1d2/0x210
> [] ? sctp_v4_xmit+0x101/0x1a0
> [] ? sctp_packet_transmit+0xf32/0x2050
> [] ? sctp_chunkify+0x4c/0x2a0
> [] ? kasan_poison_shadow+0x34/0x40
> [] ? sctp_csum_combine+0x20/0x20
> [] ? sctp_packet_release_owner+0x50/0x50
> [] ? sctp_outq_flush+0x6ee/0x2fa0
> [] ? preempt_count_add+0x16f/0x1b0
> [] ? sctp_outq_uncork+0x6d/0x90
> [] ? sctp_do_sm+0x2c25/0x4a40
> [] ? __ip_route_output_key+0xa50/0x2830
> [] ? xfrm_lookup_route+0x21/0x100
> [] ? ip_route_output_flow+0x69/0x90
> [] ? extract_entropy+0xa2/0x230
> [] ? sctp_v4_get_dst+0x65f/0x1040
> [] ? sctp_primitive_ASSOCIATE+0x84/0xd0
> [] ? sctp_sendmsg+0x15b6/0x29b0
> [] ? toggle_bp_slot.constprop.11+0x1d0/0x530
> [] ? generic_perform_write+0x266/0x450
> [] ? inet_sendmsg+0x231/0x360
> [] ? sock_sendmsg+0xc4/0x150
> [] ? __fdget+0x13/0x20
> [] ? sockfd_lookup_light+0x21/0x230
> [] ? SYSC_sendto+0x166/0x240
> [] ? syscall_trace_enter_phase2+0x2f2/0x640
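Review bot: the patch carries no commit message, and the hunk alone does not say why packet->overhead + LL_MAX_HEADER fell short here or by how much MAX_HEADER exceeds it; raising the alloc_skb() size and the skb_reserve() amount by the same constant keeps the two consistent, but the quoted panic gives the figure that needs justifying: put:56 from ip_queue_xmit against head ...4ec0 and data ...4ebc, a push that ended 4 bytes below head, so only 52 bytes of headroom were left at that point. Please state in the commit message what headroom the push in ip_queue_xmit needs on this path and why MAX_HEADER is a sufficient bound rather than merely a larger one, since if that push size is not fixed a constant reserve could still come up short.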
> [] ? SyS_sendto+0xe/0x10
> [] ? tracesys_phase2+0xd8/0xdd
>
> CONFIG_KASAN_INLINE enabled
> GPF could be caused by NULL-ptr deref or user memory access
> KGDB: re-enter exception: ALL breakpoints killed
> CPU: 9 PID: 14150 Comm: trinity-c9 Tainted: G B W I 3.18.0-rc1+ #8
> Hardware name: Dell Inc. Precision WorkStation T3500 /09KPNV, BIOS A08 09/16/2010
> Kernel panic - not syncing: Recursive entry to debugger
> Shutting down cpus with NMI
> PANIC: Recursive entry to debugger
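To make the numbers in the quoted panic record usable, here is an added C decoder (written for this page, not code from the thread or the kernel tree): it parses the skb_under_panic fields and reconstructs the buffer layout as it was before the failed skb_push(). The struct and helper names are ours; the input line is the one from the report.

```c
#include <stdio.h>
#include <string.h>

/* Numeric fields of the kernel's skb_under_panic record (kernel field names). */
struct under_panic {
    unsigned int len, put, tail, end;
    unsigned long long head, data;
};
/* Pre-push layout reconstructed from the record; these names are ours. */
struct headroom_report {
    long long underrun;        /* bytes by which data ended up below head */
    long long headroom_before; /* headroom that existed before the push   */
    long long len_before;      /* skb->len before 'put' was added         */
    int tail_consistent;       /* tail == headroom_before + len_before    */
};
/* The record quoted in the report above (copied from the thread). */
static const char report_line[] =
    "<0>[93699.703244] skbuff: skb_under_panic: text:ffffffff83cff03e "
    "len:104 put:56 head:ffff8803bd804ec0 data:ffff8803bd804ebc tail:0x64 end:0xc0 dev:";

/* Parse the six numeric fields; returns 0 on success, -1 if the line differs. */
static int parse_under_panic(const char *line, struct under_panic *p)
{
    const char *s = strstr(line, "len:");
    if (!s)
        return -1;
    return sscanf(s, "len:%u put:%u head:%llx data:%llx tail:%x end:%x",
                  &p->len, &p->put, &p->head, &p->data, &p->tail, &p->end) == 6 ? 0 : -1;
}

/* skb_push() has already moved data down by 'put' and grown len by 'put'
 * when the panic fires, so the layout before the push can be recovered. */
static void analyze_under_panic(const struct under_panic *p, struct headroom_report *r)
{
    r->underrun = (long long)p->head - (long long)p->data;
    r->headroom_before = (long long)p->put - r->underrun;
    r->len_before = (long long)p->len - (long long)p->put;
    r->tail_consistent = r->headroom_before + r->len_before == (long long)p->tail;
}

int main(void)
{
    struct under_panic p;
    struct headroom_report r;
    if (parse_under_panic(report_line, &p) != 0)
        return 1;
    analyze_under_panic(&p, &r);
    printf("put %u overran head by %lld; headroom before push %lld, len before %lld, tail %s\n",
           p.put, r.underrun, r.headroom_before, r.len_before, r.tail_consistent ? "ok" : "BAD");
    return 0;
}
```

For the quoted record this reports a 56-byte push meeting 52 bytes of headroom, 4 bytes short, with tail 0x64 matching the reconstructed pre-push layout.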