Message ID | 1269981913-18073-1-git-send-email-steve@digidescorp.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |

From: "Steven J. Magnani" <steve@digidescorp.com>
Date: Tue, 30 Mar 2010 15:45:13 -0500

> tcp_read_sock() can have a eat skbs without immediately advancing copied_seq.
> This can cause a panic in tcp_collapse() if it is called as a result
> of the recv_actor dropping the socket lock.
>
> A userspace program that splices data from a socket to either another
> socket or to a file can trigger this bug.
>
> Signed-off-by: Steven J. Magnani <steve@digidescorp.com>

Thanks for fixing this I'll look at your patch more closely right now.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

From: David Miller <davem@davemloft.net>
Date: Tue, 30 Mar 2010 13:47:41 -0700 (PDT)

> From: "Steven J. Magnani" <steve@digidescorp.com>
> Date: Tue, 30 Mar 2010 15:45:13 -0500
>
>> tcp_read_sock() can have a eat skbs without immediately advancing copied_seq.
>> This can cause a panic in tcp_collapse() if it is called as a result
>> of the recv_actor dropping the socket lock.
>>
>> A userspace program that splices data from a socket to either another
>> socket or to a file can trigger this bug.
>>
>> Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
>
> Thanks for fixing this I'll look at your patch more closely
> right now.

Patch applied, thanks Steven!

diff -uprN a/net/ipv4/tcp.c b/net/ipv4/tcp.c --- a/net/ipv4/tcp.c 2010-03-30 15:25:55.000000000 -0500 +++ b/net/ipv4/tcp.c 2010-03-30 15:27:49.000000000 -0500 @@ -1335,6 +1335,7 @@ int tcp_read_sock(struct sock *sk, read_ sk_eat_skb(sk, skb, 0); if (!desc->count) break; + tp->copied_seq = seq; } tp->copied_seq = seq;
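
Review bot: The added tp->copied_seq = seq; inside the loop carries no comment, and next to the identical assignment right after the closing brace it reads as redundant, so a later cleanup could drop it and reintroduce the panic. Add a one-line comment above it saying that copied_seq has to be advanced on every iteration because the recv_actor may drop the socket lock and tcp_collapse() can then run against skbs that sk_eat_skb() has already consumed, as the commit message describes. Placing it after the if (!desc->count) break; check looks fine, since the break path reaches the existing assignment after the loop.
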
tcp_read_sock() can have a eat skbs without immediately advancing copied_seq.
This can cause a panic in tcp_collapse() if it is called as a result
of the recv_actor dropping the socket lock.

A userspace program that splices data from a socket to either another
socket or to a file can trigger this bug.

Signed-off-by: Steven J. Magnani <steve@digidescorp.com>