[PATCH] IPv6: Fix kernel panic while send SCTP data with IP fragments
If ICMP6 message with "Packet Too Big" is received after send SCTP DATA,
kernel panic will occur when SCTP DATA is send again.

This is because of a bad dest address when call to skb_copy_bits().

The messages sequence is like this:

Endpoint A Endpoint B
<--- SCTP DATA (size=1432)
ICMP6 message --->
(Packet Too Big pmtu=1280)
<--- Resend SCTP DATA (size=1432)
kernel panic---
printing eip:
c05be62a
*pde =
Oops: 0002 [#1]
SMP
Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
CPU:0
EIP:0060:[]Not tainted VLI
EFLAGS: 00010282 (2.6.23-rc2 #1)
EIP is at skb_copy_bits+0x4f/0x1ef
eax: 04d0 ebx: ce12a980 ecx: 0134 edx: cfd5a880
esi: c8246858 edi: ebp: c0759b14 esp: c0759adc
ds: 007b es: 007b fs: 00d8 gs: ss: 0068
Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000)
Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 0028 cfd5a880
d09f1890 05dc 007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521
04d0 f96c 0200 0100 c0759b50 cfd5a880 0246 c0759bd4
Call Trace:
[] show_trace_log_lvl+0x1a/0x2f
[] show_stack_log_lvl+0x9b/0xa3
[] show_registers+0x1b8/0x289
[] die+0x113/0x246
[] do_page_fault+0x4ad/0x57e
[] error_code+0x72/0x78
[] ip6_output+0x8e5/0xab2 [ipv6]
[] ip6_xmit+0x2ea/0x3a3 [ipv6]
[] sctp_v6_xmit+0x248/0x253 [sctp]
[] sctp_packet_transmit+0x53f/0x5ae [sctp]
[] sctp_outq_flush+0x555/0x587 [sctp]
[] sctp_retransmit+0xf8/0x10f [sctp]
[] sctp_icmp_frag_needed+0x57/0x5b [sctp]
[] sctp_v6_err+0xcd/0x148 [sctp]
[] icmpv6_notify+0xe6/0x167 [ipv6]
[] icmpv6_rcv+0x7d7/0x849 [ipv6]
[] ip6_input+0x1dc/0x310 [ipv6]
[] ipv6_rcv+0x294/0x2df [ipv6]
[] netif_receive_skb+0x2d2/0x335
[] process_backlog+0x7f/0xd0
[] net_rx_action+0x96/0x17e
[] __do_softirq+0x64/0xcd
[] do_softirq+0x5c/0xac
===
Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01
EIP: [] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc
Kernel panic - not syncing: Fatal exception in interrupt

Following is the patch.

Signed-off-by: Wei Yongjun <[EMAIL PROTECTED]>

--- a/net/ipv6/ip6_output.c 2007-08-14 10:36:03.0 -0400 +++ b/net/ipv6/ip6_output.c 2007-08-17 15:33:35.0 -0400 @@ -794,7 +794,7 @@ slow_path: /* * Copy a block of the IP datagram. */ - if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len)) + if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len)) BUG(); left -= len;
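Review bot: the changelog's "bad dest address" does not say what was wrong with the third argument of skb_copy_bits() at @@ -794,7 +794,7 @@ slow_path, and it should. The removed line passed skb_transport_header(skb), a pointer into the packet being fragmented, as the destination, while the copy is meant to fill the fragment being built, which is what skb_transport_header(frag) supplies. It would also help triage to state that "Oops: 0002" is a kernel-mode write fault and that the call trace reaches it in softirq context from icmpv6_rcv through sctp_icmp_frag_needed and sctp_retransmit, that is, while handling a received Packet Too Big message.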
Re: [PATCH] IPv6: Fix kernel panic while send SCTP data with IP fragments
On Mon, Aug 20, 2007 at 09:28:27AM +0800, Wei Yongjun wrote:
> If ICMP6 message with "Packet Too Big" is received after send SCTP DATA,
> kernel panic will occur when SCTP DATA is send again.
>
> This is because of a bad dest address when call to skb_copy_bits().
>
> The messages sequence is like this:
>
> Endpoint A Endpoint B
> <--- SCTP DATA (size=1432)
> ICMP6 message --->
> (Packet Too Big pmtu=1280)
> <--- Resend SCTP DATA (size=1432)
> kernel panic---

Thanks! I'm to blame for this one, problem was introduced in:

b0e380b1d8a8e0aca215df97702f99815f05c094

@@ -761,7 +762,7 @@ slow_path: /* * Copy a block of the IP datagram. */ - if (skb_copy_bits(skb, ptr, frag->h.raw, len)) + if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len)) BUG(); left -= len;

So please add:

Signed-off-by: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>

To this patch.

- Arnaldo

> printing eip:
> c05be62a
> *pde =
> Oops: 0002 [#1]
> SMP
> Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output
> sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc
> parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi
> sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
> CPU:0
> EIP:0060:[]Not tainted VLI
> EFLAGS: 00010282 (2.6.23-rc2 #1)
> EIP is at skb_copy_bits+0x4f/0x1ef
> eax: 04d0 ebx: ce12a980 ecx: 0134 edx: cfd5a880
> esi: c8246858 edi: ebp: c0759b14 esp: c0759adc
> ds: 007b es: 007b fs: 00d8 gs: ss: 0068
> Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000)
> Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 0028 cfd5a880
> d09f1890 05dc 007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521
> 04d0 f96c 0200 0100 c0759b50 cfd5a880 0246 c0759bd4
> Call Trace:
> [] show_trace_log_lvl+0x1a/0x2f
> [] show_stack_log_lvl+0x9b/0xa3
> [] show_registers+0x1b8/0x289
> [] die+0x113/0x246
> [] do_page_fault+0x4ad/0x57e
> [] error_code+0x72/0x78
> [] ip6_output+0x8e5/0xab2 [ipv6]
> [] ip6_xmit+0x2ea/0x3a3 [ipv6]
> [] sctp_v6_xmit+0x248/0x253 [sctp]
> [] sctp_packet_transmit+0x53f/0x5ae [sctp]
> [] sctp_outq_flush+0x555/0x587 [sctp]
> [] sctp_retransmit+0xf8/0x10f [sctp]
> [] sctp_icmp_frag_needed+0x57/0x5b [sctp]
> [] sctp_v6_err+0xcd/0x148 [sctp]
> [] icmpv6_notify+0xe6/0x167 [ipv6]
> [] icmpv6_rcv+0x7d7/0x849 [ipv6]
> [] ip6_input+0x1dc/0x310 [ipv6]
> [] ipv6_rcv+0x294/0x2df [ipv6]
> [] netif_receive_skb+0x2d2/0x335
> [] process_backlog+0x7f/0xd0
> [] net_rx_action+0x96/0x17e
> [] __do_softirq+0x64/0xcd
> [] do_softirq+0x5c/0xac
> ===
> Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e
> 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 a5 89 c1 83 e1
> 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01
> EIP: [] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc
> Kernel panic - not syncing: Fatal exception in interrupt
>
> Following is the patch.
>
> Signed-off-by: Wei Yongjun <[EMAIL PROTECTED]>
>
> --- a/net/ipv6/ip6_output.c 2007-08-14 10:36:03.0 -0400 > +++ b/net/ipv6/ip6_output.c 2007-08-17 15:33:35.0 -0400 > @@ -794,7 +794,7 @@ slow_path: > /* >* Copy a block of the IP datagram. >*/ > - if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len)) > + if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len)) > BUG(); > left -= len;
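Review bot: in the hunk cited from b0e380b1d8a8e0aca215df97702f99815f05c094 (@@ -761,7 +762,7 @@ slow_path), the "+" line changes two things at once: the accessor (h.raw becomes skb_transport_header()) and the buffer it is applied to (frag becomes skb). A change that only swapped the accessor would read skb_transport_header(frag); the frag-to-skb substitution is what the fix at @@ -794,7 +794,7 @@ undoes. If that commit rewrote other call sites in the same way, they are worth re-reading for the same substitution.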
Re: [PATCH] IPv6: Fix kernel panic while send SCTP data with IP fragments
In article <[EMAIL PROTECTED]> (at Mon, 20 Aug 2007 09:28:27 +0800), Wei Yongjun <[EMAIL PROTECTED]> says:

> If ICMP6 message with "Packet Too Big" is received after send SCTP DATA,
> kernel panic will occur when SCTP DATA is send again.
>
> This is because of a bad dest address when call to skb_copy_bits().
:
> Signed-off-by: Wei Yongjun <[EMAIL PROTECTED]>

Acked-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>

--yoshfuji
Re: [PATCH] IPv6: Fix kernel panic while send SCTP data with IP fragments
Hi Arnaldo Carvalho de Melo:

On Mon, Aug 20, 2007 at 09:28:27AM +0800, Wei Yongjun wrote:

If ICMP6 message with "Packet Too Big" is received after send SCTP DATA,
kernel panic will occur when SCTP DATA is send again.

This is because of a bad dest address when call to skb_copy_bits().

The messages sequence is like this:

Endpoint A Endpoint B
<--- SCTP DATA (size=1432)
ICMP6 message --->
(Packet Too Big pmtu=1280)
<--- Resend SCTP DATA (size=1432)
kernel panic---

Thanks! I'm to blame for this one, problem was introduced in:

b0e380b1d8a8e0aca215df97702f99815f05c094

@@ -761,7 +762,7 @@ slow_path: /* * Copy a block of the IP datagram. */ - if (skb_copy_bits(skb, ptr, frag->h.raw, len)) + if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len)) BUG(); left -= len;

So please add:

Signed-off-by: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>

To this patch.

- Arnaldo

printing eip:
c05be62a
*pde =
Oops: 0002 [#1]
SMP
Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
CPU:0
EIP:0060:[]Not tainted VLI
EFLAGS: 00010282 (2.6.23-rc2 #1)
EIP is at skb_copy_bits+0x4f/0x1ef
eax: 04d0 ebx: ce12a980 ecx: 0134 edx: cfd5a880
esi: c8246858 edi: ebp: c0759b14 esp: c0759adc
ds: 007b es: 007b fs: 00d8 gs: ss: 0068
Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000)
Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 0028 cfd5a880
d09f1890 05dc 007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521
04d0 f96c 0200 0100 c0759b50 cfd5a880 0246 c0759bd4
Call Trace:
[] show_trace_log_lvl+0x1a/0x2f
[] show_stack_log_lvl+0x9b/0xa3
[] show_registers+0x1b8/0x289
[] die+0x113/0x246
[] do_page_fault+0x4ad/0x57e
[] error_code+0x72/0x78
[] ip6_output+0x8e5/0xab2 [ipv6]
[] ip6_xmit+0x2ea/0x3a3 [ipv6]
[] sctp_v6_xmit+0x248/0x253 [sctp]
[] sctp_packet_transmit+0x53f/0x5ae [sctp]
[] sctp_outq_flush+0x555/0x587 [sctp]
[] sctp_retransmit+0xf8/0x10f [sctp]
[] sctp_icmp_frag_needed+0x57/0x5b [sctp]
[] sctp_v6_err+0xcd/0x148 [sctp]
[] icmpv6_notify+0xe6/0x167 [ipv6]
[] icmpv6_rcv+0x7d7/0x849 [ipv6]
[] ip6_input+0x1dc/0x310 [ipv6]
[] ipv6_rcv+0x294/0x2df [ipv6]
[] netif_receive_skb+0x2d2/0x335
[] process_backlog+0x7f/0xd0
[] net_rx_action+0x96/0x17e
[] __do_softirq+0x64/0xcd
[] do_softirq+0x5c/0xac
===
Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01
EIP: [] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc
Kernel panic - not syncing: Fatal exception in interrupt

Following is the patch.

Have changed. Thanks

Regards

Signed-off-by: Wei Yongjun <[EMAIL PROTECTED]>
Signed-off-by: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>

--- a/net/ipv6/ip6_output.c 2007-08-14 10:36:03.0 -0400 +++ b/net/ipv6/ip6_output.c 2007-08-17 15:33:35.0 -0400 @@ -794,7 +794,7 @@ slow_path: /* * Copy a block of the IP datagram. */ - if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len)) + if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len)) BUG(); left -= len;
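Review bot: this resend adds the second Signed-off-by, but the description of the change at @@ -794,7 +794,7 @@ slow_path still does not name the commit identified in the thread as the origin, b0e380b1d8a8e0aca215df97702f99815f05c094. Citing it in the changelog lets maintainers tell which kernels carry the skb_transport_header(skb) destination in this skb_copy_bits() call and therefore need the fix backported.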
Re: [PATCH] IPv6: Fix kernel panic while send SCTP data with IP fragments
From: Wei Yongjun <[EMAIL PROTECTED]>
Date: Mon, 20 Aug 2007 10:27:36 +0800

> Hi Arnaldo Carvalho de Melo:
> > On Mon, Aug 20, 2007 at 09:28:27AM +0800, Wei Yongjun wrote:
> >
> >> If ICMP6 message with "Packet Too Big" is received after send SCTP DATA,
> >> kernel panic will occur when SCTP DATA is send again.
> >>
> >> This is because of a bad dest address when call to skb_copy_bits().
> >>
> >> The messages sequence is like this:
> >>
> >> Endpoint A Endpoint B
> >> <--- SCTP DATA (size=1432)
> >> ICMP6 message --->
> >> (Packet Too Big pmtu=1280)
> >> <--- Resend SCTP DATA (size=1432)
> >> kernel panic---
> >>
> >
> > Thanks! I'm to blame for this one, problem was introduced in:
> >
> > b0e380b1d8a8e0aca215df97702f99815f05c094
> >
> > @@ -761,7 +762,7 @@ slow_path: > > /* > > * Copy a block of the IP datagram. > > */ > > - if (skb_copy_bits(skb, ptr, frag->h.raw, len)) > > + if (skb_copy_bits(skb, ptr, skb_transport_header(skb), > > len)) > > BUG(); > > left -= len;
> >
> > So please add:
> >
> > Signed-off-by: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>
> >
> > To this patch.
> >
> > - Arnaldo
> >
> >> printing eip:
> >> c05be62a
> >> *pde =
> >> Oops: 0002 [#1]
> >> SMP
> >> Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video
> >> output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac
> >> parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase
> >> scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
> >> CPU:0
> >> EIP:0060:[]Not tainted VLI
> >> EFLAGS: 00010282 (2.6.23-rc2 #1)
> >> EIP is at skb_copy_bits+0x4f/0x1ef
> >> eax: 04d0 ebx: ce12a980 ecx: 0134 edx: cfd5a880
> >> esi: c8246858 edi: ebp: c0759b14 esp: c0759adc
> >> ds: 007b es: 007b fs: 00d8 gs: ss: 0068
> >> Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000)
> >> Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 0028
> >> cfd5a880
> >> d09f1890 05dc 007b ce12a980 cfd5a880 c8bff838 c0759b88
> >> d09bc521
> >> 04d0 f96c 0200 0100 c0759b50 cfd5a880 0246
> >> c0759bd4
> >> Call Trace:
> >> [] show_trace_log_lvl+0x1a/0x2f
> >> [] show_stack_log_lvl+0x9b/0xa3
> >> [] show_registers+0x1b8/0x289
> >> [] die+0x113/0x246
> >> [] do_page_fault+0x4ad/0x57e
> >> [] error_code+0x72/0x78
> >> [] ip6_output+0x8e5/0xab2 [ipv6]
> >> [] ip6_xmit+0x2ea/0x3a3 [ipv6]
> >> [] sctp_v6_xmit+0x248/0x253 [sctp]
> >> [] sctp_packet_transmit+0x53f/0x5ae [sctp]
> >> [] sctp_outq_flush+0x555/0x587 [sctp]
> >> [] sctp_retransmit+0xf8/0x10f [sctp]
> >> [] sctp_icmp_frag_needed+0x57/0x5b [sctp]
> >> [] sctp_v6_err+0xcd/0x148 [sctp]
> >> [] icmpv6_notify+0xe6/0x167 [ipv6]
> >> [] icmpv6_rcv+0x7d7/0x849 [ipv6]
> >> [] ip6_input+0x1dc/0x310 [ipv6]
> >> [] ipv6_rcv+0x294/0x2df [ipv6]
> >> [] netif_receive_skb+0x2d2/0x335
> >> [] process_backlog+0x7f/0xd0
> >> [] net_rx_action+0x96/0x17e
> >> [] __do_softirq+0x64/0xcd
> >> [] do_softirq+0x5c/0xac
> >> ===
> >> Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f
> >> 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 a5 89 c1
> >> 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01
> >> EIP: [] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc
> >> Kernel panic - not syncing: Fatal exception in interrupt
> >>
> >> Following is the patch.
> >>
> Have changed. Thanks
>
> Regards
>
>
> Signed-off-by: Wei Yongjun <[EMAIL PROTECTED]>
> Signed-off-by: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>

Applied, thanks everyone.