From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>, syzbot <syzkaller@googlegroups.com>, Gerrit Renker <gerrit@erg.abdn.ac.uk>, dccp@vger.kernel.org, "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 19/66] net: dccp: avoid crash in ccid3_hc_rx_send_feedback()
Date: Fri, 20 Jul 2018 14:13:36 +0200
Message-ID: <20180720121408.363216040@linuxfoundation.org>
In-Reply-To: <20180720121407.228772286@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 74174fe5634ffbf645a7ca5a261571f700b2f332 ]

On fast hosts or malicious bots, we trigger a DCCP_BUG() which
seems excessive.

syzbot reported :

BUG: delta (-6195) <= 0 at net/dccp/ccids/ccid3.c:628/ccid3_hc_rx_send_feedback()
CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.18.0-rc1+ #112
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 ccid3_hc_rx_send_feedback net/dccp/ccids/ccid3.c:628 [inline]
 ccid3_hc_rx_packet_recv.cold.16+0x38/0x71 net/dccp/ccids/ccid3.c:793
 ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
 dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
 dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
 dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
 sk_backlog_rcv include/net/sock.h:914 [inline]
 __sk_receive_skb+0x3ba/0xd80 net/core/sock.c:517
 dccp_v4_rcv+0x10f9/0x1f58 net/dccp/ipv4.c:875
 ip_local_deliver_finish+0x2eb/0xda0 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ip_local_deliver+0x1e9/0x750 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0x823/0x2220 net/ipv4/ip_input.c:396
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ip_rcv+0xa18/0x1284 net/ipv4/ip_input.c:492
 __netif_receive_skb_core+0x2488/0x3680 net/core/dev.c:4628
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693
 process_backlog+0x219/0x760 net/core/dev.c:5373
 napi_poll net/core/dev.c:5771 [inline]
 net_rx_action+0x7da/0x1980 net/core/dev.c:5837
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:284
 run_ksoftirqd+0x86/0x100 kernel/softirq.c:645
 smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk> Cc: dccp@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- net/dccp/ccids/ccid3.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/net/dccp/ccids/ccid3.c +++ b/net/dccp/ccids/ccid3.c @@ -624,9 +624,8 @@ static void ccid3_hc_rx_send_feedback(st case CCID3_FBACK_PERIODIC: delta = ktime_us_delta(now, hc->rx_tstamp_last_feedback); if (delta <= 0) - DCCP_BUG("delta (%ld) <= 0", (long)delta); - else - hc->rx_x_recv = scaled_div32(hc->rx_bytes_recv, delta); + delta = 1; + hc->rx_x_recv = scaled_div32(hc->rx_bytes_recv, delta); break; default: return;
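
Review bot: In the CCID3_FBACK_PERIODIC case, "delta = 1;" handles a zero interval and a negative one (the report shows -6195) identically, so hc->rx_x_recv becomes scaled_div32(hc->rx_bytes_recv, 1), the largest rate that byte count can yield, and nothing in the code says why. A negative result from ktime_us_delta(now, hc->rx_tstamp_last_feedback) means the stored feedback timestamp is ahead of now; the clamp hides that condition rather than explaining it. Suggest a short comment above the assignment stating that a non-positive delta is clamped to 1 microsecond so the divisor stays valid without the DCCP_BUG() stack dump, and a line in the changelog on whether the inflated rx_x_recv reported for that one feedback is acceptable.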