[BUG] scheduling while atomic when lseek()ing in /proc/net/tcp

[BUG] scheduling while atomic when lseek()ing in /proc/net/tcp

[Tore Anderson]

  Hi,

  The following code instantly freezes my all of my machines running 
 any of the beavers:

    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <stdio.h>

    int main(void) {
            char buf[8192];
            int fd, chars;
            fd = open("/proc/net/tcp", O_RDONLY);
            chars = read(fd, buf, sizeof(buf));
            lseek(fd, -chars+1, SEEK_CUR);
            close(fd);
            return 0;
    }

  It only happens when I lseek() anywhere from -chars+1 to -chars+150
 inclusive (in other words, somewhere on the first line).  I do not
 need root to abuse this, which makes it an excellent DoS attack for
 anyone with an unprivileged account.

  I do get an oops, but as I do not have a serial console I'd rather
 not transcribe it to paper and post it unless it's crucial to
 pinpointing the bug.

-- 
Tore Anderson

Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp

[Raj]

[-- Attachment #1: Type: text/plain, Size: 255 bytes --]

Tore Anderson wrote:

>  Hi,
>
>  The following code instantly freezes my all of my machines running 
> any of the beavers:
>  
>
The following patch fixed this, but i am _not_not_not sure whether this 
is the right way to do.
Any ideas folks ?

/Raj





[-- Attachment #2: lseek_crash.patch --]
[-- Type: text/plain, Size: 294 bytes --]

--- seq_file.c.org	2003-11-28 11:12:28.000000000 +0530
+++ seq_file.c	2003-11-28 11:44:44.968883784 +0530
@@ -213,6 +213,9 @@
 	switch (origin) {
 		case 1:
 			offset += file->f_pos;
+			if(offset >= 0)
+				retval = file->f_pos = offset;
+			break;
 		case 0:
 			if (offset < 0)
 				break;

Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp

[OGAWA Hirofumi]

Tore Anderson <tore@linpro.no> writes:

>     #include <sys/types.h>
>     #include <sys/stat.h>
>     #include <fcntl.h>
>     #include <unistd.h>
>     #include <stdio.h>
> 
>     int main(void) {
>             char buf[8192];
>             int fd, chars;
>             fd = open("/proc/net/tcp", O_RDONLY);
>             chars = read(fd, buf, sizeof(buf));
>             lseek(fd, -chars+1, SEEK_CUR);
>             close(fd);
>             return 0;
>     }

This seems to need initialization of st->state in tcp_seq_start().
tcp_seq_stop() is run with previous st->state, so it call the unneeded
unlock etc.

 net/ipv4/tcp_ipv4.c |    1 +
 1 files changed, 1 insertion(+)

diff -puN net/ipv4/tcp_ipv4.c~tcp_seq-oops-fix net/ipv4/tcp_ipv4.c
--- linux-2.6.0-test11/net/ipv4/tcp_ipv4.c~tcp_seq-oops-fix	2003-11-29 00:52:15.000000000 +0900
+++ linux-2.6.0-test11-hirofumi/net/ipv4/tcp_ipv4.c	2003-11-29 00:52:28.000000000 +0900
@@ -2356,6 +2356,7 @@ static void *tcp_get_idx(struct seq_file
 static void *tcp_seq_start(struct seq_file *seq, loff_t *pos)
 {
 	struct tcp_iter_state* st = seq->private;
+	st->state = TCP_SEQ_STATE_LISTENING;
 	st->num = 0;
 	return *pos ? tcp_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
 }

_
-- 
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp

[David S. Miller]

On Sat, 29 Nov 2003 02:12:38 +0900
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> wrote:

> This seems to need initialization of st->state in tcp_seq_start().
> tcp_seq_stop() is run with previous st->state, so it call the unneeded
> unlock etc.

Patch applied, arigato Hirofumi-san.