From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Gerrit Renker <gerrit@erg.abdn.ac.uk>,
dccp@vger.kernel.org, "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 13/31] net: dccp: avoid crash in ccid3_hc_rx_send_feedback()
Date: Fri, 20 Jul 2018 14:13:43 +0200 [thread overview]
Message-ID: <20180720121340.633256628@linuxfoundation.org> (raw)
In-Reply-To: <20180720121340.158484922@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 74174fe5634ffbf645a7ca5a261571f700b2f332 ]
On fast hosts or malicious bots, we trigger a DCCP_BUG() which
seems excessive.
syzbot reported :
BUG: delta (-6195) <= 0 at net/dccp/ccids/ccid3.c:628/ccid3_hc_rx_send_feedback()
CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.18.0-rc1+ #112
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
ccid3_hc_rx_send_feedback net/dccp/ccids/ccid3.c:628 [inline]
ccid3_hc_rx_packet_recv.cold.16+0x38/0x71 net/dccp/ccids/ccid3.c:793
ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
sk_backlog_rcv include/net/sock.h:914 [inline]
__sk_receive_skb+0x3ba/0xd80 net/core/sock.c:517
dccp_v4_rcv+0x10f9/0x1f58 net/dccp/ipv4.c:875
ip_local_deliver_finish+0x2eb/0xda0 net/ipv4/ip_input.c:215
NF_HOOK include/linux/netfilter.h:287 [inline]
ip_local_deliver+0x1e9/0x750 net/ipv4/ip_input.c:256
dst_input include/net/dst.h:450 [inline]
ip_rcv_finish+0x823/0x2220 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:287 [inline]
ip_rcv+0xa18/0x1284 net/ipv4/ip_input.c:492
__netif_receive_skb_core+0x2488/0x3680 net/core/dev.c:4628
__netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693
process_backlog+0x219/0x760 net/core/dev.c:5373
napi_poll net/core/dev.c:5771 [inline]
net_rx_action+0x7da/0x1980 net/core/dev.c:5837
__do_softirq+0x2e8/0xb17 kernel/softirq.c:284
run_ksoftirqd+0x86/0x100 kernel/softirq.c:645
smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
kthread+0x345/0x410 kernel/kthread.c:240
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Cc: dccp@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dccp/ccids/ccid3.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/net/dccp/ccids/ccid3.c
+++ b/net/dccp/ccids/ccid3.c
@@ -624,9 +624,8 @@ static void ccid3_hc_rx_send_feedback(st
case CCID3_FBACK_PERIODIC:
delta = ktime_us_delta(now, hc->rx_tstamp_last_feedback);
if (delta <= 0)
- DCCP_BUG("delta (%ld) <= 0", (long)delta);
- else
- hc->rx_x_recv = scaled_div32(hc->rx_bytes_recv, delta);
+ delta = 1;
+ hc->rx_x_recv = scaled_div32(hc->rx_bytes_recv, delta);
break;
default:
return;
next prev parent reply other threads:[~2018-07-20 12:26 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-20 12:13 [PATCH 4.4 00/31] 4.4.143-stable review Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 01/31] compiler, clang: suppress warning for unused static inline functions Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 02/31] compiler, clang: properly override inline for clang Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 03/31] compiler, clang: always inline when CONFIG_OPTIMIZE_INLINING is disabled Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 04/31] compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 05/31] x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h> Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 06/31] Revert "sit: reload iphdr in ipip6_rcv" Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 07/31] ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 08/31] bcm63xx_enet: correct clock usage Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 09/31] bcm63xx_enet: do not write to random DMA channel on BCM6345 Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 10/31] crypto: crypto4xx - remove bad list_del Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 11/31] crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 12/31] atm: zatm: Fix potential Spectre v1 Greg Kroah-Hartman
2018-07-20 12:13 ` Greg Kroah-Hartman [this message]
2018-07-20 12:13 ` [PATCH 4.4 14/31] net: dccp: switch rx_tstamp_last_feedback to monotonic clock Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 15/31] net/mlx5: Fix incorrect raw command length parsing Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 16/31] net: sungem: fix rx checksum support Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 17/31] qed: Limit msix vectors in kdump kernel to the minimum required count Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 18/31] r8152: napi hangup fix after disconnect Greg Kroah-Hartman
2018-08-24 16:38 ` Ben Hutchings
2018-08-25 7:43 ` Jiri Slaby
2018-09-12 18:54 ` Ben Hutchings
2018-07-20 12:13 ` [PATCH 4.4 19/31] tcp: fix Fast Open key endianness Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 21/31] vhost_net: validate sock before trying to put its fd Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 22/31] net_sched: blackhole: tell upper qdisc about dropped packets Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 23/31] net/mlx5: Fix command interface race in polling mode Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 24/31] net: cxgb3_main: fix potential Spectre v1 Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 25/31] rtlwifi: rtl8821ae: fix firmware is not ready to run Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 26/31] MIPS: Call dump_stack() from show_regs() Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 27/31] MIPS: Use async IPIs for arch_trigger_cpumask_backtrace() Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 28/31] netfilter: ebtables: reject non-bridge targets Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 29/31] KEYS: DNS: fix parsing multiple options Greg Kroah-Hartman
2018-07-20 12:14 ` [PATCH 4.4 30/31] rds: avoid unenecessary cong_update in loop transport Greg Kroah-Hartman
2018-07-20 12:14 ` [PATCH 4.4 31/31] net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL Greg Kroah-Hartman
2018-07-20 13:34 ` [PATCH 4.4 00/31] 4.4.143-stable review Nathan Chancellor
2018-07-21 7:38 ` Naresh Kamboju
2018-07-21 13:39 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180720121340.633256628@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dccp@vger.kernel.org \
--cc=edumazet@google.com \
--cc=gerrit@erg.abdn.ac.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).