* [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp
From: Tore Anderson @ 2003-11-27 23:05 UTC (permalink / raw)
To: linux-kernel
Hi,
The following code instantly freezes all of my machines running
any of the beavers:
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

int main(void) {
	char buf[8192];
	int fd, chars;

	/* read the first chunk of the seq_file */
	fd = open("/proc/net/tcp", O_RDONLY);
	if (fd < 0) {
		perror("open");
		return 1;
	}
	chars = read(fd, buf, sizeof(buf));
	if (chars <= 0) {
		perror("read");
		close(fd);
		return 1;
	}
	/* seek back into the first line (SEEK_CUR, offset 1): this is what oopses */
	lseek(fd, -chars+1, SEEK_CUR);
	close(fd);
	return 0;
}
It only happens when I lseek() anywhere from -chars+1 to -chars+150
inclusive (in other words, somewhere on the first line). I do not
need root to abuse this, which makes it an excellent DoS attack for
anyone with an unprivileged account.
I do get an oops, but as I do not have a serial console I'd rather
not transcribe it to paper and post it unless it's crucial to
pinpointing the bug.
--
Tore Anderson
* Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp
From: Raj @ 2003-11-28 6:19 UTC (permalink / raw)
To: Tore Anderson; +Cc: linux-kernel
Tore Anderson wrote:
> Hi,
>
> The following code instantly freezes my all of my machines running
> any of the beavers:
>
>
The following patch fixed this, but I am _not_not_not sure whether this
is the right way to do it.
Any ideas, folks?
/Raj
[-- Attachment #2: lseek_crash.patch --]
--- seq_file.c.org 2003-11-28 11:12:28.000000000 +0530
+++ seq_file.c 2003-11-28 11:44:44.968883784 +0530
@@ -213,6 +213,9 @@
switch (origin) {
case 1:
offset += file->f_pos;
+ if(offset >= 0)
+ retval = file->f_pos = offset;
+ break;
case 0:
if (offset < 0)
break;
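Review bot: the new `break;` in `case 1` (SEEK_CUR) turns what reads as a deliberate fall-through into `case 0` into an early exit, so a relative seek now assigns `file->f_pos = offset` directly and skips whatever `case 0` does after its `if (offset < 0)` check for an absolute seek to the same position; the two seek modes should leave the seq_file in the same state, so keep the original structure (compute the absolute offset in `case 1` and fall through) and fix the iterator that actually oopses instead. Also, when the computed offset is negative the hunk leaves `retval` at whatever it was initialised to above the hunk with no visible error path, and `if(offset >= 0)` wants a space after `if` per kernel style.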
* Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp
From: OGAWA Hirofumi @ 2003-11-28 17:12 UTC (permalink / raw)
To: Tore Anderson; +Cc: David S. Miller, linux-kernel
Tore Anderson <tore@linpro.no> writes:
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <fcntl.h>
> #include <unistd.h>
> #include <stdio.h>
>
> int main(void) {
> char buf[8192];
> int fd, chars;
> fd = open("/proc/net/tcp", O_RDONLY);
> chars = read(fd, buf, sizeof(buf));
> lseek(fd, -chars+1, SEEK_CUR);
> close(fd);
> return 0;
> }
This seems to need initialization of st->state in tcp_seq_start().
tcp_seq_stop() is run with the previous st->state, so it calls the unneeded
unlock etc.
net/ipv4/tcp_ipv4.c | 1 +
1 files changed, 1 insertion(+)
diff -puN net/ipv4/tcp_ipv4.c~tcp_seq-oops-fix net/ipv4/tcp_ipv4.c
--- linux-2.6.0-test11/net/ipv4/tcp_ipv4.c~tcp_seq-oops-fix 2003-11-29 00:52:15.000000000 +0900
+++ linux-2.6.0-test11-hirofumi/net/ipv4/tcp_ipv4.c 2003-11-29 00:52:28.000000000 +0900
@@ -2356,6 +2356,7 @@ static void *tcp_get_idx(struct seq_file
static void *tcp_seq_start(struct seq_file *seq, loff_t *pos)
{
struct tcp_iter_state* st = seq->private;
+ st->state = TCP_SEQ_STATE_LISTENING;
st->num = 0;
return *pos ? tcp_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
}
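Review bot: the reset of `st->state` deserves a one-line comment above the assignment saying why it is there: `tcp_seq_start()` is entered again after a seek, and `tcp_seq_stop()` picks its unlock from `st->state`, so a stale value from the previous walk makes it release a lock it does not hold; without the comment the next refactor of `tcp_seq_start()` is likely to drop the line as redundant. It is also worth confirming that any other per-walk fields of `struct tcp_iter_state` that `tcp_get_idx()` depends on are reset beside `st->num` for the same reason.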
--
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
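A user-space model of the start/stop protocol Hirofumi describes, added here as an illustration; it is not code from the thread or from the kernel. The model assumes a two-table walk (a lock-free LISTENING table and an ESTABLISHED table that takes a lock while it is being walked) and stop() choosing its unlock from the saved state, which is the shape of the bug: a read that ends in ESTABLISHED leaves that state behind, the seek restarts the iterator at position 0 without touching it, and the following stop() unlocks a lock that was never taken. `seq_start_buggy` and `seq_start_fixed` differ only in the one-line reset from the patch; all names are this model's own.

```c
#include <stdio.h>
#include <string.h>

/* Model of the two walk states; names are assumptions of this model. */
enum { STATE_LISTENING, STATE_ESTABLISHED };

struct iter_state {
	int state;		/* table the walk is currently in */
	int num;		/* entries emitted so far, reset on every start */
	int est_locked;		/* 1 while the ESTABLISHED table lock is held */
	int lock_errors;	/* unlocks issued without a matching lock */
};

/* Walking into the ESTABLISHED table takes its lock, like the real iterator. */
static void walk_to(struct iter_state *st, int target_state)
{
	if (target_state == STATE_ESTABLISHED && st->state != STATE_ESTABLISHED) {
		st->est_locked = 1;
		st->state = STATE_ESTABLISHED;
	}
}

/* stop() keys its unlock on st->state alone; with stale state it
 * performs the "unneeded unlock" from the report. */
static void seq_stop(struct iter_state *st)
{
	if (st->state == STATE_ESTABLISHED) {
		if (!st->est_locked)
			st->lock_errors++;	/* unbalanced unlock: the oops in the real kernel */
		st->est_locked = 0;
	}
}

/* start() as before the patch: num is reset, state is left over from the last walk. */
static void seq_start_buggy(struct iter_state *st, long pos)
{
	st->num = 0;
	if (pos > 0)
		walk_to(st, STATE_ESTABLISHED);
}

/* start() with the one-line reset from the patch. */
static void seq_start_fixed(struct iter_state *st, long pos)
{
	st->state = STATE_LISTENING;
	st->num = 0;
	if (pos > 0)
		walk_to(st, STATE_ESTABLISHED);
}

/* Replays the reported sequence: a read that reaches ESTABLISHED and stops,
 * then an lseek back into the first line, which restarts at pos 0 and stops.
 * Returns the number of unbalanced unlocks the walk produced. */
static int replay_lseek(void (*start)(struct iter_state *, long))
{
	struct iter_state st;

	memset(&st, 0, sizeof st);
	start(&st, 1);	/* first read(): walks into the ESTABLISHED table */
	seq_stop(&st);	/* releases its lock, leaves state == ESTABLISHED */
	start(&st, 0);	/* seek back to offset 0: restart, nothing locked */
	seq_stop(&st);	/* buggy start: unlocks a lock that is not held */
	return st.lock_errors;
}

int main(void)
{
	printf("unbalanced unlocks without reset: %d\n", replay_lseek(seq_start_buggy));
	printf("unbalanced unlocks with reset:    %d\n", replay_lseek(seq_start_fixed));
	return 0;
}
```

The model counts the imbalance instead of crashing; in the kernel the extra unlock is what corrupts the lock and preemption state and produces the "scheduling while atomic" report. The general lesson is the same for any start()/stop() pair: stop() may only rely on state that start() fully reinitialises, because a seek can pair a fresh start() with leftovers from an earlier walk.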
* Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp
From: David S. Miller @ 2003-11-30 4:42 UTC (permalink / raw)
To: OGAWA Hirofumi; +Cc: tore, linux-kernel
On Sat, 29 Nov 2003 02:12:38 +0900
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> wrote:
> This seems to need initialization of st->state in tcp_seq_start().
> tcp_seq_stop() is run with the previous st->state, so it calls the unneeded
> unlock etc.
Patch applied, arigato Hirofumi-san.