This is a note to let you know that I've just added the patch titled
net: sctp: do not trigger BUG_ON in sctp_cmd_delete_tcb
to the 3.11-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
net-sctp-do-not-trigger-bug_on-in-sctp_cmd_delete_tcb.patch
and it can be found in the queue-3.11 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 4de3b2820b148893b9b901368eeae1c34d739a17 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <dborkman@xxxxxxxxxx>
Date: Thu, 31 Oct 2013 09:13:32 +0100
Subject: net: sctp: do not trigger BUG_ON in sctp_cmd_delete_tcb
From: Daniel Borkmann <dborkman@xxxxxxxxxx>
[ Upstream commit 7926c1d5be0b7cbe5b8d5c788d7d39237e7b212c ]
Introduced in f9e42b853523 ("net: sctp: sideeffect: throw BUG if
primary_path is NULL"), we intended to find a buggy assoc that's
part of the assoc hash table with a primary_path that is NULL.
However, we better remove the BUG_ON for now and find a more
suitable place to assert for these things as Mark reports that
this also triggers the bug when duplication cookie processing
happens, and the assoc is not part of the hash table (so all
good in this case). Such a situation can for example easily be
reproduced by:
tc qdisc add dev eth0 root handle 1: prio bands 2 priomap 1 1 1 1 1 1
tc qdisc add dev eth0 parent 1:2 handle 20: netem loss 20%
tc filter add dev eth0 protocol ip parent 1: prio 2 u32 match ip \
protocol 132 0xff match u8 0x0b 0xff at 32 flowid 1:2
This drops 20% of COOKIE-ACK packets. After some follow-up
discussion with Vlad we came to the conclusion that for now we
should still better remove this BUG_ON() assertion, and come up
with two follow-ups later on, that is, i) find a more suitable
place for this assertion, and possibly ii) have a special
allocator/initializer for such kind of temporary assocs.
Reported-by: Mark Thomas <Mark.Thomas@xxxxxxxxxxxxxx>
Signed-off-by: Vlad Yasevich <vyasevich@xxxxxxxxx>
Signed-off-by: Daniel Borkmann <dborkman@xxxxxxxxxx>
Acked-by: Neil Horman <nhorman@xxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/sctp/sm_sideeffect.c | 1 -
1 file changed, 1 deletion(-)
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -866,7 +866,6 @@ static void sctp_cmd_delete_tcb(sctp_cmd
(!asoc->temp) && (sk->sk_shutdown != SHUTDOWN_MASK))
return;
- BUG_ON(asoc->peer.primary_path == NULL);
sctp_unhash_established(asoc);
sctp_association_free(asoc);
}
Patches currently in stable-queue which might be from dborkman@xxxxxxxxxx are
queue-3.11/net-sctp-do-not-trigger-bug_on-in-sctp_cmd_delete_tcb.patch
queue-3.11/net-flow_dissector-fail-on-evil-iph-ihl.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html