This is a note to let you know that I've just added the patch titled net: sctp: do not trigger BUG_ON in sctp_cmd_delete_tcb to the 3.11-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: net-sctp-do-not-trigger-bug_on-in-sctp_cmd_delete_tcb.patch and it can be found in the queue-3.11 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 4de3b2820b148893b9b901368eeae1c34d739a17 Mon Sep 17 00:00:00 2001 From: Daniel Borkmann <dborkman@xxxxxxxxxx> Date: Thu, 31 Oct 2013 09:13:32 +0100 Subject: net: sctp: do not trigger BUG_ON in sctp_cmd_delete_tcb From: Daniel Borkmann <dborkman@xxxxxxxxxx> [ Upstream commit 7926c1d5be0b7cbe5b8d5c788d7d39237e7b212c ] Introduced in f9e42b853523 ("net: sctp: sideeffect: throw BUG if primary_path is NULL"), we intended to find a buggy assoc that's part of the assoc hash table with a primary_path that is NULL. However, we better remove the BUG_ON for now and find a more suitable place to assert for these things as Mark reports that this also triggers the bug when duplication cookie processing happens, and the assoc is not part of the hash table (so all good in this case). Such a situation can for example easily be reproduced by: tc qdisc add dev eth0 root handle 1: prio bands 2 priomap 1 1 1 1 1 1 tc qdisc add dev eth0 parent 1:2 handle 20: netem loss 20% tc filter add dev eth0 protocol ip parent 1: prio 2 u32 match ip \ protocol 132 0xff match u8 0x0b 0xff at 32 flowid 1:2 This drops 20% of COOKIE-ACK packets. After some follow-up discussion with Vlad we came to the conclusion that for now we should still better remove this BUG_ON() assertion, and come up with two follow-ups later on, that is, i) find a more suitable place for this assertion, and possibly ii) have a special allocator/initializer for such kind of temporary assocs. Reported-by: Mark Thomas <Mark.Thomas@xxxxxxxxxxxxxx> Signed-off-by: Vlad Yasevich <vyasevich@xxxxxxxxx> Signed-off-by: Daniel Borkmann <dborkman@xxxxxxxxxx> Acked-by: Neil Horman <nhorman@xxxxxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/sctp/sm_sideeffect.c | 1 - 1 file changed, 1 deletion(-) --- a/net/sctp/sm_sideeffect.c +++ b/net/sctp/sm_sideeffect.c @@ -866,7 +866,6 @@ static void sctp_cmd_delete_tcb(sctp_cmd (!asoc->temp) && (sk->sk_shutdown != SHUTDOWN_MASK)) return; - BUG_ON(asoc->peer.primary_path == NULL); sctp_unhash_established(asoc); sctp_association_free(asoc); } Patches currently in stable-queue which might be from dborkman@xxxxxxxxxx are queue-3.11/net-sctp-do-not-trigger-bug_on-in-sctp_cmd_delete_tcb.patch queue-3.11/net-flow_dissector-fail-on-evil-iph-ihl.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html