linux/net
Eric Dumazet 77c1090f94 net: fix infinite loop in __skb_recv_datagram()

Tommi was fuzzing with trinity and reported the following problem:

commit 3f518bf745 (datagram: Add offset argument to __skb_recv_datagram)
missed that a raw socket receive queue can contain skbs with no payload.

We can loop in __skb_recv_datagram() with MSG_PEEK mode, because
wait_for_packet() is not prepared to skip these skbs.

[   83.541011] INFO: rcu_sched detected stalls on CPUs/tasks: {}
(detected by 0, t=26002 jiffies, g=27673, c=27672, q=75)
[   83.541011] INFO: Stall ended before state dump start
[  108.067010] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child31:2847]
...
[  108.067010] Call Trace:
[  108.067010]  [<ffffffff818cc103>] __skb_recv_datagram+0x1a3/0x3b0
[  108.067010]  [<ffffffff818cc33d>] skb_recv_datagram+0x2d/0x30
[  108.067010]  [<ffffffff819ed43d>] rawv6_recvmsg+0xad/0x240
[  108.067010]  [<ffffffff818c4b04>] sock_common_recvmsg+0x34/0x50
[  108.067010]  [<ffffffff818bc8ec>] sock_recvmsg+0xbc/0xf0
[  108.067010]  [<ffffffff818bf31e>] sys_recvfrom+0xde/0x150
[  108.067010]  [<ffffffff81ca4329>] system_call_fastpath+0x16/0x1b

Reported-by: Tommi Rantala <tt.rantala@gmail.com>
Tested-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-12 16:07:19 -05:00
9p
802
8021q
appletalk
atm
ax25
batman-adv batman-adv: filter ARP packets with invalid MAC addresses in DAT 2013-01-27 14:02:39 +01:00
bluetooth Bluetooth: Fix hci_conn timeout routine 2013-01-31 15:38:02 -02:00
bridge bridge: set priority of STP packets 2013-02-11 14:16:52 -05:00
caif
can
ceph
core net: fix infinite loop in __skb_recv_datagram() 2013-02-12 16:07:19 -05:00
dcb
dccp
decnet
dns_resolver
dsa
ethernet
ieee802154
ipv4 arp: fix possible crash in arp_rcv() 2013-02-10 20:39:39 -05:00
ipv6 Merge branch 'master' of git://1984.lsi.us.es/nf 2013-02-10 20:44:08 -05:00
ipx
irda
iucv
key
l2tp l2tp: dont play with skb->truesize 2013-02-08 01:49:49 -05:00
lapb
llc
mac80211
mac802154
netfilter ipvs: sctp: fix checksumming on snat and dnat handlers 2013-02-06 09:56:50 +09:00
netlabel
netlink
netrom
nfc
openvswitch openvswitch: Move LRO check from transmit to receive. 2013-01-21 23:57:26 -08:00
packet packet: fix leakage of tx_ring memory 2013-02-03 16:15:23 -05:00
phonet
rds
rfkill
rose
rxrpc
sched netem: fix delay calculation in rate extension 2013-01-29 15:43:02 -05:00
sctp net: sctp: sctp_endpoint_free: zero out secret key data 2013-02-08 14:54:24 -05:00
sunrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-02-09 07:55:24 +11:00
tipc
unix
wanrouter
wimax
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-02-01 13:43:25 -05:00
x25
xfrm
compat.c
Kconfig
Makefile
nonet.c
socket.c
sysctl_net.c