NetBSD Problem Report #44742
From jailbird@fdf.net Sat Mar 19 04:23:17 2011
Return-Path: <jailbird@fdf.net>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 9E1EF63B100
for <gnats-bugs@gnats.NetBSD.org>; Sat, 19 Mar 2011 04:23:17 +0000 (UTC)
Message-Id: <20110319042315.65E2B15C8024@bobdole.fdf.net>
Date: Sat, 19 Mar 2011 04:23:15 +0000 (UTC)
From: jailbird@fdf.net
Reply-To: jailbird@fdf.net
To: gnats-bugs@gnats.NetBSD.org
Subject: Remotely triggerable ECN panic in tcp_output() on current
X-Send-Pr-Version: 3.95
>Number: 44742
>Category: kern
>Synopsis: When ECN is enabled, panics can be remotely triggered
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Mar 19 04:25:00 +0000 2011
>Closed-Date: Sat May 14 18:48:50 +0000 2011
>Last-Modified: Sat May 14 18:48:50 +0000 2011
>Originator: Dustin Marquess
>Release: NetBSD 5.99.48 (also affects at least 5.99.47)
>Organization:
>Environment:
System: NetBSD bobdole.fdf.net 5.99.48 NetBSD 5.99.48 (BOBDOLE) #0: Sat Mar 19 03:18:47 UTC 2011 root@bobdole.fdf.net:/usr/src/sys/arch/amd64/compile/BOBDOLE amd64
Architecture: x86_64
Machine: amd64
>Description:
login: uvm_fault(0xffff80004d5b1018, 0x0, 2) -> e
fatal page fault in supervisor mode
trap type 6 code 2 rip ffffffff80358f4c cs 8 rflags 10246 cr2 91 cpl 4 rsp fff0
kernel: page fault trap, code=0
Stopped in pid 71.1 (ftpd) at netbsd:tcp_output+0x1aef: orb $0x2,0x91(%rax)
db{1}> trace
tcp_output() at netbsd:tcp_output+0x1aef
tcp_usrreq() at netbsd:tcp_usrreq+0x179
tcp_usrreq_wrapper() at netbsd:tcp_usrreq_wrapper+-0x351b
sosend() at netbsd:sosend+0x497
soo_write() at netbsd:soo_write+0x2d
dofilewrite() at netbsd:dofilewrite+0x76
sys_write() at netbsd:sys_write+0x6e
syscall() at netbsd:syscall+0xaa
(gdb) info line *(tcp_output+0x1aef)
Line 1350 of "../../../../netinet/tcp_output.c"
starts at address 0xffffffff80358f45 <tcp_output+6888>
and ends at 0xffffffff80358f58 <tcp_output+6907>.
tcp_output.c:1350 is:
tp->t_inpcb->inp_ip.ip_tos |= IPTOS_ECN_ECT0;
>How-To-Repeat:
Connect from an ECN capable host (in this case, Windows 7 x86 using
FlashFXP).
>Fix:
Disabling ECN stops the panic:
sysctl -w net.inet.tcp.ecn.enable=0
sysctl -w net.inet6.tcp6.ecn.enable=0
>Release-Note:
>Audit-Trail:
From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@NetBSD.org, jailbird@fdf.net
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: re: kern/44742: Remotely triggerable ECN panic in tcp_output() on current
Date: Tue, 22 Mar 2011 06:48:56 +1100
please try this patch. i noticed all other uses of
tp->t_inpcb assume it may be NULL.
Index: tcp_output.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/tcp_output.c,v
retrieving revision 1.169
diff -p -r1.169 tcp_output.c
*** tcp_output.c 26 Jan 2010 18:09:08 -0000 1.169
--- tcp_output.c 21 Mar 2011 19:47:02 -0000
*************** send:
*** 1347,1358 ****
switch (af) {
#ifdef INET
case AF_INET:
! tp->t_inpcb->inp_ip.ip_tos |= IPTOS_ECN_ECT0;
break;
#endif
#ifdef INET6
case AF_INET6:
! ip6->ip6_flow |= htonl(IPTOS_ECN_ECT0 << 20);
break;
#endif
}
--- 1347,1362 ----
switch (af) {
#ifdef INET
case AF_INET:
! if (tp->t_inpcb)
! tp->t_inpcb->inp_ip.ip_tos |=
! IPTOS_ECN_ECT0;
break;
#endif
#ifdef INET6
case AF_INET6:
! if (ip6)
! ip6->ip6_flow |=
! htonl(IPTOS_ECN_ECT0 << 20);
break;
#endif
}
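Review bot: the new `if (tp->t_inpcb)` guard in the AF_INET case removes the dereference that faulted, but it makes the ECT(0) marking silently disappear for whatever connection reached this code with a NULL t_inpcb, and nothing in the hunk records that the connection negotiated ECN yet its segments will go out without the codepoint. The reporter's ddb output (`orb $0x2,0x91(%rax)` with cr2 91) shows this is exactly the AF_INET path with a NULL PCB pointer, so the question of how an AF_INET send arrives here without an inpcb is left unanswered by the check alone. A short comment stating when t_inpcb is legitimately NULL at this point, or clearing the connection's ECN state when marking is skipped, would keep the fix from masking a mismatch between `af` and the PCB actually attached to `tp`. The matching `if (ip6)` guard in the AF_INET6 case is consistent with that, and the same comment should cover it.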
From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/44742: Remotely triggerable ECN panic in tcp_output() on current
Date: Mon, 21 Mar 2011 16:18:50 -0400
On Mon, 21 Mar 2011 19:50:08 +0000 (UTC)
matthew green <mrg@eterna.com.au> wrote:
> please try this patch. i noticed all other uses of
> tp->t_inpcb assume it may be NULL.
I just wanted to note that I checked and netbsd-5 appears to use the
same code.
Thanks,
--
Matt
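The NULL-check pattern the patch above applies, and the way the faulting instruction in the report points at it, as an added example (this is not code from the PR or from NetBSD's tcp_output.c; the `_model` structs, their layouts, the `ecn_mark` enum and the scenario helpers are constructed for illustration, and only `IPTOS_ECN_ECT0` and the `af` switch mirror the real code):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>         /* AF_INET, AF_INET6 */
#include <arpa/inet.h>          /* htonl, ntohl */

/* ECT(0) codepoint in the two ECN bits of the IPv4 TOS byte, the value
 * <netinet/ip.h> defines; restated so the file builds stand-alone. */
#define IPTOS_ECN_ECT0  0x02

/* Toy models of the structures the patch touches, constructed for this
 * example and not the real NetBSD layouts. The padding in inpcb_model is
 * sized so ip_tos lands at offset 0x91: the displacement in the faulting
 * "orb $0x2,0x91(%rax)" and the cr2 value from the reporter's ddb session. */
struct ip_model    { uint8_t ip_vhl, ip_tos; uint16_t ip_len; };
struct inpcb_model { uint8_t pad[0x90]; struct ip_model inp_ip; };
struct ip6_model   { uint32_t ip6_flow; };  /* ver:4|tclass:8|label:20, network order */
struct tcpcb_model { struct inpcb_model *t_inpcb; };  /* NULL: no IPv4 PCB attached */

enum ecn_mark { ECN_MARKED, ECN_SKIPPED_NULL, ECN_SKIPPED_UNKNOWN_AF };

/* Offset a NULL t_inpcb dereference of ip_tos faults at. Comparing it with a
 * panic's cr2 value confirms the base pointer was NULL: the faulting address
 * is nothing but the field offset. */
size_t ip_tos_fault_offset(void)
{
    return offsetof(struct inpcb_model, inp_ip) + offsetof(struct ip_model, ip_tos);
}

/* Pre-fix shape: tp->t_inpcb is dereferenced unconditionally, so a NULL
 * t_inpcb faults at ip_tos_fault_offset(). Kept for comparison only. */
enum ecn_mark mark_ect0_unchecked(struct tcpcb_model *tp, struct ip6_model *ip6, int af)
{
    switch (af) {
    case AF_INET:
        tp->t_inpcb->inp_ip.ip_tos |= IPTOS_ECN_ECT0;
        return ECN_MARKED;
    case AF_INET6:
        ip6->ip6_flow |= htonl(IPTOS_ECN_ECT0 << 20);
        return ECN_MARKED;
    default:
        return ECN_SKIPPED_UNKNOWN_AF;
    }
}

/* Post-fix shape: each per-family pointer is tested before use, and the
 * caller learns that marking was skipped instead of the kernel panicking. */
enum ecn_mark mark_ect0_checked(struct tcpcb_model *tp, struct ip6_model *ip6, int af)
{
    switch (af) {
    case AF_INET:
        if (tp == NULL || tp->t_inpcb == NULL)
            return ECN_SKIPPED_NULL;
        tp->t_inpcb->inp_ip.ip_tos |= IPTOS_ECN_ECT0;
        return ECN_MARKED;
    case AF_INET6:
        if (ip6 == NULL)
            return ECN_SKIPPED_NULL;
        /* Traffic class occupies bits 20..27 of the flow word, so the
         * codepoint is shifted by 20 before being stored in network order. */
        ip6->ip6_flow |= htonl(IPTOS_ECN_ECT0 << 20);
        return ECN_MARKED;
    default:
        return ECN_SKIPPED_UNKNOWN_AF;
    }
}

/* Scenario helpers running the hardened path on freshly constructed state. */
int ipv4_tos_after_mark(uint8_t tos_before)
{
    struct inpcb_model inp = { {0}, { 0x45, tos_before, 0 } };
    struct tcpcb_model tp = { &inp };
    return mark_ect0_checked(&tp, NULL, AF_INET) == ECN_MARKED ? inp.inp_ip.ip_tos : -1;
}

enum ecn_mark ipv4_mark_with_null_pcb(void)
{
    struct tcpcb_model tp = { NULL };       /* mark_ect0_unchecked would fault here */
    return mark_ect0_checked(&tp, NULL, AF_INET);
}

uint32_t ipv6_flow_after_mark(uint32_t host_flow_before)
{
    struct ip6_model ip6 = { htonl(host_flow_before) };
    mark_ect0_checked(NULL, &ip6, AF_INET6);
    return ntohl(ip6.ip6_flow);
}

int main(void)
{
    printf("ip_tos offset 0x%zx, tos 0x10 -> 0x%02x, NULL pcb -> %d, "
           "flow 0x60000000 -> 0x%08x\n",
           ip_tos_fault_offset(), ipv4_tos_after_mark(0x10),
           (int)ipv4_mark_with_null_pcb(), ipv6_flow_after_mark(0x60000000u));
    return 0;
}
```

Two things the block shows that the patch alone does not: the fault address in the report (cr2 91, `orb $0x2,0x91(%rax)`) is exactly what a NULL base pointer plus the field offset produces, which is how to tell a NULL `t_inpcb` apart from a corrupted one when reading a ddb trace; and the hardened path returns a status instead of silently skipping, so a caller can at least account for connections whose segments will not carry ECT(0).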
From: "Matt Thomas" <matt@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44742 CVS commit: src/sys/netinet
Date: Mon, 21 Mar 2011 20:39:32 +0000
Module Name: src
Committed By: matt
Date: Mon Mar 21 20:39:32 UTC 2011
Modified Files:
src/sys/netinet: tcp_output.c
Log Message:
Clean up setting ECN bit in TOS. Fixes PR 44742
To generate a diff of this commit:
cvs rdiff -u -r1.169 -r1.170 src/sys/netinet/tcp_output.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Dustin Marquess <dustin@fdf.net>
To: matthew green <mrg@eterna.com.au>
Cc: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: kern/44742: Remotely triggerable ECN panic in tcp_output() on current
Date: Wed, 23 Mar 2011 20:40:04 -0700
Updating to the latest HEAD, which seems to have a modified version of
this patch, does indeed fix the problem!  No more crash, and the
connection works.

Thanks!
-Dustin

On Mon, Mar 21, 2011 at 12:48 PM, matthew green <mrg@eterna.com.au> wrote:
>
> please try this patch.  i noticed all other uses of
> tp->t_inpcb assume it may be NULL.
>
>
> Index: tcp_output.c
> ===================================================================
> RCS file: /cvsroot/src/sys/netinet/tcp_output.c,v
> retrieving revision 1.169
> diff -p -r1.169 tcp_output.c
> *** tcp_output.c        26 Jan 2010 18:09:08 -0000      1.169
> --- tcp_output.c        21 Mar 2011 19:47:02 -0000
> *************** send:
> *** 1347,1358 ****
>                 switch (af) {
>  #ifdef INET
>                 case AF_INET:
> !                       tp->t_inpcb->inp_ip.ip_tos |= IPTOS_ECN_ECT0;
>                         break;
>  #endif
>  #ifdef INET6
>                 case AF_INET6:
> !                       ip6->ip6_flow |= htonl(IPTOS_ECN_ECT0 << 20);
>                         break;
>  #endif
>                 }
> --- 1347,1362 ----
>                 switch (af) {
>  #ifdef INET
>                 case AF_INET:
> !                       if (tp->t_inpcb)
> !                               tp->t_inpcb->inp_ip.ip_tos |=
> !                                   IPTOS_ECN_ECT0;
>                         break;
>  #endif
>  #ifdef INET6
>                 case AF_INET6:
> !                       if (ip6)
> !                               ip6->ip6_flow |=
> !                                   htonl(IPTOS_ECN_ECT0 << 20);
>                         break;
>  #endif
>                 }
>
From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44742 CVS commit: [netbsd-5] src/sys/netinet
Date: Tue, 29 Mar 2011 20:12:14 +0000
Module Name: src
Committed By: riz
Date: Tue Mar 29 20:12:14 UTC 2011
Modified Files:
src/sys/netinet [netbsd-5]: tcp_output.c
Log Message:
Pull up following revision(s) (requested by spz in ticket #1586):
sys/netinet/tcp_output.c: revision 1.170
Clean up setting ECN bit in TOS. Fixes PR 44742
To generate a diff of this commit:
cvs rdiff -u -r1.167 -r1.167.10.1 src/sys/netinet/tcp_output.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44742 CVS commit: [netbsd-5-1] src/sys/netinet
Date: Tue, 29 Mar 2011 20:13:04 +0000
Module Name: src
Committed By: riz
Date: Tue Mar 29 20:13:03 UTC 2011
Modified Files:
src/sys/netinet [netbsd-5-1]: tcp_output.c
Log Message:
Pull up following revision(s) (requested by spz in ticket #1586):
sys/netinet/tcp_output.c: revision 1.170
Clean up setting ECN bit in TOS. Fixes PR 44742
To generate a diff of this commit:
cvs rdiff -u -r1.167 -r1.167.20.1 src/sys/netinet/tcp_output.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44742 CVS commit: [netbsd-5-0] src/sys/netinet
Date: Tue, 29 Mar 2011 20:13:34 +0000
Module Name: src
Committed By: riz
Date: Tue Mar 29 20:13:34 UTC 2011
Modified Files:
src/sys/netinet [netbsd-5-0]: tcp_output.c
Log Message:
Pull up following revision(s) (requested by spz in ticket #1586):
sys/netinet/tcp_output.c: revision 1.170
Clean up setting ECN bit in TOS. Fixes PR 44742
To generate a diff of this commit:
cvs rdiff -u -r1.167 -r1.167.16.1 src/sys/netinet/tcp_output.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44742 CVS commit: [netbsd-4] src/sys/netinet
Date: Sun, 3 Apr 2011 15:05:14 +0000
Module Name: src
Committed By: riz
Date: Sun Apr 3 15:05:13 UTC 2011
Modified Files:
src/sys/netinet [netbsd-4]: tcp_output.c
Log Message:
Pull up following revision(s) (requested by spz in ticket #1424):
sys/netinet/tcp_output.c: revision 1.170
Clean up setting ECN bit in TOS. Fixes PR 44742
To generate a diff of this commit:
cvs rdiff -u -r1.153.2.1 -r1.153.2.2 src/sys/netinet/tcp_output.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44742 CVS commit: [netbsd-4-0] src/sys/netinet
Date: Sun, 3 Apr 2011 15:06:15 +0000
Module Name: src
Committed By: riz
Date: Sun Apr 3 15:06:14 UTC 2011
Modified Files:
src/sys/netinet [netbsd-4-0]: tcp_output.c
Log Message:
Pull up following revision(s) (requested by spz in ticket #1424):
sys/netinet/tcp_output.c: revision 1.170
Clean up setting ECN bit in TOS. Fixes PR 44742
To generate a diff of this commit:
cvs rdiff -u -r1.153.2.1 -r1.153.2.1.4.1 src/sys/netinet/tcp_output.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sat, 14 May 2011 18:48:50 +0000
State-Changed-Why:
Fixed and pulled up to all branches. Not sure if there's an advisory about
this, but those aren't tracked in gnats.
>Unformatted:
sys/netinet/tcp_output.c 1.169