Re: Deadlock with icmpv6fuzz
From: Roland Dreier <hidden>
Date: 2009-02-05 22:24:05
> [ 2880.044328] icmpv6fuzz: page allocation failure. order:9, mode:0x40d0
> [ 2880.044495] Pid: 10968, comm: icmpv6fuzz Not tainted 2.6.29-rc3-00580-ga2fe994-dirty #239
> [ 2880.044694] Call Trace:
> [ 2880.044802] [<c016886a>] __alloc_pages_internal+0x38e/0x3aa
> [ 2880.044954] [<c016889a>] __get_free_pages+0x14/0x24
> [ 2880.071336] [<c018412c>] __kmalloc+0x2e/0x122
> [ 2880.071589] [<c06fa227>] ipv6_flowlabel_opt+0x1e0/0x7b1
> [ 2880.092922] [<c06e8c9e>] ipv6_setsockopt+0xa0f/0xb89
From a quick scan of the code, it looks as if optlen is never sanity checked in the case of setsockopt(IPV6_FLOWLABEL_MGR), and ipv6_flowlabel_opt() calls into fl_create() with whatever value userspace passes in, which then pretty much does kmalloc(optlen). So if icmpv6fuzz passes some big random value, it can cause this failure.

I don't know what the appropriate limit should be, so no patch, sorry.

 - R.
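Added example, not code from this mail or from the kernel source: a user-space C model of the optlen sanity check the reply describes as missing before fl_create() sizes its allocation. The request struct is a constructed stand-in for struct in6_flowlabel_req, and the upper bound is a placeholder assumption, since the mail leaves the real limit open.

```c
/* Model of length validation for an IPV6_FLOWLABEL_MGR setsockopt request.
 * Constructed for illustration; layout and limit are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's struct in6_flowlabel_req header. */
struct flowlabel_req_model {
    uint8_t  dst[16];
    uint32_t label;
    uint8_t  action, share;
    uint16_t flags;
    uint16_t expires, linger;
    uint32_t pad;
};

/* Placeholder cap on the option bytes that trail the header (assumption). */
#define FLOWLABEL_OPT_MAX_BYTES (64 * 1024)

/* Return the number of trailing option bytes, or a negative errno when
 * optlen cannot be trusted: too short for the header, or too large to
 * hand to an allocator. The check runs before any allocation is sized. */
long flowlabel_option_bytes(size_t optlen)
{
    const size_t hdr = sizeof(struct flowlabel_req_model);

    if (optlen < hdr)
        return -EINVAL;   /* header itself is incomplete */
    if (optlen - hdr > FLOWLABEL_OPT_MAX_BYTES)
        return -ENOBUFS;  /* refuse before the allocator ever sees it */
    return (long)(optlen - hdr);
}

/* Compute the kmalloc-style size only after validation. Returns 0 on
 * success with *alloc_len set, or a negative errno leaving it untouched. */
int flowlabel_alloc_size(size_t optlen, size_t *alloc_len)
{
    long extra = flowlabel_option_bytes(optlen);
    if (extra < 0)
        return (int)extra;
    *alloc_len = sizeof(struct flowlabel_req_model) + (size_t)extra;
    return 0;
}

int main(void)
{
    size_t n = 0;
    /* An oversized optlen is rejected instead of reaching the allocator. */
    printf("huge optlen -> %d\n", flowlabel_alloc_size((size_t)1 << 30, &n));
    printf("sane optlen -> %d, alloc %zu\n",
           flowlabel_alloc_size(sizeof(struct flowlabel_req_model) + 8, &n), n);
    return 0;
}
```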