Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1428944AbdDYJ4s (ORCPT ); Tue, 25 Apr 2017 05:56:48 -0400 Received: from mx1.redhat.com ([209.132.183.28]:54404 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758286AbdDYJ4h (ORCPT ); Tue, 25 Apr 2017 05:56:37 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 892D33D943 Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=honli@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 892D33D943 From: Honggang LI To: dledford@redhat.com, sean.hefty@intel.com, hal.rosenstock@gmail.com, pabeni@redhat.com, linux-rdma@vger.kernel.org Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Honggang Li Subject: [PATCH] IB/IPoIB: Check the headroom size Date: Tue, 25 Apr 2017 17:55:55 +0800 Message-Id: <1493114155-12101-1-git-send-email-honli@redhat.com> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Tue, 25 Apr 2017 09:56:36 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 9225 Lines: 132 From: Honggang Li Minimal hard_header_len set by bond_compute_features is ETH_HLEN, which is smaller than IPOIB_HARD_LEN. ipoib_hard_header should check the size of headroom to avoid skb_under_panic. [ 122.871493] ipoib_hard_header: skb->head= ffff8808179d9400, skb->data= ffff8808179d9420, skb_headroom= 0x20 [ 123.055400] bond0: Releasing backup interface mthca_ib1 [ 123.560529] bond_compute_features:1112 bond0 bond_dev->hard_header_len = 14 [ 123.568822] CPU: 0 PID: 12336 Comm: ifdown-ib Not tainted 4.9.0-debug #1 [ 123.576668] Hardware name: Dell Inc. PowerEdge R415/0GXH08, BIOS 2.0.2 10/22/2012 [ 123.585284] ffffc90009027be8 ffffffff81362d6c ffff8808198b7000 0000000000010000 [ 123.593845] ffffc90009027c50 ffffffffa06cf833 ffff8808198b7000 ffff8808198b78c0 [ 123.602392] ffffc90009027c30 ffffffff815ed725 ffff8808158a9c00 00000000a67486bf [ 123.610926] Call Trace: [ 123.614454] [] dump_stack+0x63/0x87 [ 123.620661] [] bond_compute_features.isra.42+0x243/0x260 [bonding] [ 123.629546] [] ? call_netdevice_notifiers_info+0x35/0x60 [ 123.637557] [] __bond_release_one+0x2db/0x530 [bonding] [ 123.645483] [] bond_release+0x10/0x20 [bonding] [ 123.652711] [] bond_option_slaves_set+0xe8/0x130 [bonding] [ 123.660874] [] __bond_opt_set+0xd6/0x320 [bonding] [ 123.668357] [] bond_opt_tryset_rtnl+0x56/0xa0 [bonding] [ 123.676284] [] bonding_sysfs_store_option+0x35/0x60 [bonding] [ 123.684748] [] dev_attr_store+0x18/0x30 [ 123.691311] [] sysfs_kf_write+0x3a/0x50 [ 123.697879] [] kernfs_fop_write+0x10b/0x190 [ 123.704801] [] __vfs_write+0x37/0x160 [ 123.711213] [] ? selinux_file_permission+0xe5/0x120 [ 123.718856] [] ? security_file_permission+0x3b/0xc0 [ 123.726506] [] vfs_write+0xb2/0x1b0 [ 123.732776] [] ? syscall_trace_enter+0x1d0/0x2b0 [ 123.740148] [] SyS_write+0x55/0xc0 [ 123.746288] [] do_syscall_64+0x67/0x180 [ 123.752846] [] entry_SYSCALL64_slow_path+0x25/0x25 [ 123.760421] bond0: last VLAN challenged slave mthca_ib1 left bond bond0 - VLAN blocking is removed [ 124.023489] dump_LL_RESERVED_SPACE, bond0, dev->hard_header_len = 0xe, dev->needed_headroom= 0x0, HH_DATA_MOD= 0x10 [ 124.023490] dump_LL_RESERVED_SPACE, bond0, LL_RESERVED_SPACE(dev) = 0x10 [ 124.023491] dump_LL_RESERVED_SPACE, bond0, dev->hard_header_len = 0xe, dev->needed_headroom= 0x0, HH_DATA_MOD= 0x10 [ 124.023492] dump_LL_RESERVED_SPACE, bond0, LL_RESERVED_SPACE(dev) = 0x10 [ 124.023494] arp_create:547 skb->head= ffff8808179dac00, skb->data= ffff8808179dac00, skb_headroom= 0x0, [ 124.023495] arp_create:549 skb->head= ffff8808179dac00, skb->data= ffff8808179dac10, skb_headroom= 0x10, [ 124.023496] arp_create:551 skb->head= ffff8808179dac00, skb->data= ffff8808179dac10, skb_headroom= 0x10, [ 124.023497] arp_create:553 skb->head= ffff8808179dac00, skb->data= ffff8808179dac10, skb_headroom= 0x10, [ 124.023498] arp_create:564 skb->head= ffff8808179dac00, skb->data= ffff8808179dac10, skb_headroom= 0x10, bond0 [ 124.023500] ipoib_hard_header: skb->head= ffff8808179dac00, skb->data= ffff8808179dac10, skb_headroom= 0x10 [ 124.023502] skbuff: skb_under_panic: text:ffffffffa040f6a9 len:80 put:20 head:ffff8808179dac00 data:ffff8808179dabf8 tail:0x48 end:0xc0 dev:bond0 [ 124.023536] ------------[ cut here ]------------ [ 124.023537] kernel BUG at net/core/skbuff.c:105! [ 124.023539] invalid opcode: 0000 [#1] SMP [ 124.023563] Modules linked in: bonding amd64_edac_mod edac_mce_amd edac_core kvm_amd kvm ib_mthca ipmi_ssif ipmi_devintf irqbypass ipmi_si dcdbas acpi_power_meter sp5100_tco ipmi_msghandler sg pcspkr i2c_piix4 k10temp shpchp acpi_cpufreq rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib nfsd rdma_ucm auth_rpcgss ib_ucm nfs_acl ib_uverbs lockd grace ib_umad rdma_cm sunrpc ib_cm iw_cm ib_core ip_tables xfs libcrc32c sd_mod ata_generic pata_acpi mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ahci drm libahci pata_atiixp serio_raw libata i2c_core bnx2 fjes dm_mirror dm_region_hash dm_log dm_mod [ 124.023567] CPU: 2 PID: 12265 Comm: ping Not tainted 4.9.0-debug #1 [ 124.023567] Hardware name: Dell Inc. PowerEdge R415/0GXH08, BIOS 2.0.2 10/22/2012 [ 124.023569] task: ffff880818214080 task.stack: ffffc900085e0000 [ 124.023577] RIP: 0010:[] [] skb_panic+0x66/0x68 [ 124.023578] RSP: 0018:ffffc900085e38e0 EFLAGS: 00010246 [ 124.023578] RAX: 0000000000000085 RBX: ffff880816a72500 RCX: 0000000000000000 [ 124.023579] RDX: 0000000000000000 RSI: 0000000000000296 RDI: 0000000000000296 [ 124.023580] RBP: ffffc900085e3900 R08: 0000000000000085 R09: ffffffff82012ce5 [ 124.023581] R10: 00000000000003ed R11: 0000000000000000 R12: ffff8808198b7368 [ 124.023581] R13: 0000000000000608 R14: 000000000701de0a R15: ffff8808198b7000 [ 124.023583] FS: 00002b3922409b00(0000) GS:ffff88083fc80000(0000) knlGS:0000000000000000 [ 124.023584] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 124.023584] CR2: 00002ac965af0072 CR3: 0000000814472000 CR4: 00000000000006e0 [ 124.023585] Stack: [ 124.023588] ffff8808179dabf8 0000000000000048 00000000000000c0 ffff8808198b7000 [ 124.023590] ffffc900085e3910 ffffffff815dcb5d ffffc900085e3938 ffffffffa040f6a9 [ 124.023592] ffff8808179dac10 ffff8808198b7368 000000000601de0a ffffc900085e3990 [ 124.023592] Call Trace: [ 124.023598] [] skb_push+0x3d/0x40 [ 124.023607] [] ipoib_hard_header+0x69/0x90 [ib_ipoib] [ 124.023611] [] arp_create+0x2ae/0x3e0 [ 124.023613] [] arp_send_dst.part.19+0x28/0x50 [ 124.023615] [] arp_solicit+0x115/0x290 [ 124.023618] [] ? skb_clone+0x4c/0xa0 [ 124.023619] [] ? __skb_clone+0x2e/0x140 [ 124.023622] [] neigh_probe+0x45/0x60 [ 124.023624] [] __neigh_event_send+0xa7/0x230 [ 124.023625] [] neigh_resolve_output+0x12e/0x1c0 [ 124.023628] [] ip_finish_output2+0x14b/0x370 [ 124.023630] [] ip_finish_output+0x136/0x1e0 [ 124.023632] [] ip_output+0x6e/0xf0 [ 124.023633] [] ? __ip_local_out+0x72/0x120 [ 124.023635] [] ? ip_fragment.constprop.49+0x80/0x80 [ 124.023636] [] ip_local_out+0x35/0x40 [ 124.023638] [] ip_send_skb+0x19/0x40 [ 124.023640] [] ip_push_pending_frames+0x33/0x40 [ 124.023641] [] raw_sendmsg+0x77a/0xb00 [ 124.023644] [] ? skb_recv_datagram+0x41/0x60 [ 124.023645] [] ? raw_recvmsg+0x94/0x1d0 [ 124.023650] [] ? sock_has_perm+0x70/0x90 [ 124.023653] [] ? ___sys_recvmsg+0xf2/0x1f0 [ 124.023655] [] inet_sendmsg+0x67/0xa0 [ 124.023657] [] sock_sendmsg+0x38/0x50 [ 124.023659] [] SYSC_sendto+0x102/0x190 [ 124.023662] [] ? __audit_syscall_entry+0xaf/0x100 [ 124.023665] [] ? syscall_trace_enter+0x1d0/0x2b0 [ 124.023667] [] ? __audit_syscall_exit+0x1db/0x260 [ 124.023669] [] SyS_sendto+0xe/0x10 [ 124.023670] [] do_syscall_64+0x67/0x180 [ 124.023673] [] entry_SYSCALL64_slow_path+0x25/0x25 [ 124.023688] Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00 00 00 48 c7 c7 50 83 ab 81 48 89 04 24 31 c0 e8 5f e6 a9 ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 0f 1f 44 00 00 55 48 [ 124.023690] RIP [] skb_panic+0x66/0x68 [ 124.023691] RSP [ 124.023696] ---[ end trace 95c238901cb322be ]--- [ 124.026071] Kernel panic - not syncing: Fatal exception in interrupt [ 124.026368] Kernel Offset: disabled [ 124.644414] ---[ end Kernel panic - not syncing: Fatal exception in interrupt Fixes: fc791b633515 ('IB/ipoib: move back IB LL address into the hard header') Reported-by: Norbert P Signed-off-by: Honggang Li --- drivers/infiniband/ulp/ipoib/ipoib_main.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c index d1d3fb7..3668e1e 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_main.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c @@ -1161,6 +1161,9 @@ static int ipoib_hard_header(struct sk_buff *skb, { struct ipoib_header *header; + if (unlikely(skb_headroom(skb) < IPOIB_HARD_LEN)) + return -EINVAL; + header = (struct ipoib_header *) skb_push(skb, sizeof *header); header->proto = htons(type); -- 1.8.3.1