Subject: Re: [Xen-devel] [PATCH v2 1/1] xen-netback: process malformed sk_buff correctly to avoid BUG_ON()
To: Eric Dumazet
Cc: xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, paul.durrant@citrix.com, wei.liu2@citrix.com
From: Dongli Zhang
Date: Thu, 29 Mar 2018 12:24:51 +0800

Hi Eric,

On 03/29/2018 12:03 PM, Eric Dumazet wrote:
>
>
> On 03/28/2018 08:51 PM, Dongli Zhang wrote:
>> The "BUG_ON(!frag_iter)" in function xenvif_rx_next_chunk() is triggered if
>> the received sk_buff is malformed, that is, when the sk_buff has pattern
>> (skb->data_len && !skb_shinfo(skb)->nr_frags). Below is a sample call
>> stack:
>>
>> ...
>
>
>>
>> The issue is hit by xen-netback when there is bug with other networking
>> interface (e.g., dom0 physical NIC), who has generated and forwarded
>> malformed sk_buff to dom0 vifX.Y. It is possible to reproduce the issue on
>> purpose with below sample code in a kernel module:
>>
>>     skb->dev = dev; // dev of vifX.Y
>>     skb->len = 386;
>>     skb->data_len = 352;
>>     skb->tail = 98;
>>     skb->end = 384;
>>     skb_shinfo(skb)->nr_frags = 0;
>>     dev->netdev_ops->ndo_start_xmit(skb, dev);
>>
>
> This would be a serious bug in the provider of such skb.

/nods

>
> Are you sure you do not have instead an skb with a chain of skbs ?
>
> (skb_shinfo(skb)->frag_list would be not NULL)

I am sure the skb_shinfo(skb)->frag_list is NULL.

>
> Maybe your driver is wrongly advertising NETIF_F_FRAGLIST
>
> commit 2167ca029c244901831 would be the bug origin then...

Unlike the new linux version (whose BUG_ON() does not panic the server), the
BUG_ON() in prior old kernel version would panic xen dom0 server and then people
would always blame xen paravirtual driver. Indeed, xen-netback did not process
the malformed sk_buff appropriately on rx path.

The issue is not hit with old dom0 kernel, when I am running the debug module
(as shown in below link) to generate a malformed sk_buff on purpose.

https://lists.xenproject.org/archives/html/xen-devel/2018-03/msg03176.html

Dongli Zhang
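
The invariant this thread turns on is that every byte counted in `skb->data_len` must be backed by page frags or by a `frag_list` chain. As an added example (not from the original mail, the kernel, or the xen-netback patch), this user-space C model checks that invariant up front so a consumer can drop the packet instead of asserting; `struct skb_model`, `skb_model_check` and `MODEL_MAX_FRAGS` are hypothetical names used only for illustration.

```c
/* User-space model of the sk_buff length invariant (added example;
 * not kernel or xen-netback code). Only the discussed fields are modelled. */
#include <stddef.h>

#define MODEL_MAX_FRAGS 17 /* arbitrary cap chosen for this model */

struct skb_model {
    unsigned int len;       /* total bytes: linear area + paged data */
    unsigned int data_len;  /* bytes that must live in frags/frag_list */
    unsigned int nr_frags;  /* entries used in frag_size[] */
    unsigned int frag_size[MODEL_MAX_FRAGS];
    const struct skb_model *frag_list; /* chained skbs, NULL if none */
    const struct skb_model *next;      /* next skb within a chain */
};

enum skb_check { SKB_OK = 0, SKB_BAD_LEN, SKB_BAD_NR_FRAGS, SKB_UNBACKED_DATA };

/* Verify that data_len is fully backed before any consumer starts
 * walking the paged area chunk by chunk. */
enum skb_check skb_model_check(const struct skb_model *skb)
{
    unsigned long long backed = 0;

    if (skb->data_len > skb->len)
        return SKB_BAD_LEN;
    if (skb->nr_frags > MODEL_MAX_FRAGS)
        return SKB_BAD_NR_FRAGS;
    for (unsigned int i = 0; i < skb->nr_frags; i++)
        backed += skb->frag_size[i];
    for (const struct skb_model *it = skb->frag_list; it; it = it->next)
        backed += it->len;
    return backed == skb->data_len ? SKB_OK : SKB_UNBACKED_DATA;
}

/* Constructed sample: the lengths from the reproducer quoted above
 * (data_len set, nr_frags == 0, frag_list == NULL). */
enum skb_check check_thread_reproducer(void)
{
    struct skb_model skb = { .len = 386, .data_len = 352, .nr_frags = 0 };
    return skb_model_check(&skb);
}

/* Constructed sample: same lengths, with the 352 bytes held in two frags. */
enum skb_check check_well_formed(void)
{
    struct skb_model skb = { .len = 386, .data_len = 352, .nr_frags = 2,
                             .frag_size = { 256, 96 } };
    return skb_model_check(&skb);
}
```

A receive path that gets anything other than `SKB_OK` from such a check can count the packet as dropped and free it, which keeps a malformed buffer from another driver from reaching an assertion.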