From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "David S. Miller", "Eric Dumazet", "Florian Westphal"
Date: Sun, 11 Nov 2018 19:49:05 +0000
Subject: [PATCH 3.16 277/366] atl1c: reserve min skb headroom

3.16.61-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal

commit 6e56830776828d8ca9897fc4429eeab47c3bb432 upstream.

Got crash report with following backtrace:
BUG: unable to handle kernel paging request at ffff8801869daffe
RIP: 0010:[] [] ip6_finish_output2+0x394/0x4c0
RSP: 0018:ffff880186c83a98 EFLAGS: 00010283
RAX: ffff8801869db00e
...
[] ip6_finish_output+0x8c/0xf0
[] ip6_output+0x57/0x100
[] ip6_forward+0x4b9/0x840
[] ip6_rcv_finish+0x66/0xc0
[] ipv6_rcv+0x319/0x530
[] netif_receive_skb+0x1c/0x70
[] atl1c_clean+0x1ec/0x310 [atl1c]
...

The bad access is in neigh_hh_output(), at skb->data - 16 (HH_DATA_MOD).
atl1c driver provided skb with no headroom, so 14 bytes (ethernet header) got pulled, but then 16 are copied.

Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb().

Compile tested only; I lack hardware.

Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring")
Signed-off-by: Florian Westphal
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
 drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c 
@@ -1674,6 +1674,7 @@ static struct sk_buff *atl1c_alloc_skb(s skb = build_skb(page_address(page) + adapter->rx_page_offset, adapter->rx_frag_size); if (likely(skb)) { + skb_reserve(skb, NET_SKB_PAD); adapter->rx_page_offset += adapter->rx_frag_size; if (adapter->rx_page_offset >= PAGE_SIZE) adapter->rx_page = NULL;
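
Review bot: The added skb_reserve(skb, NET_SKB_PAD) in atl1c_alloc_skb() takes NET_SKB_PAD bytes out of the rx_frag_size region handed to build_skb(), and nothing in this hunk shows rx_frag_size being sized to compensate. Please confirm that the place where rx_frag_size is computed already includes NET_SKB_PAD on top of the receive buffer length, and that the RX DMA address is taken from skb->data after this reserve, so a maximum-size frame still fits inside the fragment. Since the commit message says the change was compile tested only, a run on atl1c hardware with forwarded IPv6 traffic (the path in the backtrace) would be worth requesting before it goes into 3.16 stable.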