From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sheng Lan, Qin Ji, Eric Dumazet, Eric Dumazet, "David S. Miller"
Subject: [PATCH 4.14 019/135] net: netem: fix skb length BUG_ON in __skb_to_sgvec
Date: Tue, 12 Mar 2019 10:07:46 -0700
Message-Id: <20190312170342.874789902@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190312170341.127810985@linuxfoundation.org>
References: <20190312170341.127810985@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Sheng Lan

[ Upstream commit 5845f706388a4cde0f6b80f9e5d33527e942b7d9 ]

It can be reproduced by the following steps:
1. virtio_net NIC is configured with gso/tso on
2. configure nginx as http server with an index file bigger than 1M bytes
3. use tc netem to produce duplicate packets and delay:
   tc qdisc add dev eth0 root netem delay 100ms 10ms 30% duplicate 90%
4. continually curl the nginx http server to get the index file on the client
5. BUG_ON is seen quickly

[10258690.371129] kernel BUG at net/core/skbuff.c:4028!
[10258690.371748] invalid opcode: 0000 [#1] SMP PTI
[10258690.372094] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.0.0-rc6 #2
[10258690.372094] RSP: 0018:ffffa05797b43da0 EFLAGS: 00010202
[10258690.372094] RBP: 00000000000005ea R08: 0000000000000000 R09: 00000000000005ea
[10258690.372094] R10: ffffa0579334d800 R11: 00000000000002c0 R12: 0000000000000002
[10258690.372094] R13: 0000000000000000 R14: ffffa05793122900 R15: ffffa0578f7cb028
[10258690.372094] FS: 0000000000000000(0000) GS:ffffa05797b40000(0000) knlGS:0000000000000000
[10258690.372094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[10258690.372094] CR2: 00007f1a6dc00868 CR3: 000000001000e000 CR4: 00000000000006e0
[10258690.372094] Call Trace:
[10258690.372094]
[10258690.372094]  skb_to_sgvec+0x11/0x40
[10258690.372094]  start_xmit+0x38c/0x520 [virtio_net]
[10258690.372094]  dev_hard_start_xmit+0x9b/0x200
[10258690.372094]  sch_direct_xmit+0xff/0x260
[10258690.372094]  __qdisc_run+0x15e/0x4e0
[10258690.372094]  net_tx_action+0x137/0x210
[10258690.372094]  __do_softirq+0xd6/0x2a9
[10258690.372094]  irq_exit+0xde/0xf0
[10258690.372094]  smp_apic_timer_interrupt+0x74/0x140
[10258690.372094]  apic_timer_interrupt+0xf/0x20
[10258690.372094]

In __skb_to_sgvec(), the skb->len is not equal to the sum of the skb's linear data size and nonlinear data size, thus the BUG_ON is triggered. This is because the skb is cloned and a part of the nonlinear data is split off.
The duplicate packet is cloned in netem_enqueue() and may be delayed for some time in the qdisc. When the qdisc len reaches the limit and returns NET_XMIT_DROP, the skb will be retransmitted later from the write queue. The skb will be fragmented by tso_fragment(); the limit size, which depends on cwnd and mss, decreases, and the skb's nonlinear data will be split off. The length of the skb cloned by netem will not be updated. When we use a virtio_net NIC and invoke skb_to_sgvec(), the BUG_ON triggers.

To fix it, netem returns NET_XMIT_SUCCESS to the upper stack when it clones a duplicate packet.

Fixes: 35d889d1 ("sch_netem: fix skb leak in netem_enqueue()")
Signed-off-by: Sheng Lan
Reported-by: Qin Ji
Suggested-by: Eric Dumazet
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/sched/sch_netem.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/net/sched/sch_netem.c +++ b/net/sched/sch_netem.c @@ -435,6 +435,7 @@ static int netem_enqueue(struct sk_buff int nb = 0; int count = 1; int rc = NET_XMIT_SUCCESS; + int rc_drop = NET_XMIT_DROP; /* Do not fool qdisc_drop_all() */ skb->prev = NULL; @@ -474,6 +475,7 @@ static int netem_enqueue(struct sk_buff q->duplicate = 0; rootq->enqueue(skb2, rootq, to_free); q->duplicate = dupsave; + rc_drop = NET_XMIT_SUCCESS; } /* @@ -486,7 +488,7 @@ static int netem_enqueue(struct sk_buff if (skb_is_gso(skb)) { segs = netem_segment(skb, sch, to_free); if (!segs) - return NET_XMIT_DROP; + return rc_drop; } else { segs = skb; } @@ -509,8 +511,10 @@ static int netem_enqueue(struct sk_buff 1<<(prandom_u32() % 8); } - if (unlikely(sch->q.qlen >= sch->limit)) - return qdisc_drop_all(skb, sch, to_free); + if (unlikely(sch->q.qlen >= sch->limit)) { + qdisc_drop_all(skb, sch, to_free); + return rc_drop; + } qdisc_qstats_backlog_inc(sch, skb);
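Review bot: in the first hunk (@@ -435), the new `int rc_drop = NET_XMIT_DROP;` carries non-obvious semantics (the value every drop path returns, downgraded to NET_XMIT_SUCCESS once a duplicate has been queued) but gets no comment, while the unrelated `skb->prev = NULL;` directly below it keeps its `/* Do not fool qdisc_drop_all() */` explanation, so a reader is likely to attach that comment to the new variable. Suggest a one-liner above the declaration, e.g. `/* Returned on drop paths; SUCCESS once skb2 carries the data */`, and placing it next to `rc` so the two return-code variables are read together.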
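Review bot: in the second hunk (@@ -474), `rc_drop = NET_XMIT_SUCCESS;` is set unconditionally after `rootq->enqueue(skb2, rootq, to_free);`, whose return value is discarded, so if the root qdisc itself drops skb2 the caller is still told the packet was accepted although neither skb nor skb2 is queued. That may be acceptable for a netem duplicate, but the reasoning for lying to the upper layer (a NET_XMIT_DROP would make TCP retransmit and resplit an skb whose frag array the queued skb2 still shares) lives only in the changelog; a comment at this line would keep the next person from "correcting" it, and checking the enqueue result before downgrading rc_drop would close the root-qdisc-drop case.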
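Review bot: in the last hunk (@@ -509), `qdisc_drop_all(skb, sch, to_free);` is kept but its return value is now discarded in favour of `return rc_drop;`, so whatever bookkeeping that helper performs still happens while the reported result may be NET_XMIT_SUCCESS; anyone correlating netem drop statistics with sender-side behaviour will see drops counted that the caller never heard about, which deserves a comment at the call site. Behaviour is unchanged when no duplicate was queued, since rc_drop keeps its NET_XMIT_DROP initialiser from the first hunk, and the same `return rc_drop;` replaces NET_XMIT_DROP at the `if (!segs)` path in the third hunk, so the two drop sites agree. The switch from a single-statement `if` to a braced two-statement block is correct per coding style.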
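Added example, not part of the patch or of the kernel source: a userspace C model of the invariant __skb_to_sgvec() enforces, built to show the mechanism the changelog describes. A netem duplicate is a clone that shares the original's frag array; when tso_fragment() later splits the original at a smaller limit, the shared array shrinks but the clone's len is never updated, so the clone fails the len check. Everything prefixed toy_, run_split_scenario, the 32-slot pool and the 66/1448-byte sizes are constructed for this model. toy_skb_unclone() is an skb_unclone()-style contrast included to show why sharing is the problem; it is not what the patch does (the patch avoids the resplit by reporting NET_XMIT_SUCCESS).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Toy model of the sk_buff pieces behind the BUG_ON (constructed for this
 * example, not the kernel's struct sk_buff): a frag array shared by clones. */
#define TOY_MAX_FRAGS 4
struct toy_shinfo { int users, nr_frags; size_t frag_size[TOY_MAX_FRAGS]; };
struct toy_skb { size_t len, headlen; struct toy_shinfo *shinfo; };
static struct toy_shinfo toy_pool[32]; static int toy_pool_used; /* fake slab */

static struct toy_shinfo *toy_shinfo_alloc(void)
{
	struct toy_shinfo *si = memset(&toy_pool[toy_pool_used++ % 32], 0, sizeof(*si));
	si->users = 1;                  /* one head references this array */
	return si;
}

static struct toy_skb toy_skb_build(size_t headlen, const size_t *frags, int nr)
{
	struct toy_skb skb = { headlen, headlen, toy_shinfo_alloc() };
	for (int i = 0; i < nr && i < TOY_MAX_FRAGS; i++, skb.shinfo->nr_frags++) {
		skb.shinfo->frag_size[i] = frags[i];
		skb.len += frags[i];
	}
	return skb;
}

/* skb_clone(): a second head sharing the frag array, like netem's skb2. */
static struct toy_skb toy_skb_clone(const struct toy_skb *skb)
{ skb->shinfo->users++; return *skb; }

/* What __skb_to_sgvec() walks: linear data plus every frag. */
static size_t toy_skb_walked_len(const struct toy_skb *skb)
{
	size_t total = skb->headlen;
	for (int i = 0; i < skb->shinfo->nr_frags; i++)
		total += skb->shinfo->frag_size[i];
	return total;
}

/* The invariant the BUG_ON in the oops enforces. */
static bool toy_skb_len_consistent(const struct toy_skb *skb)
{ return skb->len == toy_skb_walked_len(skb); }

/* skb_split() as tso_fragment() uses it: frags fitting in the first `keep`
 * bytes stay, the rest move to skb1 (whole frags only). The shared array is
 * edited in place, so a clone sees fewer frags but keeps its old len. */
static void toy_skb_split(struct toy_skb *skb, struct toy_skb *skb1, size_t keep)
{
	struct toy_shinfo *si = skb->shinfo;
	size_t pos = skb->headlen;
	int remaining = 0, k = 0;
	*skb1 = toy_skb_build(0, NULL, 0);
	for (int i = 0; i < si->nr_frags; i++) {
		size_t sz = si->frag_size[i];
		if (pos + sz <= keep) {
			remaining = i + 1;                      /* frag stays */
		} else {
			skb1->shinfo->frag_size[k++] = sz;      /* frag moves */
			skb1->len += sz;
		}
		pos += sz;
	}
	si->nr_frags = remaining;
	skb1->shinfo->nr_frags = k;
	skb->len = toy_skb_walked_len(skb);     /* only this head is fixed up */
}

/* skb_unclone()-style contrast, not what the patch does (it reports
 * NET_XMIT_SUCCESS so TCP never resplits): private array before editing. */
static void toy_skb_unclone(struct toy_skb *skb)
{
	if (skb->shinfo->users > 1) {
		struct toy_shinfo *priv = toy_shinfo_alloc();
		*priv = *skb->shinfo;
		priv->users = 1;
		skb->shinfo->users--;
		skb->shinfo = priv;
	}
}

struct split_result { bool orig_ok, tail_ok, clone_ok; size_t clone_len, clone_walked; };
/* netem clones the skb (duplicate), TCP later requeues it and tso_fragment()
 * splits the original at the smaller limit `keep`. Constructed sizes: 66 header
 * bytes plus three 1448-byte payload frags, 4410 bytes in total. */
static struct split_result run_split_scenario(bool unclone_first, size_t keep)
{
	const size_t frags[] = { 1448, 1448, 1448 };
	struct toy_skb orig = toy_skb_build(66, frags, 3), tail;
	struct toy_skb dup = toy_skb_clone(&orig);
	if (unclone_first)
		toy_skb_unclone(&orig);
	toy_skb_split(&orig, &tail, keep);
	return (struct split_result){
		toy_skb_len_consistent(&orig), toy_skb_len_consistent(&tail),
		toy_skb_len_consistent(&dup), dup.len, toy_skb_walked_len(&dup) };
}
```

Calling run_split_scenario(false, 66 + 1448) reproduces the failure mode: the original and the split-off tail are both self-consistent (1514 and 2896 bytes), but the clone still records len 4410 while walking its now-shared, shortened frag array yields 1514, which is exactly the mismatch the BUG_ON catches. With unclone_first set to true the original gets a private frag array before the split and the clone stays consistent, which is why the changelog points at the shared skb rather than at skb_to_sgvec() or the virtio_net driver.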