From: Stephen Hemminger <shemminger@vyatta.com>
To: "Michael S. Tsirkin" <m.s.tsirkin@gmail.com>
Cc: mst@redhat.com, Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org, Rusty Russell <rusty@rustcorp.com.au>,
Max Krasnyansky <maxk@qualcomm.com>,
"Rafael J. Wysocki" <rjw@sisk.pl>
Subject: Re: [PATCH] tun: fix BUG with large packets without TUN_VNET_HDR
Date: Thu, 16 Apr 2009 13:56:52 -0700 [thread overview]
Message-ID: <20090416135652.57afec63@nehalam> (raw)
In-Reply-To: <20090416204556.GA5846@dhcp-1-124.tlv.redhat.com>
On Thu, 16 Apr 2009 23:45:57 +0300
"Michael S. Tsirkin" <mst@redhat.com> wrote:
> On a tap device, the linear part of skb must be at least ETH_HLEN,
> otherwise eth_type_trans triggers BUG_ON in skb_pull(skb, ETH_HLEN).
> This patch makes sure the linear part is always large enough.
>
> Without the patch, tun sets the linear part size to 0 if TUN_VNET_HDR
> is not set and the packet is too large to put in a linear skb,
> which causes BUGs for me.
>
> BTW, it seems that this behaviour has been there for a long while, since at
> least v2.6.27 (commit f42157cb568c1eb02eca7df4da67553a9edae24a: tun: fallback
> if skb_alloc() fails on big packets), but started triggering for me only in
> v2.6.30-rc1, because of commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 (tun:
> Limit amount of queued packets per device), which made all large packets
> non-linear. Before that, most packets would still typically be linear until
> memory gets fragmented, which hides the issue.
>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
Why not just use pskb_may_pull?
--- a/drivers/net/tun.c 2009-04-16 13:52:00.178013518 -0700
+++ b/drivers/net/tun.c 2009-04-16 13:55:47.227752328 -0700
@@ -595,6 +595,9 @@ static __inline__ ssize_t tun_get_user(s
switch (tun->flags & TUN_TYPE_MASK) {
case TUN_TUN_DEV:
+ if (!pskb_may_pull(skb, 1))
+ goto drop;
+
if (tun->flags & TUN_NO_PI) {
switch (skb->data[0] & 0xf0) {
case 0x40:
@@ -604,6 +607,7 @@ static __inline__ ssize_t tun_get_user(s
pi.proto = htons(ETH_P_IPV6);
break;
default:
+ drop:
tun->dev->stats.rx_dropped++;
kfree_skb(skb);
return -EINVAL;
@@ -615,6 +619,9 @@ static __inline__ ssize_t tun_get_user(s
skb->dev = tun->dev;
break;
case TUN_TAP_DEV:
+ if (!pskb_may_pull(skb, ETH_HLEN))
+ goto drop;
+
skb->protocol = eth_type_trans(skb, tun->dev);
break;
};
next parent reply other threads:[~2009-04-16 20:56 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20090416204556.GA5846@dhcp-1-124.tlv.redhat.com>
2009-04-16 20:56 ` Stephen Hemminger [this message]
2009-04-16 21:05 ` [PATCH] tun: fix BUG with large packets without TUN_VNET_HDR Michael S. Tsirkin
2009-04-16 23:50 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090416135652.57afec63@nehalam \
--to=shemminger@vyatta.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=m.s.tsirkin@gmail.com \
--cc=maxk@qualcomm.com \
--cc=mst@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=rjw@sisk.pl \
--cc=rusty@rustcorp.com.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.