All of lore.kernel.org
 help / color / mirror / Atom feed
From: Guillaume Nault <g.nault@alphalink.fr>
To: Xin Long <lucien.xin@gmail.com>
Cc: syzbot
	<syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c14d@syzkaller.appspotmail.com>,
	davem <davem@davemloft.net>,
	"Eric Dumazet" <eric.dumazet@gmail.com>,
	kuznet <kuznet@ms2.inr.ac.ru>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-sctp@vger.kernel.org,
	"network dev" <netdev@vger.kernel.org>,
	"Neil Horman" <nhorman@tuxdriver.com>,
	syzkaller-bugs@googlegroups.com,
	"Vlad Yasevich" <vyasevich@gmail.com>,
	"Américo Wang" <xiyou.wangcong@gmail.com>,
	yoshfuji <yoshfuji@linux-ipv6.org>
Subject: Re: kernel BUG at net/core/skbuff.c:LINE! (2)
Date: Fri, 19 Jan 2018 17:19:00 +0000	[thread overview]
Message-ID: <20180119171900.GO1422@alphalink.fr> (raw)
In-Reply-To: <CADvbK_f8KVdqWMoFmhOxMxGD8OM5XxoCzMSiyxDv2d+F8sTa_w@mail.gmail.com>

On Tue, Jan 16, 2018 at 04:21:40PM +0800, Xin Long wrote:
> ipv4 tunnels don't  really set dev->hard_header_len properly,
> we may should fix it in pppoe by using needed_headroom,
> as what it doesn't in arp_create.
> 
I'm a bit in doubt about which device needs to be fixed. Should ip_gre
set ->hard_header_len? Or should pppoe take ->needed_headroom into
account in skb_reserve()? I'd favor the later option too, but I haven't
figured out the semantic of these fields precisely enough to justify
this choice.

> @@ -860,16 +861,16 @@ static int pppoe_sendmsg(struct socket *sock,
> struct msghdr *m,
>         if (total_len > (dev->mtu + dev->hard_header_len))
>                 goto end;
> 
> +       rlen = LL_RESERVED_SPACE(dev) + dev->needed_tailroom;
> 
> -       skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
> -                          0, GFP_KERNEL);
> +       skb = sock_wmalloc(sk, total_len + rlen + 32, 0, GFP_KERNEL);
>         if (!skb) {
>                 error = -ENOMEM;
>                 goto end;
>         }
> 
>         /* Reserve space for headers. */
> -       skb_reserve(skb, dev->hard_header_len);
> +       skb_reserve(skb, rlen);
Any reason why you include dev->needed_tailroom in skb_reserve()?
BTW, we also have to fix __pppoe_xmit.

What about this patch?


---- >8 ----
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 4e1da1645b15..42518af53332 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -842,6 +842,7 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
 	struct pppoe_hdr *ph;
 	struct net_device *dev;
 	char *start;
+	int hlen;
 
 	lock_sock(sk);
 	if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) {
@@ -860,16 +861,16 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
 	if (total_len > (dev->mtu + dev->hard_header_len))
 		goto end;
 
-
-	skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
-			   0, GFP_KERNEL);
+	hlen = LL_RESERVED_SPACE(dev);
+	skb = sock_wmalloc(sk, hlen + sizeof(struct pppoe_hdr) + total_len +
+			   dev->needed_tailroom, 0, GFP_KERNEL);
 	if (!skb) {
 		error = -ENOMEM;
 		goto end;
 	}
 
 	/* Reserve space for headers. */
-	skb_reserve(skb, dev->hard_header_len);
+	skb_reserve(skb, hlen);
 	skb_reset_network_header(skb);
 
 	skb->dev = dev;
@@ -930,7 +931,7 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
 	/* Copy the data if there is no space for the header or if it's
 	 * read-only.
 	 */
-	if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
+	if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph)))
 		goto abort;
 
 	__skb_push(skb, sizeof(*ph));

WARNING: multiple messages have this Message-ID (diff)
From: Guillaume Nault <g.nault@alphalink.fr>
To: Xin Long <lucien.xin@gmail.com>
Cc: syzbot
	<syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c14d@syzkaller.appspotmail.com>,
	davem <davem@davemloft.net>,
	"Eric Dumazet" <eric.dumazet@gmail.com>,
	kuznet <kuznet@ms2.inr.ac.ru>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-sctp@vger.kernel.org,
	"network dev" <netdev@vger.kernel.org>,
	"Neil Horman" <nhorman@tuxdriver.com>,
	syzkaller-bugs@googlegroups.com,
	"Vlad Yasevich" <vyasevich@gmail.com>,
	"Américo Wang" <xiyou.wangcong@gmail.com>,
	yoshfuji <yoshfuji@linux-ipv6.org>
Subject: Re: kernel BUG at net/core/skbuff.c:LINE! (2)
Date: Fri, 19 Jan 2018 18:19:00 +0100	[thread overview]
Message-ID: <20180119171900.GO1422@alphalink.fr> (raw)
In-Reply-To: <CADvbK_f8KVdqWMoFmhOxMxGD8OM5XxoCzMSiyxDv2d+F8sTa_w@mail.gmail.com>

On Tue, Jan 16, 2018 at 04:21:40PM +0800, Xin Long wrote:
> ipv4 tunnels don't  really set dev->hard_header_len properly,
> we may should fix it in pppoe by using needed_headroom,
> as what it doesn't in arp_create.
> 
I'm a bit in doubt about which device needs to be fixed. Should ip_gre
set ->hard_header_len? Or should pppoe take ->needed_headroom into
account in skb_reserve()? I'd favor the later option too, but I haven't
figured out the semantic of these fields precisely enough to justify
this choice.

> @@ -860,16 +861,16 @@ static int pppoe_sendmsg(struct socket *sock,
> struct msghdr *m,
>         if (total_len > (dev->mtu + dev->hard_header_len))
>                 goto end;
> 
> +       rlen = LL_RESERVED_SPACE(dev) + dev->needed_tailroom;
> 
> -       skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
> -                          0, GFP_KERNEL);
> +       skb = sock_wmalloc(sk, total_len + rlen + 32, 0, GFP_KERNEL);
>         if (!skb) {
>                 error = -ENOMEM;
>                 goto end;
>         }
> 
>         /* Reserve space for headers. */
> -       skb_reserve(skb, dev->hard_header_len);
> +       skb_reserve(skb, rlen);
Any reason why you include dev->needed_tailroom in skb_reserve()?
BTW, we also have to fix __pppoe_xmit.

What about this patch?


---- >8 ----
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 4e1da1645b15..42518af53332 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -842,6 +842,7 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
 	struct pppoe_hdr *ph;
 	struct net_device *dev;
 	char *start;
+	int hlen;
 
 	lock_sock(sk);
 	if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) {
@@ -860,16 +861,16 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
 	if (total_len > (dev->mtu + dev->hard_header_len))
 		goto end;
 
-
-	skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
-			   0, GFP_KERNEL);
+	hlen = LL_RESERVED_SPACE(dev);
+	skb = sock_wmalloc(sk, hlen + sizeof(struct pppoe_hdr) + total_len +
+			   dev->needed_tailroom, 0, GFP_KERNEL);
 	if (!skb) {
 		error = -ENOMEM;
 		goto end;
 	}
 
 	/* Reserve space for headers. */
-	skb_reserve(skb, dev->hard_header_len);
+	skb_reserve(skb, hlen);
 	skb_reset_network_header(skb);
 
 	skb->dev = dev;
@@ -930,7 +931,7 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
 	/* Copy the data if there is no space for the header or if it's
 	 * read-only.
 	 */
-	if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
+	if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph)))
 		goto abort;
 
 	__skb_push(skb, sizeof(*ph));

  reply	other threads:[~2018-01-19 17:19 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-30 14:36 kernel BUG at net/core/skbuff.c:LINE! (2) syzbot
2017-11-05 10:25 ` Xin Long
2017-11-05 10:25   ` Xin Long
2017-12-08  8:16 ` syzbot
2017-12-08  8:45   ` Xin Long
2017-12-08  8:45     ` Xin Long
2017-12-09 11:23     ` Xin Long
2017-12-09 11:23       ` Xin Long
2017-12-09 16:59       ` Eric Dumazet
2017-12-09 16:59         ` Eric Dumazet
2017-12-10  4:36         ` Xin Long
2017-12-10  4:36           ` Xin Long
2017-12-10  4:51           ` Eric Dumazet
2017-12-10  4:51             ` Eric Dumazet
2017-12-11 15:03         ` [PATCH net] ipv6: mcast: better catch silly mtu values Eric Dumazet
2017-12-12 12:55           ` Xin Long
2017-12-13 18:17           ` David Miller
2017-12-09 19:36     ` kernel BUG at net/core/skbuff.c:LINE! (2) Cong Wang
2017-12-09 19:36       ` Cong Wang
2017-12-10  4:38       ` Xin Long
2017-12-10  4:38         ` Xin Long
2017-12-10  5:12         ` Eric Dumazet
2017-12-10  5:12           ` Eric Dumazet
2018-01-15 20:22 ` syzbot
2018-01-16  8:21   ` Xin Long
2018-01-16  8:21     ` Xin Long
2018-01-19 17:19     ` Guillaume Nault [this message]
2018-01-19 17:19       ` Guillaume Nault
2018-01-19 18:02       ` Xin Long
2018-01-19 18:02         ` Xin Long

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180119171900.GO1422@alphalink.fr \
    --to=g.nault@alphalink.fr \
    --cc=davem@davemloft.net \
    --cc=eric.dumazet@gmail.com \
    --cc=kuznet@ms2.inr.ac.ru \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-sctp@vger.kernel.org \
    --cc=lucien.xin@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=nhorman@tuxdriver.com \
    --cc=syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c14d@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=vyasevich@gmail.com \
    --cc=xiyou.wangcong@gmail.com \
    --cc=yoshfuji@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.