From: Shmulik Ladkani <shmulik@metanetworks.com>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
Eric Dumazet <eric.dumazet@gmail.com>,
eyal@metanetworks.com, netdev <netdev@vger.kernel.org>,
Shmulik Ladkani <shmulik.ladkani@gmail.com>,
Alexander Duyck <alexander.duyck@gmail.com>
Subject: Re: [PATCH net] net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list
Date: Fri, 6 Sep 2019 09:47:44 +0300 [thread overview]
Message-ID: <20190906094744.345d9442@pixies> (raw)
In-Reply-To: <CAF=yD-J9Ax9f7BsGBFAaG=QU6CPVw6sSzBkZJOHRW-m6o49oyw@mail.gmail.com>
On Thu, 5 Sep 2019 17:51:20 -0400
Willem de Bruijn <willemdebruijn.kernel@gmail.com> wrote:
> On Thu, Sep 5, 2019 at 2:36 PM Shmulik Ladkani <shmulik@metanetworks.com> wrote:
> >
> > + if (mss != GSO_BY_FRAGS &&
> > + (skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY)) {
> > + /* gso_size is untrusted.
> > + *
> > + * If head_skb has a frag_list with a linear non head_frag
> > + * item, and head_skb's headlen does not fit requested
> > + * gso_size, fall back to copying the skbs - by disabling sg.
> > + *
> > + * We assume checking the first frag suffices, i.e if either of
> > + * the frags have non head_frag data, then the first frag is
> > + * too.
> > + */
> > + if (list_skb && skb_headlen(list_skb) && !list_skb->head_frag &&
> > + (mss != skb_headlen(head_skb) - doffset)) {
>
> I thought the idea was to check skb_headlen(list_skb), as that is the
> cause of the problem. Is skb_headlen(head_skb) a good predictor of
> that? I can certainly imagine that it is, just not sure.
Yes, 'mss != skb_headlen(HEAD_SKB)' seems to be a very good predictor,
both for the test reproducer, and what's observered on a live system.
We *CANNOT* use 'mss != skb_headlen(LIST_SKB)' as the test condition.
The packet could have just a SINGLE frag_list member, and that member could
be a "small remainder" not reaching the full mss size - so we could hit
the test condition EVEN FOR NON gso_size mangled frag_list skbs -
which is not desired.
Also, is we test 'mss != skb_headlen(list_skb)' and execute 'sg=false'
ONLY IF 'list_skb' is *NOT* the last item, this is still bogus.
Imagine a gso_size mangled packet having just head_skb and a single
"small remainder" frag. This packet will hit the BUG_ON, as the
'sg=false' solution is now skipped according to the revised condition.
> Thanks for preparing the patch, and explaining the problem and
> solution clearly in the commit message. I'm pretty sure I'll have
> forgotten the finer details next time we have to look at this
> function again.
Indeed. Apparently I've been there myself few years back and forgot all
the gritty details :) see [0]
[0] https://patchwork.ozlabs.org/patch/661419/
next prev parent reply other threads:[~2019-09-06 6:47 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-05 18:36 [PATCH net] net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list Shmulik Ladkani
2019-09-05 21:49 ` Alexander Duyck
2019-09-06 6:20 ` Shmulik Ladkani
2019-09-05 21:51 ` Willem de Bruijn
2019-09-06 6:47 ` Shmulik Ladkani [this message]
2019-09-06 14:49 ` Willem de Bruijn
2019-09-06 15:37 ` Shmulik Ladkani
2019-09-06 15:42 ` Alexander Duyck
2019-09-06 16:44 ` Willem de Bruijn
2019-09-06 20:02 ` Shmulik Ladkani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190906094744.345d9442@pixies \
--to=shmulik@metanetworks.com \
--cc=alexander.duyck@gmail.com \
--cc=daniel@iogearbox.net \
--cc=eric.dumazet@gmail.com \
--cc=eyal@metanetworks.com \
--cc=netdev@vger.kernel.org \
--cc=shmulik.ladkani@gmail.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.