From: Shmulik Ladkani <shmulik.ladkani@gmail.com>
To: Jiri Benc <jbenc@redhat.com>, willemb@google.com
Cc: netdev@vger.kernel.org, Eric Dumazet <eric.dumazet@gmail.com>,
Tomas Hruby <tomas@tigera.io>,
Jeremi Piotrowski <jpiotrowski@linux.microsoft.com>,
alexanderduyck@meta.com, Jakub Kicinski <kuba@kernel.org>
Subject: Re: [PATCH net] net: gso: fix panic on frag_list with mixed head alloc types
Date: Sat, 29 Oct 2022 10:41:31 +0300 [thread overview]
Message-ID: <20221029104131.07fbc6cf@blondie> (raw)
In-Reply-To: <559cea869928e169240d74c386735f3f95beca32.1666858629.git.jbenc@redhat.com>
On Thu, 27 Oct 2022 10:20:56 +0200
Jiri Benc <jbenc@redhat.com> wrote:
> It turns out this assumption does not hold. We've seen BUG_ON being hit
> in skb_segment when skbs on the frag_list had differing head_frag. That
> particular case was with vmxnet3; looking at the driver, it indeed uses
> different skb allocation strategies based on the packet size. The last
> packet in frag_list can thus be kmalloced if it is sufficiently small.
> And there's nothing preventing drivers from mixing things even more
> freely.
Hi Jiri,
One of my early attempts to fix the original BUG was to also detect:
> - some frag in the frag_list has a linear part that is NOT head_frag,
> or length not equal to the requested gso_size
See [0], see skb_is_nonlinear_equal_frags() there
(Note that your current suggestion implements the "some frag in the
frag_list has a linear part that is NOT head_frag" condition, but not
"length not equal to the requested gso_size")
As a response, Willem suggested:
> My suggestion only tested the first frag_skb length. If a list can be
> created where the first frag_skb is head_frag but a later one is not,
> it will fail short. I kind of doubt that.
See [1]
So we eventually concluded testing just
!list_skb->head_frag && skb_headlen(list_skb)
and not every frag in frag_list.
Maybe Willem can elaborate on that.
[0] https://lore.kernel.org/netdev/20190903185121.56906d31@pixies/
[1] https://lore.kernel.org/netdev/CA+FuTScE=pyopY=3f5E4JGx1zyGqT+XS+8ss13UN4if4TZ2NbA@mail.gmail.com/
next prev parent reply other threads:[~2022-10-29 7:41 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-27 8:20 [PATCH net] net: gso: fix panic on frag_list with mixed head alloc types Jiri Benc
2022-10-29 4:41 ` Jakub Kicinski
2022-10-31 15:54 ` Jiri Benc
2022-10-29 7:41 ` Shmulik Ladkani [this message]
2022-10-29 14:10 ` Willem de Bruijn
2022-10-31 16:52 ` Jiri Benc
2022-10-31 21:16 ` Willem de Bruijn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221029104131.07fbc6cf@blondie \
--to=shmulik.ladkani@gmail.com \
--cc=alexanderduyck@meta.com \
--cc=eric.dumazet@gmail.com \
--cc=jbenc@redhat.com \
--cc=jpiotrowski@linux.microsoft.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=tomas@tigera.io \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.