From: Patrick McHardy <kaber@trash.net>
To: David Miller <davem@davemloft.net>
Cc: ben@bigfootnetworks.com, netdev@vger.kernel.org
Subject: Re: Bridge + Conntrack + SKB Recycle: Fragment Reassembly Errors
Date: Sun, 22 Nov 2009 01:21:17 +0100
Message-ID: <4B0883FD.2090806@trash.net>
In-Reply-To: <20091121.110832.213888237.davem@davemloft.net>

David Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Tue, 10 Nov 2009 17:50:38 +0100
> 
>> This code in ip_fragment() looks suspicious:
>>
>> 	if (skb_has_frags(skb)) {
>> 	...
>> 		skb_walk_frags(skb, frag) {
>> 			...
>> 			if (skb->sk) {
>> 				frag->sk = skb->sk;
>> 				frag->destructor = sock_wfree;
>> 				truesizes += frag->truesize;
>> 			}
>>
>> truesizes is later used to adjust truesize of the head skb.
>> For some reason this is only done when it originated from a
>> local socket.
> 
> Well, it shouldn't look _that_ suspicious.
> 
> What this code is doing is making sure that after we make all of these
> changes, the truesize of the SKBs referring to the socket do not
> change.
> 
> It's simply making sure that the math works out when all the
> sock_wfree() calls occur later.
> 
> If we don't have a socket involved, there is no reason to make
> these adjustments.

That seems to be the assumption. But ip_defrag() uses skb->truesize
as well to make sure the defragmentation memory limits are not exceeded.
In this case what seems to be happening is:

- gianfar with skb recycling enabled receives a number of fragments
  on a bridge (~64000b total)

- conntrack defragments the packet using ip_defrag(), which causes
  skb->truesize of the head fragment to account for all the fragments

- the packet is refragmented in the bridging code using ip_fragment().
  This doesn't re-adjust skb->truesize of the head fragment when the
  packet is not associated with a socket

- the head is recycled in gianfar

- another fragment is received and reuses the recycled skb with a
  huge truesize

- the defragmentation limits are exceeded due to the huge truesize

So it seems we need to adjust skb->truesize in ip_fragment() since
skb_recycle_check() assumes the skb is linear (and therefore
skb->truesize reflects the linear size). Ben's suggestion of adding
an upper limit based on the requested size to skb_recycle_check()
makes sense to me as well to avoid this problem when recycling large
linear skbs.
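The accounting chain in the bullet list above (ip_defrag() charges every fragment's truesize to the reassembly queue and folds it into the head, ip_fragment() only gives that back when a socket owns the skb, and the recycled head is then reused with whatever truesize it still carries) can be replayed in a small userspace model. The following is an added example, not code from this thread or from the kernel: struct and function names are simplified stand-ins for sk_buff, ip_defrag(), ip_fragment() and skb_recycle_check(), and the fragment count, per-skb truesize, requested buffer size and the 2x recycle bound are constructed. It runs the receive, defrag, refragment, recycle loop for the unfixed case, for the case where ip_fragment() adjusts truesize for unowned skbs, and for Ben's suggested upper limit in the recycle check, and reports in which cycle the fragment memory limit is first exceeded.

```c
/* Userspace model of the skb->truesize accounting chain discussed in this
 * thread. Added example, not kernel code: the struct, the function names
 * and all sizes below are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_FRAGS        44      /* constructed: ~64000 bytes at ~1480 bytes per fragment */
#define RX_TRUESIZE      2304    /* constructed: truesize of one fresh linear rx skb */
#define RX_REQUEST       2048    /* constructed: buffer size the driver asks recycle_check for */
#define FRAG_HIGH_THRESH 262144  /* ipfrag_high_thresh default of 256 KiB */

struct skb {
    size_t truesize;   /* memory charged for this buffer */
    bool   has_frags;  /* reassembled packet: data lives in a frag list */
    bool   has_sock;   /* owned by a local socket (skb->sk set) */
};

/* Model of ip_defrag(): the limit is checked before each fragment is
 * queued and the fragment's truesize is charged to the queue; on reassembly
 * the queued truesize is folded into the head. Returns false when the
 * limit is hit, which is where ip_evictor() would start dropping queues. */
static bool defrag(struct skb *head, size_t *frag_mem)
{
    /* the head arrives first; it may be a recycled skb with inflated truesize */
    if (*frag_mem > FRAG_HIGH_THRESH)
        return false;
    *frag_mem += head->truesize;
    for (int i = 1; i < NUM_FRAGS; i++) {
        if (*frag_mem > FRAG_HIGH_THRESH)
            return false;
        *frag_mem += RX_TRUESIZE;
        head->truesize += RX_TRUESIZE;  /* reassembly folds each fragment into the head */
    }
    *frag_mem = 0;                      /* reassembled: the queue charge is released */
    head->has_frags = true;
    return true;
}

/* Model of the ip_fragment() fast path: the frag-list skbs are sent out
 * separately, but the head's truesize is only reduced by what they carry
 * away when skb->sk is set (the code quoted above). fix_unowned models
 * doing the adjustment unconditionally. */
static void refragment(struct skb *head, bool fix_unowned)
{
    size_t truesizes = (NUM_FRAGS - 1) * RX_TRUESIZE;  /* sum of frag->truesize */
    head->has_frags = false;
    if (head->has_sock || fix_unowned)
        head->truesize -= truesizes;
}

/* Model of skb_recycle_check(): the real check requires a linear skb with a
 * large enough buffer and does not look at truesize. cap_truesize models
 * Ben's suggestion of an upper limit derived from the requested size
 * (the factor of 2 is a constructed choice). */
static bool recycle_check(const struct skb *skb, size_t request, bool cap_truesize)
{
    if (skb->has_frags)
        return false;
    if (cap_truesize && skb->truesize > 2 * request)
        return false;
    return true;
}

/* Run the receive -> defrag -> refragment -> recycle loop. Returns the
 * 1-based cycle in which the fragment memory limit is hit, or 0 if it is
 * never hit within max_cycles. */
static int cycles_until_limit(bool fix_unowned, bool cap_truesize, int max_cycles)
{
    size_t recycled_truesize = RX_TRUESIZE;   /* the first packet uses fresh skbs */
    size_t frag_mem = 0;

    for (int cycle = 1; cycle <= max_cycles; cycle++) {
        struct skb head = { .truesize = recycled_truesize,
                            .has_frags = false, .has_sock = false };
        if (!defrag(&head, &frag_mem))
            return cycle;
        refragment(&head, fix_unowned);
        /* the driver recycles the head on tx completion if the check passes;
         * otherwise the next fragment lands in a freshly allocated skb */
        recycled_truesize = recycle_check(&head, RX_REQUEST, cap_truesize)
                            ? head.truesize : RX_TRUESIZE;
    }
    return 0;
}

int main(void)
{
    printf("unfixed:                   limit hit in cycle %d\n",
           cycles_until_limit(false, false, 10));
    printf("ip_fragment adjusts:       limit hit in cycle %d\n",
           cycles_until_limit(true, false, 10));
    printf("recycle_check upper bound: limit hit in cycle %d\n",
           cycles_until_limit(false, true, 10));
    return 0;
}
```

With these constructed sizes the unfixed loop compounds the head's truesize by one packet's worth per cycle (101376, then 200448 bytes) and trips the 256 KiB limit on the third reassembly, while either fix keeps the recycled skb at its linear truesize indefinitely.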


Thread overview: 8+ messages
2009-11-10 16:09 Bridge + Conntrack + SKB Recycle: Fragment Reassembly Errors ben
2009-11-10 16:50 ` Patrick McHardy
2009-11-21 19:08   ` David Miller
2009-11-22  0:21     ` Patrick McHardy [this message]
2009-11-22  0:29       ` Patrick McHardy
2009-12-01 16:00         ` ben
2009-12-01 16:24           ` Patrick McHardy
2009-12-01 23:54             ` David Miller
