From mboxrd@z Thu Jan 1 00:00:00 1970 From: yumkam@gmail.com (Yuriy M. Kaminskiy) Subject: Re: skb_under_panic in ip_tunnel_xmit Date: Sun, 06 Mar 2016 02:37:55 +0300 Message-ID: References: <20160302171159.8A27C384B80@fruggeri-Arora18.sjc.aristanetworks.com> <1456942489.648.113.camel@edumazet-ThinkPad-T530> Mime-Version: 1.0 Content-Type: text/plain To: netdev@vger.kernel.org Return-path: Received: from plane.gmane.org ([80.91.229.3]:35680 "EHLO plane.gmane.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751035AbcCEXiI (ORCPT ); Sat, 5 Mar 2016 18:38:08 -0500 Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1acLlt-0001D6-3m for netdev@vger.kernel.org; Sun, 06 Mar 2016 00:38:05 +0100 Received: from ppp37-190-56-95.pppoe.spdop.ru ([37.190.56.95]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sun, 06 Mar 2016 00:38:05 +0100 Received: from yumkam by ppp37-190-56-95.pppoe.spdop.ru with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sun, 06 Mar 2016 00:38:05 +0100 Sender: netdev-owner@vger.kernel.org List-ID: Eric Dumazet writes: > On mer., 2016-03-02 at 09:11 -0800, Francesco Ruggeri wrote: >> I can consistently get this panic on 4.4.1 as well as 3.18. >> >> [ 2076.264975] gre: GRE over IPv4 demultiplexor driver >> [ 2076.269326] ip_gre: GRE over IPv4 tunneling driver >> [ 2076.274464] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module. >> [ 2088.868553] skbuff: skb_under_panic: text:ffffffff814c03f2 >> len:108 put:20 head:ffff8800a5f6c400 data:ffff8800a5f6c3f8 tail:0x64 >> end:0xc0 dev:t3 >> [ 2088.869755] ------------[ cut here ]------------ >> [ 2088.870179] kernel BUG at net/core/skbuff.c:102! >> [ 2088.870599] invalid opcode: 0000 [#1] SMP >> [ 2088.871024] Modules linked in: ip_gre ip_tunnel gre dummy >> iptable_filter rfcomm bnep macvlan snd_seq_midi snd_seq_midi_event >> btusb btrtl btbcm btintel sg bluetooth joydev snd_ens1371 >> snd_ac97_codec ac97_bus coretemp hwmon snd_seq snd_pcm snd_timer >> snd_rawmidi snd_seq_device snd ppdev soundcore ip6table_filter >> ip6_tables bonding gameport serio_raw pcspkr battery kvm parport_pc >> nfsd auth_rpcgss oid_registry parport irqbypass ac irda crc_ccitt >> fuse nfs_acl lockd xt_multiport acpi_cpufreq tpm_tis tpm iptable_nat >> shpchp grace nf_conntrack_ipv4 nf_defrag_ipv4 i2c_piix4 nf_nat_ipv4 >> ip_tables nf_nat nf_conntrack x_tables tun 8021q uinput vmwgfx >> crc32c_intel drm_kms_helper syscopyarea sysfillrect sysimgblt >> fb_sys_fops ttm ehci_pci drm aesni_intel aes_x86_64 glue_helper lrw >> gf128mul ablk_helper > cryptd i2c_core >> [ 2088.875474] sr_mod mptspi mptscsih ehci_hcd mptbase >> scsi_transport_spi e1000 uhci_hcd cdrom sunrpc dm_mirror >> dm_region_hash dm_log dm_mod autofs4 >> [ 2088.876737] CPU: 1 PID: 6420 Comm: ping Not tainted 4.4.1-2980094.AroraKernelnextfruggeri.2.fc18.x86_64 #1 >> [ 2088.878039] Hardware name: VMware, Inc. VMware Virtual >> Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2012 >> [ 2088.879521] task: ffff880035ea0000 ti: ffff8800b0ff8000 task.ti: ffff8800b0ff8000 >> [ 2088.880285] RIP: 0010:[] [] skb_panic+0x66/0x68 >> [ 2088.881214] RSP: 0018:ffff8800b0ffb728 EFLAGS: 00010292 >> [ 2088.881945] RAX: 0000000000000083 RBX: ffff8800b51b6c00 RCX: 0000000000000000 >> [ 2088.882692] RDX: ffff88013ae2f101 RSI: ffff88013ae2cae8 RDI: ffff88013ae2cae8 >> [ 2088.883424] RBP: ffff8800b0ffb748 R08: 0000000000000000 R09: 00000000ffffffff >> [ 2088.884110] R10: 00000000ffffffff R11: ffff88013621f3e0 R12: 0000000000000054 >> [ 2088.884846] R13: ffffffff81a9fe40 R14: 0000000000000000 R15: 0000000003030303 >> [ 2088.885535] FS: 00007f24b4a24740(0000) GS:ffff88013ae20000(0000) knlGS:0000000000000000 >> [ 2088.886270] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >> [ 2088.887014] CR2: 00007f9d6fb26000 CR3: 00000000aae66000 CR4: 00000000001406e0 >> [ 2088.887817] Stack: >> [ 2088.888582] ffff8800a5f6c3f8 0000000000000064 00000000000000c0 ffff880138fac000 >> [ 2088.889378] ffff8800b0ffb758 ffffffff8143b640 ffff8800b0ffb7c8 ffffffff814c03f2 >> [ 2088.890188] ffff880000000040 ffffffff00000040 ffff880000000000 000000000000002f >> [ 2088.891011] Call Trace: >> [ 2088.892073] [] skb_push+0x3b/0x3c >> [ 2088.893156] [] iptunnel_xmit+0xad/0x145 >> [ 2088.894033] [] ip_tunnel_xmit+0x673/0x790 [ip_tunnel] >> [ 2088.894884] [] __gre_xmit+0x76/0x7f [ip_gre] >> [ 2088.895700] [] ipgre_xmit+0xd3/0xef [ip_gre] >> [ 2088.896573] [] dev_hard_start_xmit+0x226/0x2fc >> [ 2088.897387] [] __dev_queue_xmit+0x333/0x425 >> [ 2088.898183] [] dev_queue_xmit+0x10/0x12 >> [ 2088.898996] [] neigh_direct_output+0x11/0x13 >> [ 2088.899793] [] ip_finish_output2+0x233/0x293 >> [ 2088.900582] [] ? dst_mtu+0xb/0xd >> [ 2088.901283] [] ip_finish_output+0x146/0x159 >> [ 2088.901990] [] ? ip_generic_getfrag+0x5c/0x98 >> [ 2088.902658] [] ip_output+0x5f/0x91 >> [ 2088.903306] [] ? ip_finish_output2+0x293/0x293 >> [ 2088.903964] [] ? __ip_local_out+0x73/0x7c >> [ 2088.904625] [] ? dst_mtu+0xd/0xd >> [ 2088.905222] [] dst_output+0xf/0x11 >> [ 2088.905820] [] ip_local_out+0x31/0x3a >> [ 2088.906378] [] ip_send_skb+0x1a/0x3f >> [ 2088.906938] [] ip_push_pending_frames+0x33/0x3b >> [ 2088.907465] [] raw_sendmsg+0x794/0x8ea >> [ 2088.907981] [] ? __skb_recv_datagram+0x201/0x487 >> [ 2088.908548] [] ? skb_recv_datagram+0x32/0x34 >> [ 2088.909050] [] ? raw_recvmsg+0x68/0x159 >> [ 2088.909705] [] ? rw_copy_check_uvector+0x6e/0x109 >> [ 2088.910247] [] inet_sendmsg+0x3c/0x65 >> [ 2088.910775] [] sock_sendmsg_nosec+0x12/0x1d >> [ 2088.911279] [] sock_sendmsg+0x29/0x2e >> [ 2088.911764] [] ___sys_sendmsg+0x1a6/0x23f >> [ 2088.912349] [] ? ldsem_up_read+0x1b/0x30 >> [ 2088.912820] [] ? tty_ldisc_deref+0x16/0x18 >> [ 2088.913299] [] ? tty_write+0x207/0x222 >> [ 2088.913743] [] ? n_tty_receive_buf+0x13/0x13 >> [ 2088.914244] [] ? __fget_light+0x2c/0x4d >> [ 2088.914671] [] __sys_sendmsg+0x42/0x60 >> [ 2088.915126] [] SyS_sendmsg+0x12/0x1e >> [ 2088.915534] [] entry_SYSCALL_64_fastpath+0x12/0x71 >> [ 2088.915947] Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 >> 24 08 48 8b 87 d8 00 00 00 48 c7 c7 29 ba 85 81 48 89 04 24 31 c0 e8 >> d4 4e bd ff <0f> 0b 0f 1f 44 00 00 55 48 89 e5 41 54 4c 8d a7 a8 01 >> 00 00 53 >> [ 2088.917397] RIP [] skb_panic+0x66/0x68 >> [ 2088.917914] RSP >> >> I use this script, which creates gre tunnels t1 and t3, creates a tx >> loop between them, then sends a packet through t3 and t1 before >> dropping it with an iptables rule. >> >> ip link add dummy1 type dummy >> ip addr add 1.1.1.1/32 dev dummy1 >> ip link set dummy1 up >> >> ip link add dummy3 type dummy >> ip addr add 3.3.3.3/32 dev dummy3 >> ip link set dummy3 up >> >> ip tunnel add t1 mode gre local 1.1.1.1 remote 2.2.2.2 >> ip link set t1 up >> >> ip tunnel add t3 mode gre local 3.3.3.3 remote 4.4.4.4 >> ip link set t3 up >> >> ip route add 2.2.2.2 dev t3 >> ip route add 4.4.4.4 dev t1 >> >> iptables -I OUTPUT -p gre -d 2.2.2.2 -j DROP >> >> ping -f 2.2.2.2 >> >> The root cause of the crash is that with every packet >> t3->needed_headroom and t1->needed_headroom are strictly incremented >> in ip_tunnel_xmit, since each one uses the other's needed_headroom. >> >> The immediate cause of the crash is that when needed_headroom wraps >> around (in my case I get max_headroom = 65540 and t3->needed_headroom >> = 4, max_headroom is unsigned int and needed_headroom is unsigned >> short) skb_cow_head does not allocate enough headroom in the skb. >> >> I have not been able to come with a solution except not updating a >> tunnel's needed_headroom, but that would have a performance impact >> (see also http://marc.info/?l=linux-netdev&m=145594279014551&w=2). >> Any suggestions? >> >> Thanks, >> Francesco Ruggeri >> > I am not sure we want to support ~64K of headers. > > Is this something real, or just another root-exploit > linux-bug-of-the-day trick ? Unless I miss something, it looks like something that should work in `unshare -rn`. > When I want to reboot my host I usually type 'reboot', as it looks nicer > to me ;)