public inbox for linux-kernel@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Gao feng <gaofeng@cn.fujitsu.com>,
	YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>,
	Hannes Frederic Sowa <hannes@stressinduktion.org>,
	"David S. Miller" <davem@davemloft.net>
Subject: [ 14/79] ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
Date: Fri, 26 Jul 2013 13:47:04 -0700
Message-ID: <20130726204723.425607856@linuxfoundation.org>
In-Reply-To: <20130726204721.849052763@linuxfoundation.org>

3.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hannes Frederic Sowa <hannes@stressinduktion.org>

[ Upstream commit 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ]

If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
of this when appending the second frame on a corked socket. This results
in the following splat:

[37598.993962] ------------[ cut here ]------------
[37598.994008] kernel BUG at net/core/skbuff.c:2064!
[37598.994008] invalid opcode: 0000 [#1] SMP
[37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
+nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
+scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
[37598.994008]  snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
+dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
[37598.994008] CPU 0
[37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
[37598.994008] RIP: 0010:[<ffffffff815443a5>]  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
[37598.994008] RSP: 0018:ffff88003670da18  EFLAGS: 00010202
[37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
[37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
[37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
[37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
[37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
[37598.994008] FS:  00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
[37598.994008] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
[37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
[37598.994008] Stack:
[37598.994008]  ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
[37598.994008]  ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
[37598.994008]  0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
[37598.994008] Call Trace:
[37598.994008]  [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
[37598.994008]  [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
[37598.994008]  [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
[37598.994008]  [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
[37598.994008]  [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
[37598.994008]  [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
[37598.994008]  [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
[37598.994008]  [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
[37598.994008]  [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
[37598.994008]  [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
[37598.994008]  [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
[37598.994008]  [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
[37598.994008]  [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
[37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
[37598.994008] RIP  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
[37598.994008]  RSP <ffff88003670da18>
[37599.007323] ---[ end trace d69f6a17f8ac8eee ]---

While there, also check if path mtu discovery is activated for this
socket. The logic was adapted from ip6_append_data when first writing
on the corked socket.

This bug was introduced with commit
0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
fragment").

v2:
a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
   feng, thanks!).
c) Change mtu to unsigned int, else we get a warning about
   non-matching types because of the min()-macro type-check.

Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_output.c |   16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1098,11 +1098,12 @@ static inline struct ipv6_rt_hdr *ip6_rt
 	return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
 }
 
-static void ip6_append_data_mtu(int *mtu,
+static void ip6_append_data_mtu(unsigned int *mtu,
 				int *maxfraglen,
 				unsigned int fragheaderlen,
 				struct sk_buff *skb,
-				struct rt6_info *rt)
+				struct rt6_info *rt,
+				bool pmtuprobe)
 {
 	if (!(rt->dst.flags & DST_XFRM_TUNNEL)) {
 		if (skb == NULL) {
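Review bot: in the new prototype only mtu becomes unsigned int *, while maxfraglen is still declared as int *maxfraglen, even though the caller in ip6_append_data declares maxfraglen as unsigned int and passes &maxfraglen. Since the commit message says the type change was made to silence a type-mismatch warning, consider making the parameter unsigned int *maxfraglen in the same patch so both pointers match the caller. The new bool pmtuprobe parameter would also benefit from a one-line comment above the function saying what it selects.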
@@ -1114,7 +1115,9 @@ static void ip6_append_data_mtu(int *mtu
 			 * this fragment is not first, the headers
 			 * space is regarded as data space.
 			 */
-			*mtu = dst_mtu(rt->dst.path);
+			*mtu = min(*mtu, pmtuprobe ?
+				   rt->dst.dev->mtu :
+				   dst_mtu(rt->dst.path));
 		}
 		*maxfraglen = ((*mtu - fragheaderlen) & ~7)
 			      + fragheaderlen - sizeof(struct frag_hdr);
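Review bot: the new assignment reads *mtu before writing it (*mtu = min(*mtu, ...)), so mtu has changed from a pure output into an in/out parameter and every caller must now pass an initialized value. The comment above the assignment still only describes header space being treated as data space; it should also say that the result is clamped to the caller's current mtu and that pmtuprobe selects rt->dst.dev->mtu instead of dst_mtu(rt->dst.path). Because min() type-checks its operands, a short note that both arms of the ternary must stay unsigned int would help the next person who touches this line.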
@@ -1131,11 +1134,10 @@ int ip6_append_data(struct sock *sk, int
 	struct ipv6_pinfo *np = inet6_sk(sk);
 	struct inet_cork *cork;
 	struct sk_buff *skb, *skb_prev = NULL;
-	unsigned int maxfraglen, fragheaderlen;
+	unsigned int maxfraglen, fragheaderlen, mtu;
 	int exthdrlen;
 	int dst_exthdrlen;
 	int hh_len;
-	int mtu;
 	int copy;
 	int err;
 	int offset = 0;
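Review bot: moving mtu from int to unsigned int in this declaration block changes the signedness of any expression in ip6_append_data that mixes mtu with the signed locals declared beside it (exthdrlen, dst_exthdrlen, hh_len, copy). Those uses are outside the lines shown in this patch, so please confirm that none of them relied on mtu being signed, for example a test for a negative difference, and mention the audit in the changelog.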
@@ -1292,7 +1294,9 @@ alloc_new_skb:
 			/* update mtu and maxfraglen if necessary */
 			if (skb == NULL || skb_prev == NULL)
 				ip6_append_data_mtu(&mtu, &maxfraglen,
-						    fragheaderlen, skb, rt);
+						    fragheaderlen, skb, rt,
+						    np->pmtudisc ==
+						    IPV6_PMTUDISC_PROBE);
 
 			skb_prev = skb;
 
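Review bot: the probe test is spelled out inline as a three-line wrapped argument (np->pmtudisc == IPV6_PMTUDISC_PROBE) at the call to ip6_append_data_mtu, which is hard to read and, per the commit message, duplicates logic already used when first writing on the corked socket. Consider computing it once into a local bool near the top of ip6_append_data, or a small helper, and passing that here so the two places cannot drift apart.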


