From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sheng Lan <lansheng@huawei.com>,
Qin Ji <jiqin.ji@huawei.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 18/96] net: netem: fix skb length BUG_ON in __skb_to_sgvec
Date: Tue, 12 Mar 2019 10:09:36 -0700 [thread overview]
Message-ID: <20190312171035.916739282@linuxfoundation.org> (raw)
In-Reply-To: <20190312171034.530434962@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sheng Lan <lansheng@huawei.com>
[ Upstream commit 5845f706388a4cde0f6b80f9e5d33527e942b7d9 ]
It can be reproduced by following steps:
1. virtio_net NIC is configured with gso/tso on
2. configure nginx as http server with an index file bigger than 1M bytes
3. use tc netem to produce duplicate packets and delay:
tc qdisc add dev eth0 root netem delay 100ms 10ms 30% duplicate 90%
4. continually curl the nginx http server to get index file on client
5. BUG_ON is seen quickly
[10258690.371129] kernel BUG at net/core/skbuff.c:4028!
[10258690.371748] invalid opcode: 0000 [#1] SMP PTI
[10258690.372094] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.0.0-rc6 #2
[10258690.372094] RSP: 0018:ffffa05797b43da0 EFLAGS: 00010202
[10258690.372094] RBP: 00000000000005ea R08: 0000000000000000 R09: 00000000000005ea
[10258690.372094] R10: ffffa0579334d800 R11: 00000000000002c0 R12: 0000000000000002
[10258690.372094] R13: 0000000000000000 R14: ffffa05793122900 R15: ffffa0578f7cb028
[10258690.372094] FS: 0000000000000000(0000) GS:ffffa05797b40000(0000) knlGS:0000000000000000
[10258690.372094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[10258690.372094] CR2: 00007f1a6dc00868 CR3: 000000001000e000 CR4: 00000000000006e0
[10258690.372094] Call Trace:
[10258690.372094] <IRQ>
[10258690.372094] skb_to_sgvec+0x11/0x40
[10258690.372094] start_xmit+0x38c/0x520 [virtio_net]
[10258690.372094] dev_hard_start_xmit+0x9b/0x200
[10258690.372094] sch_direct_xmit+0xff/0x260
[10258690.372094] __qdisc_run+0x15e/0x4e0
[10258690.372094] net_tx_action+0x137/0x210
[10258690.372094] __do_softirq+0xd6/0x2a9
[10258690.372094] irq_exit+0xde/0xf0
[10258690.372094] smp_apic_timer_interrupt+0x74/0x140
[10258690.372094] apic_timer_interrupt+0xf/0x20
[10258690.372094] </IRQ>
In __skb_to_sgvec(), the skb->len is not equal to the sum of the skb's
linear data size and nonlinear data size, thus BUG_ON triggered.
Because the skb is cloned and a part of nonlinear data is split off.
Duplicate packet is cloned in netem_enqueue() and may be delayed
some time in qdisc. When qdisc len reached the limit and returns
NET_XMIT_DROP, the skb will be retransmit later in write queue.
the skb will be fragmented by tso_fragment(), the limit size
that depends on cwnd and mss decrease, the skb's nonlinear
data will be split off. The length of the skb cloned by netem
will not be updated. When we use virtio_net NIC and invoke skb_to_sgvec(),
the BUG_ON trigger.
To fix it, netem returns NET_XMIT_SUCCESS to upper stack
when it clones a duplicate packet.
Fixes: 35d889d1 ("sch_netem: fix skb leak in netem_enqueue()")
Signed-off-by: Sheng Lan <lansheng@huawei.com>
Reported-by: Qin Ji <jiqin.ji@huawei.com>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_netem.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -441,6 +441,7 @@ static int netem_enqueue(struct sk_buff
int nb = 0;
int count = 1;
int rc = NET_XMIT_SUCCESS;
+ int rc_drop = NET_XMIT_DROP;
/* Do not fool qdisc_drop_all() */
skb->prev = NULL;
@@ -480,6 +481,7 @@ static int netem_enqueue(struct sk_buff
q->duplicate = 0;
rootq->enqueue(skb2, rootq, to_free);
q->duplicate = dupsave;
+ rc_drop = NET_XMIT_SUCCESS;
}
/*
@@ -492,7 +494,7 @@ static int netem_enqueue(struct sk_buff
if (skb_is_gso(skb)) {
segs = netem_segment(skb, sch, to_free);
if (!segs)
- return NET_XMIT_DROP;
+ return rc_drop;
} else {
segs = skb;
}
@@ -515,8 +517,10 @@ static int netem_enqueue(struct sk_buff
1<<(prandom_u32() % 8);
}
- if (unlikely(sch->q.qlen >= sch->limit))
- return qdisc_drop_all(skb, sch, to_free);
+ if (unlikely(sch->q.qlen >= sch->limit)) {
+ qdisc_drop_all(skb, sch, to_free);
+ return rc_drop;
+ }
qdisc_qstats_backlog_inc(sch, skb);
next prev parent reply other threads:[~2019-03-12 17:18 UTC|newest]
Thread overview: 108+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-12 17:09 [PATCH 4.9 00/96] 4.9.163-stable review Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 01/96] USB: serial: option: add Telit ME910 ECM composition Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 02/96] USB: serial: cp210x: add ID for Ingenico 3070 Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 03/96] USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 04/96] cpufreq: Use struct kobj_attribute instead of struct global_attr Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 05/96] ncpfs: fix build warning of strncpy Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 06/96] isdn: isdn_tty: " Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 07/96] staging: comedi: ni_660x: fix missing break in switch statement Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 08/96] staging: wilc1000: fix to set correct value for vif_num Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 09/96] staging: android: ion: fix sys heap pools gfp_flags Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 10/96] ip6mr: Do not call __IP6_INC_STATS() from preemptible context Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 11/96] net-sysfs: Fix mem leak in netdev_register_kobject Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 12/96] sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 13/96] team: Free BPF filter when unregistering netdev Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 14/96] bnxt_en: Drop oversize TX packets to prevent errors Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 15/96] hv_netvsc: Fix IP header checksum for coalesced packets Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 16/96] net: dsa: mv88e6xxx: Fix u64 statistics Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 17/96] netlabel: fix out-of-bounds memory accesses Greg Kroah-Hartman
2019-03-12 17:09 ` Greg Kroah-Hartman [this message]
2019-03-12 17:09 ` [PATCH 4.9 19/96] net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 20/96] net: sit: fix memory leak in sit_init_net() Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 21/96] xen-netback: dont populate the hash cache on XenBus disconnect Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 22/96] xen-netback: fix occasional leak of grant ref mappings under memory pressure Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 23/96] net: Add __icmp_send helper Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 24/96] net: avoid use IPCB in cipso_v4_error Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 25/96] tun: fix blocking read Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 26/96] tun: remove unnecessary memory barrier Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 27/96] net: phy: Micrel KSZ8061: link failure after cable connect Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 28/96] x86/CPU/AMD: Set the CPB bit unconditionally on F17h Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 29/96] applicom: Fix potential Spectre v1 vulnerabilities Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 30/96] MIPS: irq: Allocate accurate order pages for irq stack Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 31/96] hugetlbfs: fix races and page leaks during migration Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 32/96] exec: Fix mem leak in kernel_read_file Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 33/96] media: uvcvideo: Fix type check leading to overflow Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 34/96] vti4: Fix a ipip packet processing bug in IPCOMP virtual tunnel Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 35/96] perf core: Fix perf_proc_update_handler() bug Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 36/96] perf tools: Handle TOPOLOGY headers with no CPU Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 37/96] IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 38/96] iommu/amd: Call free_iova_fast with pfn in map_sg Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 39/96] iommu/amd: Unmap all mapped pages in error path of map_sg Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 40/96] ipvs: Fix signed integer overflow when setsockopt timeout Greg Kroah-Hartman
2019-03-12 17:09 ` [PATCH 4.9 41/96] iommu/amd: Fix IOMMU page flush when detach device from a domain Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 42/96] xtensa: SMP: fix ccount_timer_shutdown Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 43/96] xtensa: SMP: fix secondary CPU initialization Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 44/96] xtensa: smp_lx200_defconfig: fix vectors clash Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 45/96] xtensa: SMP: mark each possible CPU as present Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 46/96] xtensa: SMP: limit number of possible CPUs by NR_CPUS Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 47/96] net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 48/96] net: hns: Fix for missing of_node_put() after of_parse_phandle() Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 49/96] net: hns: Fix wrong read accesses via Clause 45 MDIO protocol Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 50/96] net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 51/96] gpio: vf610: Mask all GPIO interrupts Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 52/96] nfs: Fix NULL pointer dereference of dev_name Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 53/96] qed: Fix VF probe failure while FLR Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 54/96] scsi: libfc: free skb when receiving invalid flogi resp Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 55/96] platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 56/96] cifs: fix computation for MAX_SMB2_HDR_SIZE Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 57/96] arm64: kprobe: Always blacklist the KVM world-switch code Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 58/96] x86/kexec: Dont setup EFI info if EFI runtime is not enabled Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 59/96] x86_64: increase stack size for KASAN_EXTRA Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 60/96] mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 61/96] mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 62/96] fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 63/96] autofs: drop dentry reference only when it is never used Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 64/96] autofs: fix error return in autofs_fill_super() Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 65/96] soc: fsl: qbman: avoid race in clearing QMan interrupt Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 66/96] ARM: pxa: ssp: unneeded to free devm_ allocated data Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 67/96] arm64: dts: add msm8996 compatible to gicv3 Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 68/96] usb: phy: fix link errors Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 69/96] irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 70/96] drm/sun4i: tcon: Prepare and enable TCON channel 0 clock at init Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 71/96] dmaengine: at_xdmac: Fix wrongfull report of a channel as in use Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 72/96] vsock/virtio: fix kernel panic after device hot-unplug Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 73/96] vsock/virtio: reset connected sockets on device removal Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 74/96] dmaengine: dmatest: Abort test in case of mapping error Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 75/96] selftests: netfilter: fix config fragment CONFIG_NF_TABLES_INET Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 76/96] selftests: netfilter: add simple masq/redirect test cases Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 77/96] netfilter: nf_nat: skip nat clash resolution for same-origin entries Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 78/96] s390/qeth: fix use-after-free in error path Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 79/96] perf symbols: Filter out hidden symbols from labels Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 80/96] perf trace: Support multiple "vfs_getname" probes Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 81/96] MIPS: Loongson: Introduce and use loongson_llsc_mb() Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 82/96] MIPS: Remove function size check in get_frame_info() Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 83/96] fs: ratelimit __find_get_block_slow() failure message Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 84/96] Input: wacom_serial4 - add support for Wacom ArtPad II tablet Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 85/96] Input: elan_i2c - add id for touchpad found in Lenovo s21e-20 Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 86/96] iscsi_ibft: Fix missing break in switch statement Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 87/96] scsi: aacraid: " Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 88/96] futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 89/96] ARM: dts: exynos: Fix pinctrl definition for eMMC RTSN line on Odroid X2/U3 Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 90/96] ARM: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 91/96] drm: disable uncached DMA optimization for ARM and arm64 Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 92/96] ARM: 8781/1: Fix Thumb-2 syscall return for binutils 2.29+ Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 93/96] ARM: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420 Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 94/96] perf/x86/intel: Make cpuc allocations consistent Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 95/96] perf/x86/intel: Generalize dynamic constraint creation Greg Kroah-Hartman
2019-03-12 17:10 ` [PATCH 4.9 96/96] x86: Add TSX Force Abort CPUID/MSR Greg Kroah-Hartman
2019-03-12 23:02 ` [PATCH 4.9 00/96] 4.9.163-stable review kernelci.org bot
2019-03-13 3:32 ` Naresh Kamboju
2019-03-13 14:44 ` Guenter Roeck
2019-03-13 15:14 ` Greg Kroah-Hartman
2019-03-13 16:32 ` Guenter Roeck
2019-03-13 17:58 ` Greg Kroah-Hartman
2019-03-13 18:23 ` Daniel Díaz
2019-03-13 17:35 ` Jon Hunter
2019-03-13 20:34 ` Guenter Roeck
2019-03-13 20:49 ` Greg Kroah-Hartman
2019-03-13 22:06 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190312171035.916739282@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=jiqin.ji@huawei.com \
--cc=lansheng@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox