* [PATCH net] net: gro: set the last skb->next to NULL when it get merged @ 2021-10-26 13:18 kerneljasonxing 2021-10-27 7:23 ` Jason Xing 2021-10-27 19:20 ` Eric Dumazet 0 siblings, 2 replies; 9+ messages in thread From: kerneljasonxing @ 2021-10-26 13:18 UTC (permalink / raw) To: davem, kuba, alobakin, jonathan.lemon, willemb, pabeni, vvs, cong.wang Cc: netdev, linux-kernel, kerneljasonxing, Jason Xing From: Jason Xing <xingwanli@kuaishou.com> Setting the @next of the last skb to NULL to prevent the panic in future when someone does something to the last of the gro list but its @next is invalid. For example, without the fix (commit: ece23711dd95), a panic could happen with the clsact loaded when skb is redirected and then validated in validate_xmit_skb_list() which could access the error addr of the @next of the last skb. Thus, "general protection fault" would appear after that. Signed-off-by: Jason Xing <xingwanli@kuaishou.com> --- net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 2170bea..7b248f1 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -4396,6 +4396,7 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) skb_shinfo(p)->frag_list = skb; else NAPI_GRO_CB(p)->last->next = skb; + skb->next = NULL; NAPI_GRO_CB(p)->last = skb; __skb_header_release(skb); lp = p; -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH net] net: gro: set the last skb->next to NULL when it get merged 2021-10-26 13:18 [PATCH net] net: gro: set the last skb->next to NULL when it get merged kerneljasonxing @ 2021-10-27 7:23 ` Jason Xing 2021-10-27 8:07 ` Jason Xing 2021-10-27 19:20 ` Eric Dumazet 1 sibling, 1 reply; 9+ messages in thread From: Jason Xing @ 2021-10-27 7:23 UTC (permalink / raw) To: David Miller, kuba, alobakin, jonathan.lemon, Willem de Bruijn, pabeni, vvs, cong.wang Cc: netdev, LKML, Jason Xing On Tue, Oct 26, 2021 at 9:19 PM <kerneljasonxing@gmail.com> wrote: > > From: Jason Xing <xingwanli@kuaishou.com> > > Setting the @next of the last skb to NULL to prevent the panic in future > when someone does something to the last of the gro list but its @next is > invalid. > > For example, without the fix (commit: ece23711dd95), a panic could happen > with the clsact loaded when skb is redirected and then validated in > validate_xmit_skb_list() which could access the error addr of the @next > of the last skb. Thus, "general protection fault" would appear after that. > > Signed-off-by: Jason Xing <xingwanli@kuaishou.com> > --- > net/core/skbuff.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > index 2170bea..7b248f1 100644 > --- a/net/core/skbuff.c > +++ b/net/core/skbuff.c > @@ -4396,6 +4396,7 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) > skb_shinfo(p)->frag_list = skb; > else > NAPI_GRO_CB(p)->last->next = skb; > + skb->next = NULL; > NAPI_GRO_CB(p)->last = skb; Besides, I'm a little bit confused that this operation inserts the newest skb into the tail of the flow, so the tail of flow is the newest, head oldest. The patch (commit: 600adc18) introduces the flush of the oldest when the flow is full to lower the latency, but actually it fetches the tail of the flow. Do I get something wrong here? I feel it is really odd. Thanks, Jason > __skb_header_release(skb); > lp = p; > -- > 1.8.3.1 > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net] net: gro: set the last skb->next to NULL when it get merged 2021-10-27 7:23 ` Jason Xing @ 2021-10-27 8:07 ` Jason Xing 2021-10-27 8:56 ` Jason Xing 2021-10-27 19:25 ` Eric Dumazet 0 siblings, 2 replies; 9+ messages in thread From: Jason Xing @ 2021-10-27 8:07 UTC (permalink / raw) To: David Miller, kuba, alobakin, jonathan.lemon, Willem de Bruijn, pabeni, vvs, cong.wang Cc: netdev, LKML, Jason Xing On Wed, Oct 27, 2021 at 3:23 PM Jason Xing <kerneljasonxing@gmail.com> wrote: > > On Tue, Oct 26, 2021 at 9:19 PM <kerneljasonxing@gmail.com> wrote: > > > > From: Jason Xing <xingwanli@kuaishou.com> > > > > Setting the @next of the last skb to NULL to prevent the panic in future > > when someone does something to the last of the gro list but its @next is > > invalid. > > > > For example, without the fix (commit: ece23711dd95), a panic could happen > > with the clsact loaded when skb is redirected and then validated in > > validate_xmit_skb_list() which could access the error addr of the @next > > of the last skb. Thus, "general protection fault" would appear after that. > > > > Signed-off-by: Jason Xing <xingwanli@kuaishou.com> > > --- > > net/core/skbuff.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > > index 2170bea..7b248f1 100644 > > --- a/net/core/skbuff.c > > +++ b/net/core/skbuff.c > > @@ -4396,6 +4396,7 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) > > skb_shinfo(p)->frag_list = skb; > > else > > NAPI_GRO_CB(p)->last->next = skb; > > + skb->next = NULL; > > NAPI_GRO_CB(p)->last = skb; > > Besides, I'm a little bit confused that this operation inserts the > newest skb into the tail of the flow, so the tail of flow is the > newest, head oldest. The patch (commit: 600adc18) introduces the flush > of the oldest when the flow is full to lower the latency, but actually > it fetches the tail of the flow. Do I get something wrong here? I feel I have to update this part. The commit 600adc18 evicts and flushes the oldest flow. But for the current kernel, when "napi->gro_hash[hash].count >= MAX_GRO_SKBS" happens, the gro_flush_oldest() flushes the oldest skb of one certain flow, actually it is the newest skb because it is at the end of the list. > it is really odd. > > Thanks, > Jason > > > __skb_header_release(skb); > > lp = p; > > -- > > 1.8.3.1 > > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net] net: gro: set the last skb->next to NULL when it get merged 2021-10-27 8:07 ` Jason Xing @ 2021-10-27 8:56 ` Jason Xing 2021-10-27 12:40 ` Yunsheng Lin 2021-10-27 19:25 ` Eric Dumazet 1 sibling, 1 reply; 9+ messages in thread From: Jason Xing @ 2021-10-27 8:56 UTC (permalink / raw) To: David Miller, kuba, alobakin, jonathan.lemon, Willem de Bruijn, pabeni, vvs, cong.wang Cc: netdev, LKML, Jason Xing On Wed, Oct 27, 2021 at 4:07 PM Jason Xing <kerneljasonxing@gmail.com> wrote: > > On Wed, Oct 27, 2021 at 3:23 PM Jason Xing <kerneljasonxing@gmail.com> wrote: > > > > On Tue, Oct 26, 2021 at 9:19 PM <kerneljasonxing@gmail.com> wrote: > > > > > > From: Jason Xing <xingwanli@kuaishou.com> > > > > > > Setting the @next of the last skb to NULL to prevent the panic in future > > > when someone does something to the last of the gro list but its @next is > > > invalid. > > > > > > For example, without the fix (commit: ece23711dd95), a panic could happen > > > with the clsact loaded when skb is redirected and then validated in > > > validate_xmit_skb_list() which could access the error addr of the @next > > > of the last skb. Thus, "general protection fault" would appear after that. > > > > > > Signed-off-by: Jason Xing <xingwanli@kuaishou.com> > > > --- > > > net/core/skbuff.c | 1 + > > > 1 file changed, 1 insertion(+) > > > > > > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > > > index 2170bea..7b248f1 100644 > > > --- a/net/core/skbuff.c > > > +++ b/net/core/skbuff.c > > > @@ -4396,6 +4396,7 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) > > > skb_shinfo(p)->frag_list = skb; > > > else > > > NAPI_GRO_CB(p)->last->next = skb; > > > + skb->next = NULL; > > > NAPI_GRO_CB(p)->last = skb; > > > > Besides, I'm a little bit confused that this operation inserts the > > newest skb into the tail of the flow, so the tail of flow is the > > newest, head oldest. The patch (commit: 600adc18) introduces the flush > > of the oldest when the flow is full to lower the latency, but actually > > it fetches the tail of the flow. Do I get something wrong here? I feel > > I have to update this part. The commit 600adc18 evicts and flushes the > oldest flow. But for the current kernel, when > "napi->gro_hash[hash].count >= MAX_GRO_SKBS" happens, the > gro_flush_oldest() flushes the oldest skb of one certain flow, > actually it is the newest skb because it is at the end of the list. I just submitted another patch to explain how it happens, please help me review both patches. Link: https://lore.kernel.org/lkml/20211027084944.4508-1-kerneljasonxing@gmail.com/ Thanks again, Jason > > > it is really odd. > > > > Thanks, > > Jason > > > > > __skb_header_release(skb); > > > lp = p; > > > -- > > > 1.8.3.1 > > > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net] net: gro: set the last skb->next to NULL when it get merged 2021-10-27 8:56 ` Jason Xing @ 2021-10-27 12:40 ` Yunsheng Lin 2021-10-27 12:54 ` Jason Xing 0 siblings, 1 reply; 9+ messages in thread From: Yunsheng Lin @ 2021-10-27 12:40 UTC (permalink / raw) To: Jason Xing, David Miller, kuba, alobakin, jonathan.lemon, Willem de Bruijn, pabeni, vvs, cong.wang Cc: netdev, LKML, Jason Xing On 2021/10/27 16:56, Jason Xing wrote: > On Wed, Oct 27, 2021 at 4:07 PM Jason Xing <kerneljasonxing@gmail.com> wrote: >> >> On Wed, Oct 27, 2021 at 3:23 PM Jason Xing <kerneljasonxing@gmail.com> wrote: >>> >>> On Tue, Oct 26, 2021 at 9:19 PM <kerneljasonxing@gmail.com> wrote: >>>> >>>> From: Jason Xing <xingwanli@kuaishou.com> >>>> >>>> Setting the @next of the last skb to NULL to prevent the panic in future >>>> when someone does something to the last of the gro list but its @next is >>>> invalid. >>>> >>>> For example, without the fix (commit: ece23711dd95), a panic could happen >>>> with the clsact loaded when skb is redirected and then validated in >>>> validate_xmit_skb_list() which could access the error addr of the @next >>>> of the last skb. Thus, "general protection fault" would appear after that. >>>> >>>> Signed-off-by: Jason Xing <xingwanli@kuaishou.com> >>>> --- >>>> net/core/skbuff.c | 1 + >>>> 1 file changed, 1 insertion(+) >>>> >>>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c >>>> index 2170bea..7b248f1 100644 >>>> --- a/net/core/skbuff.c >>>> +++ b/net/core/skbuff.c >>>> @@ -4396,6 +4396,7 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) >>>> skb_shinfo(p)->frag_list = skb; >>>> else >>>> NAPI_GRO_CB(p)->last->next = skb; >>>> + skb->next = NULL; >>>> NAPI_GRO_CB(p)->last = skb; >>> >>> Besides, I'm a little bit confused that this operation inserts the >>> newest skb into the tail of the flow, so the tail of flow is the >>> newest, head oldest. The patch (commit: 600adc18) introduces the flush >>> of the oldest when the flow is full to lower the latency, but actually >>> it fetches the tail of the flow. Do I get something wrong here? I feel >> >> I have to update this part. The commit 600adc18 evicts and flushes the >> oldest flow. But for the current kernel, when >> "napi->gro_hash[hash].count >= MAX_GRO_SKBS" happens, the >> gro_flush_oldest() flushes the oldest skb of one certain flow, >> actually it is the newest skb because it is at the end of the list. it seems the below is more matched with the gro_flush_oldest() instead of the above code block: https://elixir.bootlin.com/linux/v5.15-rc3/source/net/core/dev.c#L6118 > > I just submitted another patch to explain how it happens, please help > me review both patches. > > Link: https://lore.kernel.org/lkml/20211027084944.4508-1-kerneljasonxing@gmail.com/ > > Thanks again, > Jason > >> >>> it is really odd. >>> >>> Thanks, >>> Jason >>> >>>> __skb_header_release(skb); >>>> lp = p; >>>> -- >>>> 1.8.3.1 >>>> > . > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net] net: gro: set the last skb->next to NULL when it get merged 2021-10-27 12:40 ` Yunsheng Lin @ 2021-10-27 12:54 ` Jason Xing 2021-10-27 13:57 ` Jason Xing 0 siblings, 1 reply; 9+ messages in thread From: Jason Xing @ 2021-10-27 12:54 UTC (permalink / raw) To: Yunsheng Lin Cc: David Miller, kuba, alobakin, jonathan.lemon, Willem de Bruijn, pabeni, vvs, cong.wang, netdev, LKML, Jason Xing On Wed, Oct 27, 2021 at 8:40 PM Yunsheng Lin <linyunsheng@huawei.com> wrote: > > On 2021/10/27 16:56, Jason Xing wrote: > > On Wed, Oct 27, 2021 at 4:07 PM Jason Xing <kerneljasonxing@gmail.com> wrote: > >> > >> On Wed, Oct 27, 2021 at 3:23 PM Jason Xing <kerneljasonxing@gmail.com> wrote: > >>> > >>> On Tue, Oct 26, 2021 at 9:19 PM <kerneljasonxing@gmail.com> wrote: > >>>> > >>>> From: Jason Xing <xingwanli@kuaishou.com> > >>>> > >>>> Setting the @next of the last skb to NULL to prevent the panic in future > >>>> when someone does something to the last of the gro list but its @next is > >>>> invalid. > >>>> > >>>> For example, without the fix (commit: ece23711dd95), a panic could happen > >>>> with the clsact loaded when skb is redirected and then validated in > >>>> validate_xmit_skb_list() which could access the error addr of the @next > >>>> of the last skb. Thus, "general protection fault" would appear after that. > >>>> > >>>> Signed-off-by: Jason Xing <xingwanli@kuaishou.com> > >>>> --- > >>>> net/core/skbuff.c | 1 + > >>>> 1 file changed, 1 insertion(+) > >>>> > >>>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c > >>>> index 2170bea..7b248f1 100644 > >>>> --- a/net/core/skbuff.c > >>>> +++ b/net/core/skbuff.c > >>>> @@ -4396,6 +4396,7 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) > >>>> skb_shinfo(p)->frag_list = skb; > >>>> else > >>>> NAPI_GRO_CB(p)->last->next = skb; > >>>> + skb->next = NULL; > >>>> NAPI_GRO_CB(p)->last = skb; > >>> > >>> Besides, I'm a little bit confused that this operation inserts the > >>> newest skb into the tail of the flow, so the tail of flow is the > >>> newest, head oldest. The patch (commit: 600adc18) introduces the flush > >>> of the oldest when the flow is full to lower the latency, but actually > >>> it fetches the tail of the flow. Do I get something wrong here? I feel > >> > >> I have to update this part. The commit 600adc18 evicts and flushes the > >> oldest flow. But for the current kernel, when > >> "napi->gro_hash[hash].count >= MAX_GRO_SKBS" happens, the > >> gro_flush_oldest() flushes the oldest skb of one certain flow, > >> actually it is the newest skb because it is at the end of the list. > > it seems the below is more matched with the gro_flush_oldest() instead > of the above code block: > https://elixir.bootlin.com/linux/v5.15-rc3/source/net/core/dev.c#L6118 > What you said is the @skb->list but not the list between skbs which is connected by skb->next when the new incoming skb needs to get merged. The @skb->list->next/prev is not the same as @skb->next. > > > > I just submitted another patch to explain how it happens, please help > > me review both patches. > > > > Link: https://lore.kernel.org/lkml/20211027084944.4508-1-kerneljasonxing@gmail.com/ > > > > Thanks again, > > Jason > > > >> > >>> it is really odd. > >>> > >>> Thanks, > >>> Jason > >>> > >>>> __skb_header_release(skb); > >>>> lp = p; > >>>> -- > >>>> 1.8.3.1 > >>>> > > . > > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net] net: gro: set the last skb->next to NULL when it get merged 2021-10-27 12:54 ` Jason Xing @ 2021-10-27 13:57 ` Jason Xing 0 siblings, 0 replies; 9+ messages in thread From: Jason Xing @ 2021-10-27 13:57 UTC (permalink / raw) To: Yunsheng Lin Cc: David Miller, kuba, alobakin, jonathan.lemon, Willem de Bruijn, pabeni, vvs, cong.wang, netdev, LKML, Jason Xing On Wed, Oct 27, 2021 at 8:54 PM Jason Xing <kerneljasonxing@gmail.com> wrote: > > On Wed, Oct 27, 2021 at 8:40 PM Yunsheng Lin <linyunsheng@huawei.com> wrote: > > > > On 2021/10/27 16:56, Jason Xing wrote: > > > On Wed, Oct 27, 2021 at 4:07 PM Jason Xing <kerneljasonxing@gmail.com> wrote: > > >> > > >> On Wed, Oct 27, 2021 at 3:23 PM Jason Xing <kerneljasonxing@gmail.com> wrote: > > >>> > > >>> On Tue, Oct 26, 2021 at 9:19 PM <kerneljasonxing@gmail.com> wrote: > > >>>> > > >>>> From: Jason Xing <xingwanli@kuaishou.com> > > >>>> > > >>>> Setting the @next of the last skb to NULL to prevent the panic in future > > >>>> when someone does something to the last of the gro list but its @next is > > >>>> invalid. > > >>>> > > >>>> For example, without the fix (commit: ece23711dd95), a panic could happen > > >>>> with the clsact loaded when skb is redirected and then validated in > > >>>> validate_xmit_skb_list() which could access the error addr of the @next > > >>>> of the last skb. Thus, "general protection fault" would appear after that. > > >>>> > > >>>> Signed-off-by: Jason Xing <xingwanli@kuaishou.com> > > >>>> --- > > >>>> net/core/skbuff.c | 1 + > > >>>> 1 file changed, 1 insertion(+) > > >>>> > > >>>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c > > >>>> index 2170bea..7b248f1 100644 > > >>>> --- a/net/core/skbuff.c > > >>>> +++ b/net/core/skbuff.c > > >>>> @@ -4396,6 +4396,7 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) > > >>>> skb_shinfo(p)->frag_list = skb; > > >>>> else > > >>>> NAPI_GRO_CB(p)->last->next = skb; > > >>>> + skb->next = NULL; > > >>>> NAPI_GRO_CB(p)->last = skb; > > >>> > > >>> Besides, I'm a little bit confused that this operation inserts the > > >>> newest skb into the tail of the flow, so the tail of flow is the > > >>> newest, head oldest. The patch (commit: 600adc18) introduces the flush > > >>> of the oldest when the flow is full to lower the latency, but actually > > >>> it fetches the tail of the flow. Do I get something wrong here? I feel > > >> > > >> I have to update this part. The commit 600adc18 evicts and flushes the > > >> oldest flow. But for the current kernel, when > > >> "napi->gro_hash[hash].count >= MAX_GRO_SKBS" happens, the > > >> gro_flush_oldest() flushes the oldest skb of one certain flow, > > >> actually it is the newest skb because it is at the end of the list. > > > > it seems the below is more matched with the gro_flush_oldest() instead > > of the above code block: > > https://elixir.bootlin.com/linux/v5.15-rc3/source/net/core/dev.c#L6118 > > > > What you said is the @skb->list but not the list between skbs which is > connected by skb->next when the new incoming skb needs to get merged. > The @skb->list->next/prev is not the same as @skb->next. > > > > > > > I just submitted another patch to explain how it happens, please help > > > me review both patches. > > > > > > Link: https://lore.kernel.org/lkml/20211027084944.4508-1-kerneljasonxing@gmail.com/ > > > Emm, I think you're right, Yunsheng. The gro_flush_oldest() fetches the list of @skb->list. Do you think the tail of skb's next pointer should be set to NULL? Thanks, Jason > > > Thanks again, > > > Jason > > > > > >> > > >>> it is really odd. > > >>> > > >>> Thanks, > > >>> Jason > > >>> > > >>>> __skb_header_release(skb); > > >>>> lp = p; > > >>>> -- > > >>>> 1.8.3.1 > > >>>> > > > . > > > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net] net: gro: set the last skb->next to NULL when it get merged 2021-10-27 8:07 ` Jason Xing 2021-10-27 8:56 ` Jason Xing @ 2021-10-27 19:25 ` Eric Dumazet 1 sibling, 0 replies; 9+ messages in thread From: Eric Dumazet @ 2021-10-27 19:25 UTC (permalink / raw) To: Jason Xing, David Miller, kuba, alobakin, jonathan.lemon, Willem de Bruijn, pabeni, vvs, cong.wang Cc: netdev, LKML, Jason Xing On 10/27/21 1:07 AM, Jason Xing wrote: > On Wed, Oct 27, 2021 at 3:23 PM Jason Xing <kerneljasonxing@gmail.com> wrote: >> >> On Tue, Oct 26, 2021 at 9:19 PM <kerneljasonxing@gmail.com> wrote: >>> >>> From: Jason Xing <xingwanli@kuaishou.com> >>> >>> Setting the @next of the last skb to NULL to prevent the panic in future >>> when someone does something to the last of the gro list but its @next is >>> invalid. >>> >>> For example, without the fix (commit: ece23711dd95), a panic could happen >>> with the clsact loaded when skb is redirected and then validated in >>> validate_xmit_skb_list() which could access the error addr of the @next >>> of the last skb. Thus, "general protection fault" would appear after that. >>> >>> Signed-off-by: Jason Xing <xingwanli@kuaishou.com> >>> --- >>> net/core/skbuff.c | 1 + >>> 1 file changed, 1 insertion(+) >>> >>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c >>> index 2170bea..7b248f1 100644 >>> --- a/net/core/skbuff.c >>> +++ b/net/core/skbuff.c >>> @@ -4396,6 +4396,7 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) >>> skb_shinfo(p)->frag_list = skb; >>> else >>> NAPI_GRO_CB(p)->last->next = skb; >>> + skb->next = NULL; >>> NAPI_GRO_CB(p)->last = skb; >> >> Besides, I'm a little bit confused that this operation inserts the >> newest skb into the tail of the flow, so the tail of flow is the >> newest, head oldest. The patch (commit: 600adc18) introduces the flush >> of the oldest when the flow is full to lower the latency, but actually >> it fetches the tail of the flow. Do I get something wrong here? I feel > > I have to update this part. The commit 600adc18 evicts and flushes the > oldest flow. But for the current kernel, when > "napi->gro_hash[hash].count >= MAX_GRO_SKBS" happens, the > gro_flush_oldest() flushes the oldest skb of one certain flow, > actually it is the newest skb because it is at the end of the list. GRO only keeps one skb per flow in the main hash/lru. I think you are not understanding GRO correctly. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net] net: gro: set the last skb->next to NULL when it get merged 2021-10-26 13:18 [PATCH net] net: gro: set the last skb->next to NULL when it get merged kerneljasonxing 2021-10-27 7:23 ` Jason Xing @ 2021-10-27 19:20 ` Eric Dumazet 1 sibling, 0 replies; 9+ messages in thread From: Eric Dumazet @ 2021-10-27 19:20 UTC (permalink / raw) To: kerneljasonxing, davem, kuba, alobakin, jonathan.lemon, willemb, pabeni, vvs, cong.wang Cc: netdev, linux-kernel, Jason Xing On 10/26/21 6:18 AM, kerneljasonxing@gmail.com wrote: > From: Jason Xing <xingwanli@kuaishou.com> > > Setting the @next of the last skb to NULL to prevent the panic in future > when someone does something to the last of the gro list but its @next is > invalid. > > For example, without the fix (commit: ece23711dd95), a panic could happen > with the clsact loaded when skb is redirected and then validated in > validate_xmit_skb_list() which could access the error addr of the @next > of the last skb. Thus, "general protection fault" would appear after that. > If this a bug, please provide a Fixes: tag > Signed-off-by: Jason Xing <xingwanli@kuaishou.com> > --- > net/core/skbuff.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > index 2170bea..7b248f1 100644 > --- a/net/core/skbuff.c > +++ b/net/core/skbuff.c > @@ -4396,6 +4396,7 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) > skb_shinfo(p)->frag_list = skb; > else > NAPI_GRO_CB(p)->last->next = skb; > + skb->next = NULL; Really at this point skb->next must be already NULL. Please provide a stack trace so that we fix the caller instead of adding more code in GRO layer. > NAPI_GRO_CB(p)->last = skb; > __skb_header_release(skb); > lp = p; > ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2021-10-27 19:25 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-10-26 13:18 [PATCH net] net: gro: set the last skb->next to NULL when it get merged kerneljasonxing 2021-10-27 7:23 ` Jason Xing 2021-10-27 8:07 ` Jason Xing 2021-10-27 8:56 ` Jason Xing 2021-10-27 12:40 ` Yunsheng Lin 2021-10-27 12:54 ` Jason Xing 2021-10-27 13:57 ` Jason Xing 2021-10-27 19:25 ` Eric Dumazet 2021-10-27 19:20 ` Eric Dumazet
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox