From: "Svenning Sørensen" <sss@secomea.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: <linux-kernel@vger.kernel.org>, <netdev@vger.kernel.org>
Subject: [PATCH] net: guard against coalescing packets from buggy network drivers
Date: Fri, 25 Apr 2014 17:02:05 +0200 [thread overview]
Message-ID: <535A78ED.3020309@secomea.com> (raw)
This patch adds a guard against coalescing packets received by buggy network
drivers that don't initialize skb->tail properly.
Coalescing such packets will corrupt data in a way that makes it hard to
track down the real cause of the problem. Observed symptoms are a flood of
WARNs by tcp_recvmsg at random times, leaving no clear indication as to why
the packet buffers were corrupted. See for example this thread:
https://groups.google.com/forum/#!topic/linux.kernel/A8ZI9aXooSU
Obviously the correct thing to do is fixing the drivers in question (eg. by
using skb_put() instead of just setting skb->len) - this patch will
hopefully
help to track them down with less effort than I had to put into it :)
NB: in my case it was an out-of-tree Bluegiga WiFi driver; a quick look
indicates
that there are in-tree drivers (for hardware that I don't own) with the
same bug.
Signed-off-by: Svenning Soerensen <sss@secomea.com>
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 1b62343..188a60a 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3833,6 +3833,19 @@ bool skb_try_coalesce(struct sk_buff *to, struct
sk_buff *from,
return false;
if (len <= skb_tailroom(to)) {
+ /* Guard against buggy network drivers that don't initialize
+ * skb properly: if they manipulate skb->len directly without
+ * setting skb->tail, the skb_put below may return a pointer to
+ * live data (such as TCP headers) that (without this guard)
+ * would get overwritten by coalescing.
+ * The correct thing to do is fixing the network drivers - but
+ * this guard should give us a chance to spot them before they
+ * cause real hard-to-debug problems :)
+ */
+ if (WARN_ONCE(skb_tail_pointer(to) < to->data,
+ "skb inconsistency: tail below data\n"))
+ return false;
+
BUG_ON(skb_copy_bits(from, 0, skb_put(to, len), len));
*delta_truesize = 0;
return true;
next reply other threads:[~2014-04-25 15:07 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-25 15:02 Svenning Sørensen [this message]
2014-04-25 15:43 ` [PATCH] net: guard against coalescing packets from buggy network drivers Eric Dumazet
2014-04-25 16:01 ` Svenning Sørensen
2014-04-25 16:49 ` Eric Dumazet
2014-04-25 19:32 ` Svenning Sørensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=535A78ED.3020309@secomea.com \
--to=sss@secomea.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox