From: David Miller <davem@davemloft.net>
To: herbert@gondor.apana.org.au
Cc: netdev@vger.kernel.org
Subject: Re: [NET]: Update frag_list in pskb_trim
Date: Thu, 13 Jul 2006 19:22:10 -0700 (PDT) [thread overview]
Message-ID: <20060713.192210.35014155.davem@davemloft.net> (raw)
In-Reply-To: <20060713090341.GA28426@gondor.apana.org.au>
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Thu, 13 Jul 2006 19:03:41 +1000
> [NET]: Update frag_list in pskb_trim
>
> When pskb_trim has to defer to ___pksb_trim to trim the frag_list part of
> the packet, the frag_list is not updated to reflect the trimming. This
> will usually work fine until you hit something that uses the packet length
> or tail from the frag_list.
>
> Examples include esp_output and ip_fragment.
>
> Another problem caused by this is that you can end up with a linear packet
> with a frag_list attached.
>
> It is possible to get away with this if we audit everything to make sure
> that they always consult skb->len before going down onto frag_list. In
> fact we can do the samething for the paged part as well to avoid copying
> the data area of the skb. For now though, let's do the conservative fix
> and update frag_list.
>
> Many thanks to Marco Berizzi for helping me to track down this bug.
>
> This 4-year old bug took 3 months to track down. Marco was very patient
> indeed :)
>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
I happened to be looking at this function just the other day
and said to myself: "It only drops the fraglist if the whole
thing is trimmed, lazy and inefficient but seems to work"
Even the existing check for when to drop the whole fraglist
seems to be buggy, it only drops if the length drops below
headlen. Paged and fraglist skbs are legal, so the proper
check would be to drop the entire fraglist when len drops
to headlen + the length of the paged portion (if any).
In any event leaving stale chunks there on the fraglist is
certainly a major bug, thanks for fixing this Herbert.
I bet a suitably placed assertion or two would have caught this
sooner. One good spot would have been skb_cow_data(), where it has to
mince the fragments due to the presence of a frag_list.
next prev parent reply other threads:[~2006-07-14 2:22 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-13 9:03 [NET]: Update frag_list in pskb_trim Herbert Xu
2006-07-14 2:22 ` David Miller [this message]
2006-07-14 5:05 ` David Miller
2006-07-15 0:10 ` Herbert Xu
2006-07-17 15:22 ` [stable] " Greg KH
2006-07-17 18:13 ` Herbert Xu
2006-07-30 22:50 ` Herbert Xu
2006-08-03 7:19 ` Greg KH
2006-07-29 11:45 ` [NET]: Fix ___pskb_trim when entire frag_list needs dropping Herbert Xu
2006-07-30 22:46 ` David Miller
2006-08-02 15:01 ` Marco Berizzi
2006-08-02 21:15 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060713.192210.35014155.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).