From: Michal Schmidt <mschmidt@redhat.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, Herbert Xu <herbert@gondor.hengli.com.au>,
Ben Hutchings <bhutchings@solarflare.com>
Subject: [PATCH] GRO: fix merging a paged skb after non-paged skbs
Date: Mon, 24 Jan 2011 18:47:52 +0100 [thread overview]
Message-ID: <20110124184752.1d0947dd@delilah> (raw)
Suppose that several linear skbs of the same flow were received by GRO. They
were thus merged into one skb with a frag_list. Then a new skb of the same flow
arrives, but it is a paged skb with data starting in its frags[].
Before adding the skb to the frag_list skb_gro_receive() will of course adjust
the skb to throw away the headers. It correctly modifies the page_offset and
size of the frag, but it leaves incorrect information in the skb:
->data_len is not decreased at all.
->len is decreased only by headlen, as if no change were done to the frag.
Later in a receiving process this causes skb_copy_datagram_iovec() to return
-EFAULT and this is seen in userspace as the result of the recv() syscall.
In practice the bug can be reproduced with the sfc driver. By default the
driver uses an adaptive scheme when it switches between using
napi_gro_receive() (with skbs) and napi_gro_frags() (with pages). The bug is
reproduced when under rx load with enough successful GRO merging the driver
decides to switch from the former to the latter.
Manual control is also possible, so reproducing this is easy with netcat:
- on machine1 (with sfc): nc -l 12345 > /dev/null
- on machine2: nc machine1 12345 < /dev/zero
- on machine1:
echo 1 > /sys/module/sfc/parameters/rx_alloc_method # use skbs
echo 2 > /sys/module/sfc/parameters/rx_alloc_method # use pages
- See that nc has quit suddenly.
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
---
net/core/skbuff.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index d31bb36..c231f5b 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2746,7 +2746,7 @@ merge:
if (offset > headlen) {
skbinfo->frags[0].page_offset += offset - headlen;
skbinfo->frags[0].size -= offset - headlen;
- offset = headlen;
+ skb->data_len -= offset - headlen;
}
__skb_pull(skb, offset);
--
1.7.1
next reply other threads:[~2011-01-24 17:48 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-24 17:47 Michal Schmidt [this message]
2011-01-24 18:44 ` [PATCH] GRO: fix merging a paged skb after non-paged skbs Eric Dumazet
2011-01-24 22:08 ` [PATCH v2] " Michal Schmidt
2011-01-24 22:22 ` Eric Dumazet
2011-01-24 22:27 ` David Miller
2011-01-25 1:24 ` [PATCH] " Ben Hutchings
2011-02-07 20:39 ` Ben Hutchings
2011-02-08 8:49 ` Herbert Xu
2011-02-08 15:04 ` Ben Hutchings
2011-02-08 20:54 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110124184752.1d0947dd@delilah \
--to=mschmidt@redhat.com \
--cc=bhutchings@solarflare.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.hengli.com.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).