netdev.vger.kernel.org archive mirror
* [PATCH net] atl1c: reserve min skb headroom
@ 2018-07-20 17:30 Florian Westphal
  2018-07-20 17:48 ` Eric Dumazet
  2018-07-22 17:29 ` David Miller
  0 siblings, 2 replies; 3+ messages in thread
From: Florian Westphal @ 2018-07-20 17:30 UTC
  To: netdev; +Cc: eric.dumazet, Florian Westphal

Got crash report with following backtrace:
BUG: unable to handle kernel paging request at ffff8801869daffe
RIP: 0010:[<ffffffff816429c4>]  [<ffffffff816429c4>] ip6_finish_output2+0x394/0x4c0
RSP: 0018:ffff880186c83a98  EFLAGS: 00010283
RAX: ffff8801869db00e ...
  [<ffffffff81644cdc>] ip6_finish_output+0x8c/0xf0
  [<ffffffff81644d97>] ip6_output+0x57/0x100
  [<ffffffff81643dc9>] ip6_forward+0x4b9/0x840
  [<ffffffff81645566>] ip6_rcv_finish+0x66/0xc0
  [<ffffffff81645db9>] ipv6_rcv+0x319/0x530
  [<ffffffff815892ac>] netif_receive_skb+0x1c/0x70
  [<ffffffffc0060bec>] atl1c_clean+0x1ec/0x310 [atl1c]
  ...

The bad access is in neigh_hh_output(), at skb->data - 16 (HH_DATA_MOD).
atl1c driver provided skb with no headroom, so 14 bytes (ethernet
header) got pulled, but then 16 are copied.

Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb().

Compile tested only; I lack hardware.

Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
index 94270f654b3b..7087b88550db 100644
--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
@@ -1686,6 +1686,7 @@ static struct sk_buff *atl1c_alloc_skb(struct atl1c_adapter *adapter)
 	skb = build_skb(page_address(page) + adapter->rx_page_offset,
 			adapter->rx_frag_size);
 	if (likely(skb)) {
+		skb_reserve(skb, NET_SKB_PAD);
 		adapter->rx_page_offset += adapter->rx_frag_size;
 		if (adapter->rx_page_offset >= PAGE_SIZE)
 			adapter->rx_page = NULL;
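
Review bot: the added skb_reserve(skb, NET_SKB_PAD) takes NET_SKB_PAD bytes out of the adapter->rx_frag_size buffer passed to build_skb(), and nothing in this hunk shows that rx_frag_size was sized with that headroom in mind. Please confirm, and state in the commit message, that rx_frag_size covers NET_SKB_PAD plus the largest receive length plus the build_skb() overhead, so a full-size frame still fits behind the moved skb->data. Given "Compile tested only", this is the part most worth checking on hardware before the change goes to -stable.
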
-- 
2.16.4


* Re: [PATCH net] atl1c: reserve min skb headroom
  2018-07-20 17:30 [PATCH net] atl1c: reserve min skb headroom Florian Westphal
@ 2018-07-20 17:48 ` Eric Dumazet
  2018-07-22 17:29 ` David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: Eric Dumazet @ 2018-07-20 17:48 UTC
  To: Florian Westphal, netdev; +Cc: eric.dumazet



On 07/20/2018 10:30 AM, Florian Westphal wrote:
> Got crash report with following backtrace:
> BUG: unable to handle kernel paging request at ffff8801869daffe
> RIP: 0010:[<ffffffff816429c4>]  [<ffffffff816429c4>] ip6_finish_output2+0x394/0x4c0
> RSP: 0018:ffff880186c83a98  EFLAGS: 00010283
> RAX: ffff8801869db00e ...
>   [<ffffffff81644cdc>] ip6_finish_output+0x8c/0xf0
>   [<ffffffff81644d97>] ip6_output+0x57/0x100
>   [<ffffffff81643dc9>] ip6_forward+0x4b9/0x840
>   [<ffffffff81645566>] ip6_rcv_finish+0x66/0xc0
>   [<ffffffff81645db9>] ipv6_rcv+0x319/0x530
>   [<ffffffff815892ac>] netif_receive_skb+0x1c/0x70
>   [<ffffffffc0060bec>] atl1c_clean+0x1ec/0x310 [atl1c]
>   ...
> 
> The bad access is in neigh_hh_output(), at skb->data - 16 (HH_DATA_MOD).
> atl1c driver provided skb with no headroom, so 14 bytes (ethernet
> header) got pulled, but then 16 are copied.
> 
> Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb().
> 
> Compile tested only; I lack hardware.
> 
> Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring")
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
> index 94270f654b3b..7087b88550db 100644
> --- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
> +++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
> @@ -1686,6 +1686,7 @@ static struct sk_buff *atl1c_alloc_skb(struct atl1c_adapter *adapter)
>  	skb = build_skb(page_address(page) + adapter->rx_page_offset,
>  			adapter->rx_frag_size);
>  	if (likely(skb)) {
> +		skb_reserve(skb, NET_SKB_PAD);
>  		adapter->rx_page_offset += adapter->rx_frag_size;
>  		if (adapter->rx_page_offset >= PAGE_SIZE)
>  			adapter->rx_page = NULL;
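
Review bot: the new skb_reserve(skb, NET_SKB_PAD) line carries no comment, and the reason for it is not visible from atl1c_alloc_skb() alone: per the commit message, the forwarding path copies 16 bytes in front of skb->data in neigh_hh_output() after only 14 were pulled. A one-line comment above the call, noting that build_skb() leaves no headroom while netdev_alloc_skb() users get NET_SKB_PAD, would keep a later cleanup of the rx refill path from dropping it again.
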
> 

Yes, it is interesting IPv4 has code to deal with that (in ip_finish_output2()),
not IPv6 :/

Reviewed-by: Eric Dumazet <edumazet@google.com>


* Re: [PATCH net] atl1c: reserve min skb headroom
  2018-07-20 17:30 [PATCH net] atl1c: reserve min skb headroom Florian Westphal
  2018-07-20 17:48 ` Eric Dumazet
@ 2018-07-22 17:29 ` David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2018-07-22 17:29 UTC
  To: fw; +Cc: netdev, eric.dumazet

From: Florian Westphal <fw@strlen.de>
Date: Fri, 20 Jul 2018 19:30:57 +0200

> Got crash report with following backtrace:
> BUG: unable to handle kernel paging request at ffff8801869daffe
> RIP: 0010:[<ffffffff816429c4>]  [<ffffffff816429c4>] ip6_finish_output2+0x394/0x4c0
> RSP: 0018:ffff880186c83a98  EFLAGS: 00010283
> RAX: ffff8801869db00e ...
>   [<ffffffff81644cdc>] ip6_finish_output+0x8c/0xf0
>   [<ffffffff81644d97>] ip6_output+0x57/0x100
>   [<ffffffff81643dc9>] ip6_forward+0x4b9/0x840
>   [<ffffffff81645566>] ip6_rcv_finish+0x66/0xc0
>   [<ffffffff81645db9>] ipv6_rcv+0x319/0x530
>   [<ffffffff815892ac>] netif_receive_skb+0x1c/0x70
>   [<ffffffffc0060bec>] atl1c_clean+0x1ec/0x310 [atl1c]
>   ...
> 
> The bad access is in neigh_hh_output(), at skb->data - 16 (HH_DATA_MOD).
> atl1c driver provided skb with no headroom, so 14 bytes (ethernet
> header) got pulled, but then 16 are copied.
> 
> Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb().
> 
> Compile tested only; I lack hardware.
> 
> Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring")
> Signed-off-by: Florian Westphal <fw@strlen.de>

Ancient bug :-/

Applied and queued up for -stable, thanks Florian.
