From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Neil Horman <nhorman@tuxdriver.com>,
Andy Gospodarek <andy@greyhouse.net>,
Jay Vosburgh <fubar@us.ibm.com>,
"David S. Miller" <davem@davemloft.net>,
Greg KH <gregkh@linuxfoundation.org>
Subject: [PATCH 76/91] bonding: Ensure that we unshare skbs prior to calling pskb_may_pull
Date: Sun, 05 Feb 2012 23:11:05 +0100 [thread overview]
Message-ID: <20120205220952.698841788@pcw.home.local> (raw)
In-Reply-To: <0635750f5f06ed2ca212b91fcb5c4483@local>
2.6.27-longterm review patch. If anyone has any objections, please let us know.
------------------
commit b30532515f0a62bfe17207ab00883dd262497006 upstream.
Recently reported oops:
kernel BUG at net/core/skbuff.c:813!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/virtual/net/bond0/broadcast
CPU 8
Modules linked in: sit tunnel4 cpufreq_ondemand acpi_cpufreq freq_table bonding
ipv6 dm_mirror dm_region_hash dm_log cdc_ether usbnet mii serio_raw i2c_i801
i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma i7core_edac edac_core bnx2
ixgbe dca mdio sg ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase
scsi_transport_sas dm_mod [last unloaded: microcode]
Modules linked in: sit tunnel4 cpufreq_ondemand acpi_cpufreq freq_table bonding
ipv6 dm_mirror dm_region_hash dm_log cdc_ether usbnet mii serio_raw i2c_i801
i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma i7core_edac edac_core bnx2
ixgbe dca mdio sg ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase
scsi_transport_sas dm_mod [last unloaded: microcode]
Pid: 0, comm: swapper Not tainted 2.6.32-71.el6.x86_64 #1 BladeCenter HS22
-[7870AC1]-
RIP: 0010:[<ffffffff81405b16>] [<ffffffff81405b16>]
pskb_expand_head+0x36/0x1e0
RSP: 0018:ffff880028303b70 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffff880c6458ec80 RCX: 0000000000000020
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880c6458ec80
RBP: ffff880028303bc0 R08: ffffffff818a6180 R09: ffff880c6458ed64
R10: ffff880c622b36c0 R11: 0000000000000400 R12: 0000000000000000
R13: 0000000000000180 R14: ffff880c622b3000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff880028300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 00000038653452a4 CR3: 0000000001001000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 0, threadinfo ffff8806649c2000, task ffff880c64f16ab0)
Stack:
ffff880028303bc0 ffffffff8104fff9 000000000000001c 0000000100000000
<0> ffff880000047d80 ffff880c6458ec80 000000000000001c ffff880c6223da00
<0> ffff880c622b3000 0000000000000000 ffff880028303c10 ffffffff81407f7a
Call Trace:
<IRQ>
[<ffffffff8104fff9>] ? __wake_up_common+0x59/0x90
[<ffffffff81407f7a>] __pskb_pull_tail+0x2aa/0x360
[<ffffffffa0244530>] bond_arp_rcv+0x2c0/0x2e0 [bonding]
[<ffffffff814a0857>] ? packet_rcv+0x377/0x440
[<ffffffff8140f21b>] netif_receive_skb+0x2db/0x670
[<ffffffff8140f788>] napi_skb_finish+0x58/0x70
[<ffffffff8140fc89>] napi_gro_receive+0x39/0x50
[<ffffffffa01286eb>] ixgbe_clean_rx_irq+0x35b/0x900 [ixgbe]
[<ffffffffa01290f6>] ixgbe_clean_rxtx_many+0x136/0x240 [ixgbe]
[<ffffffff8140fe53>] net_rx_action+0x103/0x210
[<ffffffff81073bd7>] __do_softirq+0xb7/0x1e0
[<ffffffff810d8740>] ? handle_IRQ_event+0x60/0x170
[<ffffffff810142cc>] call_softirq+0x1c/0x30
[<ffffffff81015f35>] do_softirq+0x65/0xa0
[<ffffffff810739d5>] irq_exit+0x85/0x90
[<ffffffff814cf915>] do_IRQ+0x75/0xf0
[<ffffffff81013ad3>] ret_from_intr+0x0/0x11
<EOI>
[<ffffffff8101bc01>] ? mwait_idle+0x71/0xd0
[<ffffffff814cd80a>] ? atomic_notifier_call_chain+0x1a/0x20
[<ffffffff81011e96>] cpu_idle+0xb6/0x110
[<ffffffff814c17c8>] start_secondary+0x1fc/0x23f
Resulted from bonding driver registering packet handlers via dev_add_pack and
then trying to call pskb_may_pull. If another packet handler (like for AF_PACKET
sockets) gets called first, the delivered skb will have a user count > 1, which
causes pskb_may_pull to BUG halt when it does its skb_shared check. Fix this by
calling skb_share_check prior to the may_pull call sites in the bonding driver
to clone the skb when needed. Tested by myself and the reported successfully.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Andy Gospodarek <andy@greyhouse.net>
CC: Jay Vosburgh <fubar@us.ibm.com>
CC: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/net/bonding/bond_3ad.c | 4 ++++
drivers/net/bonding/bond_alb.c | 4 ++++
drivers/net/bonding/bond_main.c | 4 ++++
3 files changed, 12 insertions(+), 0 deletions(-)
Index: longterm-2.6.27/drivers/net/bonding/bond_3ad.c
===================================================================
--- longterm-2.6.27.orig/drivers/net/bonding/bond_3ad.c 2012-02-05 22:34:45.523916489 +0100
+++ longterm-2.6.27/drivers/net/bonding/bond_3ad.c 2012-02-05 22:34:45.677916635 +0100
@@ -2436,6 +2436,10 @@
if (!(dev->flags & IFF_MASTER))
goto out;
+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (!skb)
+ goto out;
+
if (!pskb_may_pull(skb, sizeof(struct lacpdu)))
goto out;
Index: longterm-2.6.27/drivers/net/bonding/bond_alb.c
===================================================================
--- longterm-2.6.27.orig/drivers/net/bonding/bond_alb.c 2012-02-05 22:34:45.528915452 +0100
+++ longterm-2.6.27/drivers/net/bonding/bond_alb.c 2012-02-05 22:34:45.682915651 +0100
@@ -359,6 +359,10 @@
goto out;
}
+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (!skb)
+ goto out;
+
if (!pskb_may_pull(skb, arp_hdr_len(bond_dev)))
goto out;
Index: longterm-2.6.27/drivers/net/bonding/bond_main.c
===================================================================
--- longterm-2.6.27.orig/drivers/net/bonding/bond_main.c 2012-02-05 22:34:32.651914903 +0100
+++ longterm-2.6.27/drivers/net/bonding/bond_main.c 2012-02-05 22:34:45.691916958 +0100
@@ -2699,6 +2699,10 @@
if (!slave || !slave_do_arp_validate(bond, slave))
goto out_unlock;
+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (!skb)
+ goto out_unlock;
+
if (!pskb_may_pull(skb, arp_hdr_len(dev)))
goto out_unlock;
next prev parent reply other threads:[~2012-02-05 22:11 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <0635750f5f06ed2ca212b91fcb5c4483@local>
2012-02-05 22:09 ` [PATCH 00/91] 2.6.27.60-longterm review Willy Tarreau
2012-02-05 22:09 ` [PATCH 01/91] UBIFS: fix master node recovery Willy Tarreau
2012-02-05 22:09 ` [PATCH 02/91] slub: fix panic with DISCONTIGMEM Willy Tarreau
2012-02-06 21:58 ` David Rientjes
2012-02-07 6:13 ` Willy Tarreau
2012-02-05 22:09 ` [PATCH 03/91] set memory ranges in N_NORMAL_MEMORY when onlined Willy Tarreau
2012-02-05 22:09 ` [PATCH 04/91] agp: fix arbitrary kernel memory writes Willy Tarreau
2012-02-05 22:09 ` [PATCH 05/91] agp: fix OOM and buffer overflow Willy Tarreau
2012-02-05 22:09 ` [PATCH 06/91] put stricter guards on queue dead checks Willy Tarreau
2012-02-05 22:09 ` [PATCH 07/91] mmc: sdhci-pci: Fix error case in sdhci_pci_probe_slot() Willy Tarreau
2012-02-05 22:09 ` [PATCH 08/91] mmc: sdhci: Check mrq->cmd in sdhci_tasklet_finish Willy Tarreau
2012-02-05 22:09 ` [PATCH 09/91] mmc: sdhci: Check mrq != NULL " Willy Tarreau
2012-02-05 22:09 ` [PATCH 10/91] af_unix: Only allow recv on connected seqpacket sockets Willy Tarreau
2012-02-05 22:10 ` [PATCH 11/91] ARM: 6891/1: prevent heap corruption in OABI semtimedop Willy Tarreau
2012-02-05 22:10 ` [PATCH 12/91] Open with O_CREAT flag set fails to open existing files on non writable directories Willy Tarreau
2012-02-05 22:10 ` [PATCH 13/91] fs/partitions/ldm.c: fix oops caused by corrupted partition table Willy Tarreau
2012-02-05 22:10 ` [PATCH 14/91] SUNRPC: fix NFS client over TCP hangs due to packet loss (Bug 16494) Willy Tarreau
2012-02-05 22:10 ` [PATCH 15/91] Fix corrupted OSF partition table parsing Willy Tarreau
2012-02-05 22:10 ` [PATCH 16/91] sata_via: Delay on vt6420 when starting ATAPI DMA write Willy Tarreau
2012-02-05 22:10 ` [PATCH 17/91] libata: set queue DMA alignment to sector size for ATAPI too Willy Tarreau
2012-02-05 22:10 ` [PATCH 18/91] usb: musb: core: set has_tt flag Willy Tarreau
2012-02-05 22:10 ` [PATCH 19/91] Validate size of EFI GUID partition entries Willy Tarreau
2012-02-05 22:10 ` [PATCH 20/91] libertas: fix cmdpendingq locking Willy Tarreau
2012-02-05 22:10 ` [PATCH 21/91] powerpc/oprofile: Handle events that raise an exception without overflowing Willy Tarreau
2012-02-05 22:10 ` [PATCH 22/91] ext3: Fix fs corruption when make_indexed_dir() fails Willy Tarreau
2012-02-05 22:10 ` [PATCH 23/91] Fix for buffer overflow in ldm_frag_add not sufficient Willy Tarreau
2012-02-05 22:10 ` [PATCH 24/91] seqlock: Dont smp_rmb in seqlock reader spin loop Willy Tarreau
2012-02-05 22:10 ` [PATCH 25/91] x86/amd-iommu: Fix 3 possible endless loops Willy Tarreau
2012-02-05 22:10 ` [PATCH 26/91] md: check ->hot_remove_disk when removing disk Willy Tarreau
2012-02-05 22:10 ` [PATCH 27/91] uvcvideo: Remove buffers from the queues when freeing Willy Tarreau
2012-02-05 22:10 ` [PATCH 28/91] cfq-iosched: fix locking around ioc->ioc_data assignment Willy Tarreau
2012-02-05 22:10 ` [PATCH 29/91] cfq-iosched: fix a rcu warning Willy Tarreau
2012-02-05 22:10 ` [PATCH 30/91] SUNRPC: Fix use of static variable in rpcb_getport_async Willy Tarreau
2012-02-05 22:10 ` [PATCH 31/91] x86: Make Dell Latitude E5420 use reboot=pci Willy Tarreau
2012-02-05 22:10 ` [PATCH 32/91] libsas: remove expander from dev list on error Willy Tarreau
2012-02-05 23:48 ` Luben Tuikov
2012-02-06 0:52 ` Wanlong Gao
2012-02-06 1:14 ` Luben Tuikov
2012-02-06 6:25 ` Willy Tarreau
2012-02-05 22:10 ` [PATCH 33/91] powerpc/kdump: Fix timeout in crash_kexec_wait_realmode Willy Tarreau
2012-02-05 22:10 ` [PATCH 34/91] ext3: Fix oops in ext3_try_to_allocate_with_rsv() Willy Tarreau
2012-02-05 22:10 ` [PATCH 35/91] svcrpc: fix list-corrupting race on nfsd shutdown Willy Tarreau
2012-02-05 22:10 ` [PATCH 36/91] powerpc/pseries/hvconsole: Fix dropped console output Willy Tarreau
2012-02-05 22:10 ` [PATCH 37/91] alpha: fix several security issues Willy Tarreau
2012-02-05 22:10 ` [PATCH 38/91] ALSA: timer - Fix Oops at closing slave timer Willy Tarreau
2012-02-05 22:10 ` [PATCH 39/91] powerpc: Fix device tree claim code Willy Tarreau
2012-02-05 22:10 ` [PATCH 40/91] powerpc: pseries: Fix kexec on machines with more than 4TB of RAM Willy Tarreau
2012-02-05 22:10 ` [PATCH 41/91] xen/smp: Warn user why they keel over - nosmp or noapic and what to use instead Willy Tarreau
2012-02-06 16:50 ` Konrad Rzeszutek Wilk
2012-02-06 18:30 ` Willy Tarreau
2012-02-05 22:10 ` [PATCH 42/91] cifs: fix possible memory corruption in CIFSFindNext Willy Tarreau
2012-02-05 22:10 ` [PATCH 43/91] TPM: Call tpm_transmit with correct size Willy Tarreau
2012-02-05 22:10 ` [PATCH 44/91] TPM: Zero buffer after copying to userspace Willy Tarreau
2012-02-05 22:10 ` [PATCH 45/91] aacraid: reset should disable MSI interrupt Willy Tarreau
2012-02-05 22:10 ` [PATCH 46/91] libsas: fix panic when single phy is disabled on a wide port Willy Tarreau
2012-02-05 22:10 ` [PATCH 47/91] KVM: s390: check cpu_id prior to using it Willy Tarreau
2012-02-05 22:10 ` [PATCH 48/91] carminefb: Fix module parameters permissions Willy Tarreau
2012-02-05 22:10 ` [PATCH 49/91] um: fix ubd cow size Willy Tarreau
2012-02-05 22:10 ` [PATCH 50/91] NLM: Dont hang forever on NLM unlock requests Willy Tarreau
2012-02-05 22:10 ` [PATCH 51/91] Bluetooth: Prevent buffer overflow in l2cap config request Willy Tarreau
2012-02-05 22:10 ` [PATCH 52/91] net_sched: Fix qdisc_notify() Willy Tarreau
2012-02-05 22:10 ` [PATCH 53/91] ext4: fix BUG_ON() in ext4_ext_insert_extent() Willy Tarreau
2012-02-05 22:10 ` [PATCH 54/91] drivers/net/rionet.c: fix ethernet address macros for LE platforms Willy Tarreau
2012-02-05 22:10 ` [PATCH 55/91] Make scsi_free_queue() kill pending SCSI commands Willy Tarreau
2012-02-06 7:28 ` Bart Van Assche
2012-02-06 7:37 ` Willy Tarreau
2012-02-05 22:10 ` [PATCH 56/91] hfs: add sanity check for file name length Willy Tarreau
2012-02-05 22:10 ` [PATCH 57/91] USB: Fix Corruption issue in USB ftdi driver ftdi_sio.c Willy Tarreau
2012-02-05 22:10 ` [PATCH 58/91] oprofile, x86: Fix crash when unloading module (nmi timer mode) Willy Tarreau
2012-02-05 22:10 ` [PATCH 59/91] jbd/jbd2: validate sb->s_first in journal_get_superblock() Willy Tarreau
2012-02-05 22:10 ` [PATCH 60/91] Make TASKSTATS require root access Willy Tarreau
2012-02-05 22:10 ` [PATCH 61/91] hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops Willy Tarreau
2012-02-05 22:10 ` [PATCH 62/91] [PATCH] x86, mm: Add __get_user_pages_fast() Willy Tarreau
2012-02-05 22:10 ` [PATCH 63/91] export __get_user_pages_fast() function Willy Tarreau
2012-02-05 22:10 ` [PATCH 64/91] oprofile, x86: Fix nmi-unsafe callgraph support Willy Tarreau
2012-02-05 22:10 ` [PATCH 65/91] ext4: avoid hangs in ext4_da_should_update_i_disksize() Willy Tarreau
2012-02-05 22:10 ` [PATCH 66/91] offb: Fix setting of the pseudo-palette for >8bpp Willy Tarreau
2012-02-05 22:10 ` [PATCH 67/91] offb: Fix bug in calculating requested vram size Willy Tarreau
2012-02-05 22:10 ` [PATCH 68/91] usb: usb-storage doesnt support dynamic id currently, the patch disables the feature to fix an oops Willy Tarreau
2012-02-05 22:10 ` [PATCH 69/91] SCSI: scsi_dh: check queuedata pointer before proceeding further Willy Tarreau
2012-02-05 22:10 ` [PATCH 70/91] ALSA: ice1724 - Check for ac97 to avoid kernel oops Willy Tarreau
2012-02-05 22:11 ` [PATCH 71/91] UBI: fix nameless volumes handling Willy Tarreau
2012-02-05 22:11 ` [PATCH 72/91] svcrpc: fix double-free on shutdown of nfsd after changing pool mode Willy Tarreau
2012-02-05 22:11 ` [PATCH 73/91] nfsd: Fix oops when parsing a 0 length export Willy Tarreau
2012-02-05 22:11 ` [PATCH 74/91] sym53c8xx: Fix NULL pointer dereference in slave_destroy Willy Tarreau
2012-02-05 22:11 ` [PATCH 75/91] [PATCH] bonding: correctly process non-linear skbs Willy Tarreau
2012-02-05 22:11 ` Willy Tarreau [this message]
2012-02-05 22:11 ` [PATCH 77/91] block: add proper state guards to __elv_next_request Willy Tarreau
2012-02-05 22:11 ` [PATCH 78/91] x86, 64-bit: Fix copy_[to/from]_user() checks for the userspace address limit Willy Tarreau
2012-02-05 22:11 ` [PATCH 79/91] SCSI: scsi_lib: fix potential NULL dereference Willy Tarreau
2012-02-05 22:11 ` [PATCH 80/91] MAINTAINERS: stable: Update address Willy Tarreau
2012-02-05 22:11 ` [PATCH 81/91] af_packet: prevent information leak Willy Tarreau
2012-02-05 22:11 ` [PATCH 82/91] Fix time() inconsistencies caused by intermediate xtime_cache values being read Willy Tarreau
2012-02-05 22:11 ` [PATCH 83/91] net/ipv4: Check for mistakenly passed in non-IPv4 address Willy Tarreau
2012-02-05 22:11 ` [PATCH 84/91] x86: Fix mmap random address range Willy Tarreau
2012-02-05 22:11 ` [PATCH 85/91] i8k: Tell gcc that *regs gets clobbered Willy Tarreau
2012-02-05 22:11 ` [PATCH 86/91] Fix gcc 4.5.1 miscompiling drivers/char/i8k.c (again) Willy Tarreau
2012-02-05 22:11 ` [PATCH 87/91] kbuild: Disable -Wunused-but-set-variable for gcc 4.6.0 Willy Tarreau
2012-02-05 22:11 ` [PATCH 88/91] kbuild: Fix passing -Wno-* options to gcc 4.4+ Willy Tarreau
2012-02-05 22:11 ` [PATCH 89/91] i8k: Avoid lahf in 64-bit code Willy Tarreau
2012-02-05 22:11 ` [PATCH 90/91] block: fail SCSI passthrough ioctls on partition devices Willy Tarreau
2012-02-05 22:44 ` Paolo Bonzini
2012-02-05 22:53 ` Willy Tarreau
2012-02-07 10:03 ` Paolo Bonzini
2012-02-07 10:21 ` Willy Tarreau
2012-02-05 22:11 ` [PATCH 91/91] dm: do not forward ioctls from logical volumes to the underlying device Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120205220952.698841788@pcw.home.local \
--to=w@1wt.eu \
--cc=andy@greyhouse.net \
--cc=davem@davemloft.net \
--cc=fubar@us.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).