linux/drivers/net/usb
Bjørn Mork 49c2c3f246 cdc_ncm: avoid padding beyond end of skb
Commit 4a0e3e989d ("cdc_ncm: Add support for moving NDP to end
of NCM frame") added logic to reserve space for the NDP at the
end of the NTB/skb.  This reservation did not take the final
alignment of the NDP into account, causing us to reserve too
little space. Additionally the padding prior to NDP addition did
not ensure there was enough space for the NDP.

The NTB/skb with the NDP appended would then exceed the configured
max size. This caused the final padding of the NTB to use a
negative count, padding to almost INT_MAX, and resulting in:

[60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000
[60103.825998] IP: __memset+0x24/0x30
[60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0
[60103.826013] Oops: 0002 [#1] SMP NOPTI
[60103.826018] Modules linked in: (removed(
[60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G           O 4.14.0-3-amd64 #1 Debian 4.14.17-1
[60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012
[60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000
[60103.826171] RIP: 0010:__memset+0x24/0x30
[60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216
[60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000
[60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc
[60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004
[60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80
[60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900
[60103.826194] FS:  00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000
[60103.826197] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0
[60103.826204] Call Trace:
[60103.826212]  <IRQ>
[60103.826225]  cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm]
[60103.826236]  cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm]
[60103.826246]  usbnet_start_xmit+0x5d/0x710 [usbnet]
[60103.826254]  ? netif_skb_features+0x119/0x250
[60103.826259]  dev_hard_start_xmit+0xa1/0x200
[60103.826267]  sch_direct_xmit+0xf2/0x1b0
[60103.826273]  __dev_queue_xmit+0x5e3/0x7c0
[60103.826280]  ? ip_finish_output2+0x263/0x3c0
[60103.826284]  ip_finish_output2+0x263/0x3c0
[60103.826289]  ? ip_output+0x6c/0xe0
[60103.826293]  ip_output+0x6c/0xe0
[60103.826298]  ? ip_forward_options+0x1a0/0x1a0
[60103.826303]  tcp_transmit_skb+0x516/0x9b0
[60103.826309]  tcp_write_xmit+0x1aa/0xee0
[60103.826313]  ? sch_direct_xmit+0x71/0x1b0
[60103.826318]  tcp_tasklet_func+0x177/0x180
[60103.826325]  tasklet_action+0x5f/0x110
[60103.826332]  __do_softirq+0xde/0x2b3
[60103.826337]  irq_exit+0xae/0xb0
[60103.826342]  do_IRQ+0x81/0xd0
[60103.826347]  common_interrupt+0x98/0x98
[60103.826351]  </IRQ>
[60103.826355] RIP: 0033:0x7f397bdf2282
[60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e
[60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7
[60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0
[60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0
[60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000
[60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83
e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48
ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1
[60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68
[60103.826444] CR2: ffff9641f2004000

Commit e1069bbfcf ("net: cdc_ncm: Reduce memory use when kernel
memory low") made this bug much more likely to trigger by reducing
the NTB size under memory pressure.

Link: https://bugs.debian.org/893393
Reported-by: Горбешко Богдан <bodqhrohro@gmail.com>
Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
Cc: Enrico Mioso <mrkiko.rs@gmail.com>
Fixes: 4a0e3e989d ("cdc_ncm: Add support for moving NDP to end of NCM frame")
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-08 19:50:01 -04:00
..
asix_common.c net: Remove useless function skb_header_release 2017-09-22 20:43:13 -07:00
asix_devices.c net: usb: asix: fill null-ptr-deref in asix_suspend 2017-11-09 09:22:13 +09:00
asix.h asix: Fix small memory leak in ax88772_unbind() 2017-08-07 10:10:19 -07:00
ax88172a.c
ax88179_178a.c Revert "net: usb: asix88179_178a: de-duplicate code" 2018-04-01 14:04:58 -04:00
catc.c net: usb: Convert timers to use timer_setup() 2017-10-18 12:40:26 +01:00
cdc_eem.c net: cdc_eem: clean up bind error path 2018-03-07 15:39:27 -05:00
cdc_ether.c cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN 2018-04-11 10:36:38 -04:00
cdc_mbim.c net: usb: cdc_mbim: add flag FLAG_SEND_ZLP 2018-06-01 14:01:42 -04:00
cdc_ncm.c cdc_ncm: avoid padding beyond end of skb 2018-06-08 19:50:01 -04:00
cdc_subset.c
cdc-phonet.c net: usb: cdc-phonet: constify usb_device_id 2017-08-08 17:47:58 -07:00
ch9200.c
cx82310_eth.c
dm9601.c
gl620a.c networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
hso.c drivers/net: Use octal not symbolic permissions 2018-03-26 12:07:49 -04:00
huawei_cdc_ncm.c cdc_ncm: Set NTB format again after altsetting switch for Huawei devices 2017-07-14 08:15:05 -07:00
int51x1.c net: introduce __skb_put_[zero, data, u8] 2017-06-20 13:30:14 -04:00
ipheth.c usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set 2017-11-19 12:23:57 +09:00
kalmia.c net: kalmia: clean up bind error path 2018-03-07 15:39:27 -05:00
kaweth.c net: usb: kaweth: constify usb_device_id 2017-08-08 17:47:59 -07:00
Kconfig lan78xx: Lan7801 Support for Fixed PHY 2018-04-29 21:41:01 -04:00
lan78xx.c drivers: net: Remove device_node checks with of_mdiobus_register() 2018-05-16 14:20:36 -04:00
lan78xx.h
lg-vl600.c net: drivers/net: Remove unnecessary skb_copy_expand OOM messages 2018-03-15 14:28:03 -04:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mcs7830.c
net1080.c networking: add and use skb_put_u8() 2017-06-16 11:48:40 -04:00
pegasus.c
pegasus.h
plusb.c
qmi_wwan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-06-03 09:31:58 -04:00
r8152.c r8152: fix tx packets accounting 2018-02-26 21:01:53 -05:00
rndis_host.c rndis_host: support Novatel Verizon USB730L 2017-10-03 14:30:46 -07:00
rtl8150.c net: usb: rtl8150: constify usb_device_id 2017-08-08 17:47:59 -07:00
sierra_net.c net: usb: Convert timers to use timer_setup() 2017-10-18 12:40:26 +01:00
smsc75xx.c smsc75xx: fix smsc75xx_set_features() 2018-02-22 14:05:15 -05:00
smsc75xx.h
smsc95xx.c smsc95xx: Configure pause time to 0xffff when tx flow control enabled 2017-09-12 20:36:30 -07:00
smsc95xx.h
sr9700.c
sr9700.h
sr9800.c
sr9800.h
usbnet.c net: usbnet: fix potential deadlock on 32bit hosts 2018-03-07 11:46:39 -05:00
zaurus.c networking: add and use skb_put_u8() 2017-06-16 11:48:40 -04:00