leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
d1dc7abf2f
linux/net/core
History
Michal Schmidt d1dc7abf2f GRO: fix merging a paged skb after non-paged skbs 
Suppose that several linear skbs of the same flow were received by GRO. They
were thus merged into one skb with a frag_list. Then a new skb of the same flow
arrives, but it is a paged skb with data starting in its frags[].

Before adding the skb to the frag_list skb_gro_receive() will of course adjust
the skb to throw away the headers. It correctly modifies the page_offset and
size of the frag, but it leaves incorrect information in the skb:
 ->data_len is not decreased at all.
 ->len is decreased only by headlen, as if no change were done to the frag.
Later in a receiving process this causes skb_copy_datagram_iovec() to return
-EFAULT and this is seen in userspace as the result of the recv() syscall.

In practice the bug can be reproduced with the sfc driver. By default the
driver uses an adaptive scheme when it switches between using
napi_gro_receive() (with skbs) and napi_gro_frags() (with pages). The bug is
reproduced when under rx load with enough successful GRO merging the driver
decides to switch from the former to the latter.

Manual control is also possible, so reproducing this is easy with netcat:
 - on machine1 (with sfc): nc -l 12345 > /dev/null
 - on machine2: nc machine1 12345 < /dev/zero
 - on machine1:
   echo 1 > /sys/module/sfc/parameters/rx_alloc_method  # use skbs
   echo 2 > /sys/module/sfc/parameters/rx_alloc_method  # use pages
 - See that nc has quit suddenly.

[v2: Modified by Eric Dumazet to avoid advancing skb->data past the end
     and to use a temporary variable.]

Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-01-24 14:27:18 -08:00
..
datagram.c Fix a typo in datagram.c and sctp/socket.c. 2010-12-06 13:10:11 -08:00
dev_addr_lists.c
dev.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2011-01-24 13:17:06 -08:00
drop_monitor.c
dst.c net/dst: dst_dev_event() called after other notifiers 2010-11-09 12:17:16 -08:00
ethtool.c ethtool: Report link-down while interface is down 2010-12-10 15:55:23 -08:00
fib_rules.c Revert "ipv4: Allow configuring subnets as local addresses" 2010-12-23 12:03:57 -08:00
filter.c net: fix kernel-doc warning in core/filter.c 2011-01-09 16:26:51 -08:00
flow.c
gen_estimator.c
gen_stats.c
iovec.c net: Limit socket I/O iovec total length to INT_MAX. 2010-10-28 11:47:52 -07:00
kmap_skb.h
link_watch.c
Makefile
neighbour.c net: kill unused macros 2010-12-19 21:59:35 -08:00
net_namespace.c net_ns: add __rcu annotations 2010-10-25 14:18:27 -07:00
net-sysfs.c net: use NUMA_NO_NODE instead of the magic number -1 2010-12-16 13:16:06 -08:00
net-sysfs.h xps: Add CONFIG_XPS 2010-11-28 18:24:14 -08:00
net-traces.c
netevent.c
netpoll.c Merge branch 'for-2.6.38' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq 2011-01-07 16:58:04 -08:00
pktgen.c pktgen: Remove unnecessary prefix from pr_<level> 2010-12-20 10:30:06 -08:00
request_sock.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-08 13:47:38 -08:00
rtnetlink.c Revert "netlink: test for all flags of the NLM_F_DUMP composite" 2011-01-19 13:34:20 -08:00
scm.c scm: lower SCM_MAX_FD 2010-11-24 11:16:43 -08:00
skbuff.c GRO: fix merging a paged skb after non-paged skbs 2011-01-24 14:27:18 -08:00
sock.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2011-01-13 10:25:58 -08:00
stream.c
sysctl_net_core.c rps: add __rcu annotations 2010-10-25 14:18:27 -07:00
timestamping.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-17 12:27:22 -08:00
user_dma.c
utils.c