| Message ID | 20241022085759.1328477-1-wangliang74@huawei.com (mailing list archive) |
|---|---|
| State | New |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] net: fix crash when config small gso_max_size/gso_ipv4_max_size | expand |
On Tue, Oct 22, 2024 at 10:40 AM Wang Liang <wangliang74@huawei.com> wrote: > > Config a small gso_max_size/gso_ipv4_max_size can lead to large skb len, > which may trigger a BUG_ON crash. > > If the gso_max_size/gso_ipv4_max_size is smaller than MAX_TCP_HEADER + 1, > the sk->sk_gso_max_size is overflowed: > sk_setup_caps > // dst->dev->gso_ipv4_max_size = 252, MAX_TCP_HEADER = 320 > // GSO_LEGACY_MAX_SIZE = 65536, sk_is_tcp(sk) = 1 > sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dst); > max_size = dst->dev->gso_ipv4_max_size; > sk->sk_gso_max_size = max_size - (MAX_TCP_HEADER + 1); > sk->sk_gso_max_size = 252-(320+1) = -69 > > When send tcp msg, the wrong sk_gso_max_size can lead to a very large > size_goal, which cause large skb length: > tcp_sendmsg_locked > tcp_send_mss(sk, &size_goal, flags); > tcp_xmit_size_goal(sk, mss_now, !(flags & MSG_OOB)); > > // tp->max_window = 65536, TCP_MSS_DEFAULT = 536 > new_size_goal = tcp_bound_to_half_wnd(tp, sk->sk_gso_max_size); > new_size_goal = sk->sk_gso_max_size = -69 > > // tp->gso_segs = 0, mss_now = 32768 > size_goal = tp->gso_segs * mss_now; > size_goal = 0*32768 = 0 > > // sk->sk_gso_max_segs = 65535, new_size_goal = -69 > new_size_goal < size_goal: > tp->gso_segs = min_t(u16, new_size_goal / mss_now, > sk->sk_gso_max_segs); > // new_size_goal / mss_now = 0x1FFFF -> 65535 > // tp->gso_segs = 65535 > size_goal = tp->gso_segs * mss_now; > size_goal = 65535*32768 = 2147450880 > > if new_segment: > skb = tcp_stream_alloc_skb() > copy = size_goal; // copy = 2147450880 > if (copy > msg_data_left(msg)) // msg_data_left(msg) = 2147479552 > copy = msg_data_left(msg); // copy = 2147450880 > copy = min_t(int, copy, pfrag->size - pfrag->offset); // copy = 21360 > skb_copy_to_page_nocache > skb_len_add > skb->len += copy; // skb->len add to 524288 > I find this explanation way too long. No one will bother to double check your claims. I would simply point out that an underflow in sk_dst_gso_max_size() leads to a crash, because sk->sk_gso_max_size would be much bigger than device limits. > The large skb length may load to a overflowed tso_segs, which can trigger > a BUG_ON crash: > tcp_write_xmit > tso_segs = tcp_init_tso_segs(skb, mss_now); > tcp_set_skb_tso_segs > tcp_skb_pcount_set > // skb->len = 524288, mss_now = 8 > // u16 tso_segs = 524288/8 = 65535 -> 0 > tso_segs = DIV_ROUND_UP(skb->len, mss_now) > BUG_ON(!tso_segs) > > To solve this issue, the minimum value of gso_max_size/gso_ipv4_max_size > should be checked. > > Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation") > Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device") > Signed-off-by: Wang Liang <wangliang74@huawei.com> > --- > net/core/rtnetlink.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c > index e30e7ea0207d..a0df1da5a0a6 100644 > --- a/net/core/rtnetlink.c > +++ b/net/core/rtnetlink.c > @@ -2466,6 +2466,12 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[], > return -EINVAL; > } > > + if (tb[IFLA_GSO_MAX_SIZE] && > + (nla_get_u32(tb[IFLA_GSO_MAX_SIZE]) < MAX_TCP_HEADER + 1)) { > + NL_SET_ERR_MSG(extack, "too small gso_max_size"); > + return -EINVAL; > + } Modern way would be to change ifla_policy[] : This is where we put such limits. Look for NLA_POLICY_MIN() uses in the tree. > + > if (tb[IFLA_GSO_MAX_SEGS] && > (nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > GSO_MAX_SEGS || > nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > dev->tso_max_segs)) { > @@ -2485,6 +2491,12 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[], > return -EINVAL; > } > > + if (tb[IFLA_GSO_IPV4_MAX_SIZE] && > + (nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]) < MAX_TCP_HEADER + 1)) { > + NL_SET_ERR_MSG(extack, "too small gso_ipv4_max_size"); > + return -EINVAL; > + } Same here. > + > if (tb[IFLA_GRO_IPV4_MAX_SIZE] && > nla_get_u32(tb[IFLA_GRO_IPV4_MAX_SIZE]) > GRO_MAX_SIZE) { > NL_SET_ERR_MSG(extack, "too big gro_ipv4_max_size"); > -- > 2.34.1 >
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index e30e7ea0207d..a0df1da5a0a6 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -2466,6 +2466,12 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[], return -EINVAL; } + if (tb[IFLA_GSO_MAX_SIZE] && + (nla_get_u32(tb[IFLA_GSO_MAX_SIZE]) < MAX_TCP_HEADER + 1)) { + NL_SET_ERR_MSG(extack, "too small gso_max_size"); + return -EINVAL; + } + if (tb[IFLA_GSO_MAX_SEGS] && (nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > GSO_MAX_SEGS || nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > dev->tso_max_segs)) { @@ -2485,6 +2491,12 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[], return -EINVAL; } + if (tb[IFLA_GSO_IPV4_MAX_SIZE] && + (nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]) < MAX_TCP_HEADER + 1)) { + NL_SET_ERR_MSG(extack, "too small gso_ipv4_max_size"); + return -EINVAL; + } + if (tb[IFLA_GRO_IPV4_MAX_SIZE] && nla_get_u32(tb[IFLA_GRO_IPV4_MAX_SIZE]) > GRO_MAX_SIZE) { NL_SET_ERR_MSG(extack, "too big gro_ipv4_max_size");
Config a small gso_max_size/gso_ipv4_max_size can lead to large skb len, which may trigger a BUG_ON crash. If the gso_max_size/gso_ipv4_max_size is smaller than MAX_TCP_HEADER + 1, the sk->sk_gso_max_size is overflowed: sk_setup_caps // dst->dev->gso_ipv4_max_size = 252, MAX_TCP_HEADER = 320 // GSO_LEGACY_MAX_SIZE = 65536, sk_is_tcp(sk) = 1 sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dst); max_size = dst->dev->gso_ipv4_max_size; sk->sk_gso_max_size = max_size - (MAX_TCP_HEADER + 1); sk->sk_gso_max_size = 252-(320+1) = -69 When send tcp msg, the wrong sk_gso_max_size can lead to a very large size_goal, which cause large skb length: tcp_sendmsg_locked tcp_send_mss(sk, &size_goal, flags); tcp_xmit_size_goal(sk, mss_now, !(flags & MSG_OOB)); // tp->max_window = 65536, TCP_MSS_DEFAULT = 536 new_size_goal = tcp_bound_to_half_wnd(tp, sk->sk_gso_max_size); new_size_goal = sk->sk_gso_max_size = -69 // tp->gso_segs = 0, mss_now = 32768 size_goal = tp->gso_segs * mss_now; size_goal = 0*32768 = 0 // sk->sk_gso_max_segs = 65535, new_size_goal = -69 new_size_goal < size_goal: tp->gso_segs = min_t(u16, new_size_goal / mss_now, sk->sk_gso_max_segs); // new_size_goal / mss_now = 0x1FFFF -> 65535 // tp->gso_segs = 65535 size_goal = tp->gso_segs * mss_now; size_goal = 65535*32768 = 2147450880 if new_segment: skb = tcp_stream_alloc_skb() copy = size_goal; // copy = 2147450880 if (copy > msg_data_left(msg)) // msg_data_left(msg) = 2147479552 copy = msg_data_left(msg); // copy = 2147450880 copy = min_t(int, copy, pfrag->size - pfrag->offset); // copy = 21360 skb_copy_to_page_nocache skb_len_add skb->len += copy; // skb->len add to 524288 The large skb length may load to a overflowed tso_segs, which can trigger a BUG_ON crash: tcp_write_xmit tso_segs = tcp_init_tso_segs(skb, mss_now); tcp_set_skb_tso_segs tcp_skb_pcount_set // skb->len = 524288, mss_now = 8 // u16 tso_segs = 524288/8 = 65535 -> 0 tso_segs = DIV_ROUND_UP(skb->len, mss_now) BUG_ON(!tso_segs) To solve this issue, the minimum value of gso_max_size/gso_ipv4_max_size should be checked. Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation") Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device") Signed-off-by: Wang Liang <wangliang74@huawei.com> --- net/core/rtnetlink.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)