[net-next] net: add missing check for TCP fraglist GRO

Message ID	20240507094114.67716-1-nbd@nbd.name (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Received: from nbd.name (nbd.name [46.4.11.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 75FFA14EC62; Tue, 7 May 2024 09:41:30 +0000 (UTC) From: Felix Fietkau <nbd@nbd.name> To: netdev@vger.kernel.org, Eric Dumazet <edumazet@google.com>, "David S. Miller" <davem@davemloft.net>, David Ahern <dsahern@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Willem de Bruijn <willemb@google.com> Cc: linux-kernel@vger.kernel.org Subject: [PATCH net-next] net: add missing check for TCP fraglist GRO Date: Tue, 7 May 2024 11:41:13 +0200 Message-ID: <20240507094114.67716-1-nbd@nbd.name> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[net-next] net: add missing check for TCP fraglist GRO \| expand [net-next] net: add missing check for TCP fraglist GRO

Context	Check	Description
netdev/series_format	success	Single patches do not need cover letters
netdev/tree_selection	success	Clearly marked for net-next
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 932 this patch: 932
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	success	CCed 7 of 7 maintainers
netdev/build_clang	success	Errors and warnings before: 938 this patch: 938
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 943 this patch: 943
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 7 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/contest	fail	net-next-2024-05-07--12-00 (tests: 667)

Felix Fietkau May 7, 2024, 9:41 a.m. UTC

It turns out that the existing checks do not guarantee that the skb can be
pulled up to the GRO offset. When using the usb r8152 network driver with
GRO fraglist, the BUG() in __skb_pull is often triggered.
Fix the crash by adding the missing check.

Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 net/ipv4/tcp_offload.c | 1 +
 1 file changed, 1 insertion(+)

Suman Ghosh May 7, 2024, 11:33 a.m. UTC | #1

>----------------------------------------------------------------------
>It turns out that the existing checks do not guarantee that the skb can be
>pulled up to the GRO offset. When using the usb r8152 network driver with
>GRO fraglist, the BUG() in __skb_pull is often triggered.
>Fix the crash by adding the missing check.
>
>Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")
[Suman] Since this is a fix, this should be pushed to "net".
>Signed-off-by: Felix Fietkau <nbd@nbd.name>
>---
> net/ipv4/tcp_offload.c | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c index
>c90704befd7b..a71d2e623f0c 100644
>--- a/net/ipv4/tcp_offload.c
>+++ b/net/ipv4/tcp_offload.c
>@@ -353,6 +353,7 @@ struct sk_buff *tcp_gro_receive(struct list_head *head,
>struct sk_buff *skb,
> 		flush |= (__force int)(flags ^ tcp_flag_word(th2));
> 		flush |= skb->ip_summed != p->ip_summed;
> 		flush |= skb->csum_level != p->csum_level;
>+		flush |= !pskb_may_pull(skb, skb_gro_offset(skb));
> 		flush |= NAPI_GRO_CB(p)->count >= 64;
>
> 		if (flush || skb_gro_receive_list(p, skb))
>--
>2.44.0
>

Felix Fietkau May 7, 2024, 11:43 a.m. UTC | #2

On 07.05.24 13:33, Suman Ghosh wrote:
>>----------------------------------------------------------------------
>>It turns out that the existing checks do not guarantee that the skb can be
>>pulled up to the GRO offset. When using the usb r8152 network driver with
>>GRO fraglist, the BUG() in __skb_pull is often triggered.
>>Fix the crash by adding the missing check.
>>
>>Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")
> [Suman] Since this is a fix, this should be pushed to "net".

No, it is fixing a commit that was just pulled into -next.

- Felix

Willem de Bruijn May 7, 2024, 11:51 a.m. UTC | #3

Suman Ghosh wrote:
> >----------------------------------------------------------------------
> >It turns out that the existing checks do not guarantee that the skb can be
> >pulled up to the GRO offset. When using the usb r8152 network driver with
> >GRO fraglist, the BUG() in __skb_pull is often triggered.
> >Fix the crash by adding the missing check.
> >
> >Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")

> [Suman] Since this is a fix, this should be pushed to "net".

The referenced patch has only landed in net-next yet.

> >Signed-off-by: Felix Fietkau <nbd@nbd.name>

Reviewed-by: Willem de Bruijn <willemb@google.com>

> >---
> > net/ipv4/tcp_offload.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> >diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c index
> >c90704befd7b..a71d2e623f0c 100644
> >--- a/net/ipv4/tcp_offload.c
> >+++ b/net/ipv4/tcp_offload.c
> >@@ -353,6 +353,7 @@ struct sk_buff *tcp_gro_receive(struct list_head *head,
> >struct sk_buff *skb,
> > 		flush |= (__force int)(flags ^ tcp_flag_word(th2));
> > 		flush |= skb->ip_summed != p->ip_summed;
> > 		flush |= skb->csum_level != p->csum_level;
> >+		flush |= !pskb_may_pull(skb, skb_gro_offset(skb));
> > 		flush |= NAPI_GRO_CB(p)->count >= 64;

The same check already exists in udp_gro_receive, which has for longer
been calling skb_gro_receive_list:

       if (!pskb_may_pull(skb, skb_gro_offset(skb))) {
               NAPI_GRO_CB(skb)->flush = 1;
               return NULL;
       }
 
Alternatively it would make sense to deduplicate the check and move it
to skb_gro_receive_list itself, before

        skb_pull(skb, skb_gro_offset(skb));

Suman Ghosh May 7, 2024, 11:57 a.m. UTC | #4

> [Suman] Since this is a fix, this should be pushed to "net".
>
>No, it is fixing a commit that was just pulled into -next.
>
>- Felix
[Suman] Got it. Thank you.

Eric Dumazet May 7, 2024, 12:08 p.m. UTC | #5

On Tue, May 7, 2024 at 11:41 AM Felix Fietkau <nbd@nbd.name> wrote:
>
> It turns out that the existing checks do not guarantee that the skb can be
> pulled up to the GRO offset. When using the usb r8152 network driver with
> GRO fraglist, the BUG() in __skb_pull is often triggered.

Why is it crashing ? I would expect tcp_gro_pull_header() to perform this early.

Please include a stack trace.

> Fix the crash by adding the missing check.
>
> Fixes: 8d95dc474f85 ("net: add code for TCP fraglist GRO")
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
> ---
>  net/ipv4/tcp_offload.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c
> index c90704befd7b..a71d2e623f0c 100644
> --- a/net/ipv4/tcp_offload.c
> +++ b/net/ipv4/tcp_offload.c
> @@ -353,6 +353,7 @@ struct sk_buff *tcp_gro_receive(struct list_head *head, struct sk_buff *skb,
>                 flush |= (__force int)(flags ^ tcp_flag_word(th2));
>                 flush |= skb->ip_summed != p->ip_summed;
>                 flush |= skb->csum_level != p->csum_level;
> +               flush |= !pskb_may_pull(skb, skb_gro_offset(skb));
>                 flush |= NAPI_GRO_CB(p)->count >= 64;
>
>                 if (flush || skb_gro_receive_list(p, skb))
> --
> 2.44.0
>

[net-next] net: add missing check for TCP fraglist GRO

Checks

Commit Message

Comments

Patch