| Message ID | b5d31a81-a089-146b-d04f-569710e6b14b@sberdevices.ru (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | fix header length on skb merging | expand |
On Sun, Mar 26, 2023 at 01:08:22AM +0300, Arseniy Krasnov wrote: >This fixes appending newly arrived skbuff to the last skbuff of the >socket's queue. Problem fires when we are trying to append data to skbuff >which was already processed in dequeue callback at least once. Dequeue >callback calls function 'skb_pull()' which changes 'skb->len'. In current >implementation 'skb->len' is used to update length in header of the last >skbuff after new data was copied to it. This is bug, because value in >header is used to calculate 'rx_bytes'/'fwd_cnt' and thus must be not >be changed during skbuff's lifetime. > >Bug starts to fire since: > >commit 077706165717 >("virtio/vsock: don't use skbuff state to account credit") > >It presents before, but didn't triggered due to a little bit buggy >implementation of credit calculation logic. So use Fixes tag for it. > >Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit") >Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru> >--- > net/vmw_vsock/virtio_transport_common.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c >index 7fc178c3ee07..b9144af71553 100644 >--- a/net/vmw_vsock/virtio_transport_common.c >+++ b/net/vmw_vsock/virtio_transport_common.c >@@ -1101,7 +1101,7 @@ virtio_transport_recv_enqueue(struct vsock_sock *vsk, > memcpy(skb_put(last_skb, skb->len), skb->data, skb->len); > free_pkt = true; > last_hdr->flags |= hdr->flags; >- last_hdr->len = cpu_to_le32(last_skb->len); >+ le32_add_cpu(&last_hdr->len, len); > goto out; > } > } >-- >2.25.1 > LGTM! Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 7fc178c3ee07..b9144af71553 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1101,7 +1101,7 @@ virtio_transport_recv_enqueue(struct vsock_sock *vsk, memcpy(skb_put(last_skb, skb->len), skb->data, skb->len); free_pkt = true; last_hdr->flags |= hdr->flags; - last_hdr->len = cpu_to_le32(last_skb->len); + le32_add_cpu(&last_hdr->len, len); goto out; } }
This fixes appending newly arrived skbuff to the last skbuff of the socket's queue. Problem fires when we are trying to append data to skbuff which was already processed in dequeue callback at least once. Dequeue callback calls function 'skb_pull()' which changes 'skb->len'. In current implementation 'skb->len' is used to update length in header of the last skbuff after new data was copied to it. This is bug, because value in header is used to calculate 'rx_bytes'/'fwd_cnt' and thus must be not be changed during skbuff's lifetime. Bug starts to fire since: commit 077706165717 ("virtio/vsock: don't use skbuff state to account credit") It presents before, but didn't triggered due to a little bit buggy implementation of credit calculation logic. So use Fixes tag for it. Fixes: 077706165717 ("virtio/vsock: don't use skbuff state to account credit") Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru> --- net/vmw_vsock/virtio_transport_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)