aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichal Schmidt <mschmidt@redhat.com>2011-01-24 07:08:48 -0500
committerDavid S. Miller <davem@davemloft.net>2011-01-24 17:27:18 -0500
commitd1dc7abf2fafa34b0ffcd070fd59405aa9c0a4d8 (patch)
treec527ec6ca85cae2243d172b28e41369ef0e514ac
parente92427b289d252cfbd4cb5282d92f4ce1a5bb1fb (diff)
GRO: fix merging a paged skb after non-paged skbs
Suppose that several linear skbs of the same flow were received by GRO. They were thus merged into one skb with a frag_list. Then a new skb of the same flow arrives, but it is a paged skb with data starting in its frags[]. Before adding the skb to the frag_list skb_gro_receive() will of course adjust the skb to throw away the headers. It correctly modifies the page_offset and size of the frag, but it leaves incorrect information in the skb: ->data_len is not decreased at all. ->len is decreased only by headlen, as if no change were done to the frag. Later in a receiving process this causes skb_copy_datagram_iovec() to return -EFAULT and this is seen in userspace as the result of the recv() syscall. In practice the bug can be reproduced with the sfc driver. By default the driver uses an adaptive scheme when it switches between using napi_gro_receive() (with skbs) and napi_gro_frags() (with pages). The bug is reproduced when under rx load with enough successful GRO merging the driver decides to switch from the former to the latter. Manual control is also possible, so reproducing this is easy with netcat: - on machine1 (with sfc): nc -l 12345 > /dev/null - on machine2: nc machine1 12345 < /dev/zero - on machine1: echo 1 > /sys/module/sfc/parameters/rx_alloc_method # use skbs echo 2 > /sys/module/sfc/parameters/rx_alloc_method # use pages - See that nc has quit suddenly. [v2: Modified by Eric Dumazet to avoid advancing skb->data past the end and to use a temporary variable.] Signed-off-by: Michal Schmidt <mschmidt@redhat.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/core/skbuff.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index d31bb36ae0dc..7cd1bc86d591 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2744,8 +2744,12 @@ int skb_gro_receive(struct sk_buff **head, struct sk_buff *skb)
2744 2744
2745merge: 2745merge:
2746 if (offset > headlen) { 2746 if (offset > headlen) {
2747 skbinfo->frags[0].page_offset += offset - headlen; 2747 unsigned int eat = offset - headlen;
2748 skbinfo->frags[0].size -= offset - headlen; 2748
2749 skbinfo->frags[0].page_offset += eat;
2750 skbinfo->frags[0].size -= eat;
2751 skb->data_len -= eat;
2752 skb->len -= eat;
2749 offset = headlen; 2753 offset = headlen;
2750 } 2754 }
2751 2755