aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Borkmann <dborkman@redhat.com>2014-11-05 14:27:38 -0500
committerDavid S. Miller <davem@davemloft.net>2014-11-05 22:12:30 -0500
commit4c672e4b42bc8046d63a6eb0a2c6a450a501af32 (patch)
treea6f7f031f6c1995c8854775599919eb18fdfecc6
parent1744bea1fa382f67263fdd9fee51d603fddb3da6 (diff)
ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs
It has been reported that generating an MLD listener report on devices with large MTUs (e.g. 9000) and a high number of IPv6 addresses can trigger a skb_over_panic(): skbuff: skb_over_panic: text:ffffffff80612a5d len:3776 put:20 head:ffff88046d751000 data:ffff88046d751010 tail:0xed0 end:0xec0 dev:port1 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:100! invalid opcode: 0000 [#1] SMP Modules linked in: ixgbe(O) CPU: 3 PID: 0 Comm: swapper/3 Tainted: G O 3.14.23+ #4 [...] Call Trace: <IRQ> [<ffffffff80578226>] ? skb_put+0x3a/0x3b [<ffffffff80612a5d>] ? add_grhead+0x45/0x8e [<ffffffff80612e3a>] ? add_grec+0x394/0x3d4 [<ffffffff80613222>] ? mld_ifc_timer_expire+0x195/0x20d [<ffffffff8061308d>] ? mld_dad_timer_expire+0x45/0x45 [<ffffffff80255b5d>] ? call_timer_fn.isra.29+0x12/0x68 [<ffffffff80255d16>] ? run_timer_softirq+0x163/0x182 [<ffffffff80250e6f>] ? __do_softirq+0xe0/0x21d [<ffffffff8025112b>] ? irq_exit+0x4e/0xd3 [<ffffffff802214bb>] ? smp_apic_timer_interrupt+0x3b/0x46 [<ffffffff8063f10a>] ? apic_timer_interrupt+0x6a/0x70 mld_newpack() skb allocations are usually requested with dev->mtu in size, since commit 72e09ad107e7 ("ipv6: avoid high order allocations") we have changed the limit in order to be less likely to fail. However, in MLD/IGMP code, we have some rather ugly AVAILABLE(skb) macros, which determine if we may end up doing an skb_put() for adding another record. To avoid possible fragmentation, we check the skb's tailroom as skb->dev->mtu - skb->len, which is a wrong assumption as the actual max allocation size can be much smaller. The IGMP case doesn't have this issue as commit 57e1ab6eaddc ("igmp: refine skb allocations") stores the allocation size in the cb[]. Set a reserved_tailroom to make it fit into the MTU and use skb_availroom() helper instead. This also allows to get rid of igmp_skb_size(). Reported-by: Wei Liu <lw1a2.jing@gmail.com> Fixes: 72e09ad107e7 ("ipv6: avoid high order allocations") Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Cc: Eric Dumazet <edumazet@google.com> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> Cc: David L Stevens <david.stevens@oracle.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/igmp.c11
-rw-r--r--net/ipv6/mcast.c9
2 files changed, 10 insertions, 10 deletions
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 1e4adae2bde0..666cf364df86 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -318,9 +318,7 @@ igmp_scount(struct ip_mc_list *pmc, int type, int gdeleted, int sdeleted)
318 return scount; 318 return scount;
319} 319}
320 320
321#define igmp_skb_size(skb) (*(unsigned int *)((skb)->cb)) 321static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
322
323static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
324{ 322{
325 struct sk_buff *skb; 323 struct sk_buff *skb;
326 struct rtable *rt; 324 struct rtable *rt;
@@ -330,6 +328,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
330 struct flowi4 fl4; 328 struct flowi4 fl4;
331 int hlen = LL_RESERVED_SPACE(dev); 329 int hlen = LL_RESERVED_SPACE(dev);
332 int tlen = dev->needed_tailroom; 330 int tlen = dev->needed_tailroom;
331 unsigned int size = mtu;
333 332
334 while (1) { 333 while (1) {
335 skb = alloc_skb(size + hlen + tlen, 334 skb = alloc_skb(size + hlen + tlen,
@@ -341,7 +340,6 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
341 return NULL; 340 return NULL;
342 } 341 }
343 skb->priority = TC_PRIO_CONTROL; 342 skb->priority = TC_PRIO_CONTROL;
344 igmp_skb_size(skb) = size;
345 343
346 rt = ip_route_output_ports(net, &fl4, NULL, IGMPV3_ALL_MCR, 0, 344 rt = ip_route_output_ports(net, &fl4, NULL, IGMPV3_ALL_MCR, 0,
347 0, 0, 345 0, 0,
@@ -354,6 +352,8 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
354 skb_dst_set(skb, &rt->dst); 352 skb_dst_set(skb, &rt->dst);
355 skb->dev = dev; 353 skb->dev = dev;
356 354
355 skb->reserved_tailroom = skb_end_offset(skb) -
356 min(mtu, skb_end_offset(skb));
357 skb_reserve(skb, hlen); 357 skb_reserve(skb, hlen);
358 358
359 skb_reset_network_header(skb); 359 skb_reset_network_header(skb);
@@ -423,8 +423,7 @@ static struct sk_buff *add_grhead(struct sk_buff *skb, struct ip_mc_list *pmc,
423 return skb; 423 return skb;
424} 424}
425 425
426#define AVAILABLE(skb) ((skb) ? ((skb)->dev ? igmp_skb_size(skb) - (skb)->len : \ 426#define AVAILABLE(skb) ((skb) ? skb_availroom(skb) : 0)
427 skb_tailroom(skb)) : 0)
428 427
429static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc, 428static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
430 int type, int gdeleted, int sdeleted) 429 int type, int gdeleted, int sdeleted)
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index e04f184b783a..5ce107c8aab3 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1550,7 +1550,7 @@ static void ip6_mc_hdr(struct sock *sk, struct sk_buff *skb,
1550 hdr->daddr = *daddr; 1550 hdr->daddr = *daddr;
1551} 1551}
1552 1552
1553static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size) 1553static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu)
1554{ 1554{
1555 struct net_device *dev = idev->dev; 1555 struct net_device *dev = idev->dev;
1556 struct net *net = dev_net(dev); 1556 struct net *net = dev_net(dev);
@@ -1561,13 +1561,13 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size)
1561 const struct in6_addr *saddr; 1561 const struct in6_addr *saddr;
1562 int hlen = LL_RESERVED_SPACE(dev); 1562 int hlen = LL_RESERVED_SPACE(dev);
1563 int tlen = dev->needed_tailroom; 1563 int tlen = dev->needed_tailroom;
1564 unsigned int size = mtu + hlen + tlen;
1564 int err; 1565 int err;
1565 u8 ra[8] = { IPPROTO_ICMPV6, 0, 1566 u8 ra[8] = { IPPROTO_ICMPV6, 0,
1566 IPV6_TLV_ROUTERALERT, 2, 0, 0, 1567 IPV6_TLV_ROUTERALERT, 2, 0, 0,
1567 IPV6_TLV_PADN, 0 }; 1568 IPV6_TLV_PADN, 0 };
1568 1569
1569 /* we assume size > sizeof(ra) here */ 1570 /* we assume size > sizeof(ra) here */
1570 size += hlen + tlen;
1571 /* limit our allocations to order-0 page */ 1571 /* limit our allocations to order-0 page */
1572 size = min_t(int, size, SKB_MAX_ORDER(0, 0)); 1572 size = min_t(int, size, SKB_MAX_ORDER(0, 0));
1573 skb = sock_alloc_send_skb(sk, size, 1, &err); 1573 skb = sock_alloc_send_skb(sk, size, 1, &err);
@@ -1576,6 +1576,8 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size)
1576 return NULL; 1576 return NULL;
1577 1577
1578 skb->priority = TC_PRIO_CONTROL; 1578 skb->priority = TC_PRIO_CONTROL;
1579 skb->reserved_tailroom = skb_end_offset(skb) -
1580 min(mtu, skb_end_offset(skb));
1579 skb_reserve(skb, hlen); 1581 skb_reserve(skb, hlen);
1580 1582
1581 if (__ipv6_get_lladdr(idev, &addr_buf, IFA_F_TENTATIVE)) { 1583 if (__ipv6_get_lladdr(idev, &addr_buf, IFA_F_TENTATIVE)) {
@@ -1690,8 +1692,7 @@ static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc,
1690 return skb; 1692 return skb;
1691} 1693}
1692 1694
1693#define AVAILABLE(skb) ((skb) ? ((skb)->dev ? (skb)->dev->mtu - (skb)->len : \ 1695#define AVAILABLE(skb) ((skb) ? skb_availroom(skb) : 0)
1694 skb_tailroom(skb)) : 0)
1695 1696
1696static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, 1697static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
1697 int type, int gdeleted, int sdeleted, int crsend) 1698 int type, int gdeleted, int sdeleted, int crsend)