Re: net: BUG in __skb_gso_segment

From: Eric Dumazet
Date: Mon Feb 13 2017 - 16:56:11 EST


On Mon, Feb 13, 2017 at 11:54 AM, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> A reproducer and .config are attached.
>
> On commit 926af6273fc683cd98cd0ce7bf0d04a02eed6742.
>
> kernel BUG at ./include/linux/skbuff.h:1942!
> invalid opcode: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 5922 Comm: syz-executor5 Not tainted 4.10.0-rc7+ #127
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff88003ba72dc0 task.stack: ffff880033ed0000
> RIP: 0010:__skb_pull include/linux/skbuff.h:1942 [inline]
> RIP: 0010:skb_mac_gso_segment+0x5ae/0x690 net/core/dev.c:2634
> RSP: 0018:ffff880033ed6c48 EFLAGS: 00010216
> RAX: 0000000000010000 RBX: 000000000000113e RCX: ffffc90003f74000
> RDX: 0000000000000223 RSI: ffffffff833cfbfe RDI: ffff88003e305244
> RBP: ffff880033ed6d98 R08: 0000000000000000 R09: 0000000000000000
> R10: c66e14bf8d4328e9 R11: 0000000000000000 R12: 000000000000000e
> R13: ffff88003e3051c0 R14: ffff880033ed6d70 R15: 0000000000000000
> FS: 00007faa035db700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000203dd000 CR3: 000000003c165000 CR4: 00000000000006e0
> Call Trace:
> __skb_gso_segment+0x3d2/0x780 net/core/dev.c:2710
> skb_gso_segment include/linux/netdevice.h:3914 [inline]
> validate_xmit_skb+0x5c9/0xc20 net/core/dev.c:2944
> __dev_queue_xmit+0x102e/0x2860 net/core/dev.c:3364
> dev_queue_xmit+0x17/0x20 net/core/dev.c:3405
> packet_snd net/packet/af_packet.c:2872 [inline]
> packet_sendmsg+0x40bc/0x58b0 net/packet/af_packet.c:2897
> sock_sendmsg_nosec net/socket.c:635 [inline]
> sock_sendmsg+0xca/0x110 net/socket.c:645
> ___sys_sendmsg+0x4a3/0xae0 net/socket.c:1985
> __sys_sendmmsg+0x25c/0x750 net/socket.c:2075
> SYSC_sendmmsg net/socket.c:2106 [inline]
> SyS_sendmmsg+0x35/0x60 net/socket.c:2101
> entry_SYSCALL_64_fastpath+0x1f/0xc2
> RIP: 0033:0x4458b9
> RSP: 002b:00007faa035dab58 EFLAGS: 00000292 ORIG_RAX: 0000000000000133
> RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 00000000004458b9
> RDX: 0000000000000001 RSI: 0000000020bc7fc8 RDI: 0000000000000016
> RBP: 00000000006e1ad0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000708000
> R13: 0000000020fcc000 R14: 0000000000001000 R15: 0000000000000003
> Code: 00 00 48 c7 c7 00 4b 23 85 c6 05 b6 6f b2 02 01 e8 58 7a 04 fe
> e9 ae fc ff ff 48 c7 c3 ea ff ff ff e9 dc fe ff ff e8 82 f0 1d fe <0f>
> 0b 48 8b bd e0 fe ff ff e8 a4 30 48 fe e9 ef fd ff ff e8 9a
> RIP: __skb_pull include/linux/skbuff.h:1942 [inline] RSP: ffff880033ed6c48
> RIP: skb_mac_gso_segment+0x5ae/0x690 net/core/dev.c:2634 RSP: ffff880033ed6c48
> ---[ end trace 2214c8475331c97c ]---
> Kernel panic - not syncing: Fatal exception in interrupt
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

Hi Andrey.

926af6273fc683cd98cd0ce7bf0d04a02eed6 is quite old ;)

Probably already fixed?

commit 57031eb794906eea4e1c7b31dc1e2429c0af0c66
Author: Willem de Bruijn <willemb@xxxxxxxxxx>
Date: Tue Feb 7 15:57:21 2017 -0500

packet: round up linear to header len

Link layer protocols may unconditionally pull headers, as Ethernet
does in eth_type_trans. Ensure that the entire link layer header
always lies in the skb linear segment. tpacket_snd has such a check.
Extend this to packet_snd.

Variable length link layer headers complicate the computation
somewhat. Here skb->len may be smaller than dev->hard_header_len.

Round up the linear length to be at least as long as the smallest of
the two.

Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Signed-off-by: Willem de Bruijn <willemb@xxxxxxxxxx>
Acked-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>

commit 217e6fa24ce28ec87fca8da93c9016cb78028612
Author: Willem de Bruijn <willemb@xxxxxxxxxx>
Date: Tue Feb 7 15:57:20 2017 -0500

net: introduce device min_header_len

The stack must not pass packets to device drivers that are shorter
than the minimum link layer header length.

Previously, packet sockets would drop packets smaller than or equal
to dev->hard_header_len, but this has false positives. Zero length
payload is used over Ethernet. Other link layer protocols support
variable length headers. Support for validation of these protocols
removed the min length check for all protocols.

Introduce an explicit dev->min_header_len parameter and drop all
packets below this value. Initially, set it to non-zero only for
Ethernet and loopback. Other protocols can follow in a patch to
net-next.

Fixes: 9ed988cd5915 ("packet: validate variable length ll headers")
Reported-by: Sowmini Varadhan <sowmini.varadhan@xxxxxxxxxx>
Signed-off-by: Willem de Bruijn <willemb@xxxxxxxxxx>
Acked-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Acked-by: Sowmini Varadhan <sowmini.varadhan@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
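The two commits quoted above describe the defect in words: a packet socket could hand the GSO path an skb whose linear area was shorter than the link-layer header, and `__skb_pull()` then trips the BUG_ON at skbuff.h:1942 when `skb_mac_gso_segment()` pulls `hard_header_len` bytes. The following is an added user-space model of that check and of the two fixes, written for this page and not taken from the kernel or from the thread; `struct model_dev`, `struct model_skb` and every `model_*` function are constructed stand-ins for the kernel fields with the same names, and the 1500-byte send with a requested linear size of 0 is an assumed trigger, not the reproducer attached to the report.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the fields discussed in this thread; not kernel code. */
struct model_dev {
    unsigned int hard_header_len;   /* link-layer header the driver expects (ETH_HLEN == 14) */
    unsigned int min_header_len;    /* smallest valid frame (commit 217e6fa2: ETH_HLEN on Ethernet) */
};

struct model_skb {
    unsigned int len;       /* total bytes in the skb */
    unsigned int data_len;  /* bytes held in paged fragments, outside the linear area */
};

static const struct model_dev model_eth = { 14, 14 };

/* skb_headlen(): bytes that live in the linear area. */
static unsigned int model_headlen(const struct model_skb *skb)
{
    return skb->len - skb->data_len;
}

/* __skb_pull() does skb->len -= delta and then BUG_ON(skb->len < skb->data_len); that is
 * the assertion at skbuff.h:1942 in the trace. It fires whenever the pull reaches past the
 * linear area. The model reports the condition instead of crashing. */
static bool model_pull_would_bug(const struct model_skb *skb, unsigned int delta)
{
    return delta > model_headlen(skb);
}

/* Sizing before the fix: the linear area is whatever the sender asked for (for GSO sends,
 * virtio_net_hdr.hdr_len), which may be zero. Assumed behaviour, modelled for illustration. */
static unsigned int model_linear_before(const struct model_dev *dev,
                                        unsigned int len, unsigned int requested)
{
    (void)dev;
    return requested > len ? len : requested;
}

/* Sizing after 57031eb7 ("round up linear to header len"): the linear area is at least
 * min(len, dev->hard_header_len), so the whole link-layer header can be pulled. */
static unsigned int model_linear_after(const struct model_dev *dev,
                                       unsigned int len, unsigned int requested)
{
    unsigned int hdr = len < dev->hard_header_len ? len : dev->hard_header_len;
    unsigned int linear = requested > hdr ? requested : hdr;
    return linear > len ? len : linear;
}

/* Check from 217e6fa2 ("introduce device min_header_len"): frames shorter than
 * dev->min_header_len are refused before an skb is built. Returns true if accepted. */
static bool model_min_header_ok(const struct model_dev *dev, unsigned int len)
{
    return len >= dev->min_header_len;
}

/* Build the skb a packet socket send would produce, then attempt the header pull the GSO
 * path performs (skb->mac_len == hard_header_len on Ethernet). True means the BUG would fire. */
static bool model_send_hits_bug(const struct model_dev *dev, unsigned int len,
                                unsigned int requested, bool fixed)
{
    struct model_skb skb;
    unsigned int linear = fixed ? model_linear_after(dev, len, requested)
                                : model_linear_before(dev, len, requested);
    skb.len = len;
    skb.data_len = len - linear;
    return model_pull_would_bug(&skb, dev->hard_header_len);
}

int main(void)
{
    /* Constructed scenario: a 1500-byte GSO send whose header claims a linear size of 0. */
    printf("before fix, 1500-byte frame, linear 0: bug=%d\n",
           model_send_hits_bug(&model_eth, 1500, 0, false));
    printf("after  fix, 1500-byte frame, linear 0: bug=%d\n",
           model_send_hits_bug(&model_eth, 1500, 0, true));
    /* An 8-byte frame is shorter than the Ethernet header and is now refused outright. */
    printf("8-byte frame accepted: %d\n", model_min_header_ok(&model_eth, 8));
    /* A bare 14-byte Ethernet header with zero payload stays legal, as the commit notes. */
    printf("14-byte frame accepted: %d\n", model_min_header_ok(&model_eth, 14));
    return 0;
}
```

The model keeps the two fixes separate on purpose: `model_min_header_ok` rejects frames that cannot carry a full header at all, while `model_linear_after` only changes where the bytes of an otherwise valid frame are placed, which is the property `__skb_pull()` depends on.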