forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/drivers/net
History
Bjørn Mork 9d4c1d93a5 cdc_ncm: avoid padding beyond end of skb 
commit 49c2c3f246 upstream.

Commit 4a0e3e989d ("cdc_ncm: Add support for moving NDP to end
of NCM frame") added logic to reserve space for the NDP at the
end of the NTB/skb.  This reservation did not take the final
alignment of the NDP into account, causing us to reserve too
little space. Additionally the padding prior to NDP addition did
not ensure there was enough space for the NDP.

The NTB/skb with the NDP appended would then exceed the configured
max size. This caused the final padding of the NTB to use a
negative count, padding to almost INT_MAX, and resulting in:

[60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000
[60103.825998] IP: __memset+0x24/0x30
[60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0
[60103.826013] Oops: 0002 [#1] SMP NOPTI
[60103.826018] Modules linked in: (removed(
[60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G           O 4.14.0-3-amd64 #1 Debian 4.14.17-1
[60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012
[60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000
[60103.826171] RIP: 0010:__memset+0x24/0x30
[60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216
[60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000
[60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc
[60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004
[60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80
[60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900
[60103.826194] FS:  00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000
[60103.826197] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0
[60103.826204] Call Trace:
[60103.826212]  <IRQ>
[60103.826225]  cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm]
[60103.826236]  cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm]
[60103.826246]  usbnet_start_xmit+0x5d/0x710 [usbnet]
[60103.826254]  ? netif_skb_features+0x119/0x250
[60103.826259]  dev_hard_start_xmit+0xa1/0x200
[60103.826267]  sch_direct_xmit+0xf2/0x1b0
[60103.826273]  __dev_queue_xmit+0x5e3/0x7c0
[60103.826280]  ? ip_finish_output2+0x263/0x3c0
[60103.826284]  ip_finish_output2+0x263/0x3c0
[60103.826289]  ? ip_output+0x6c/0xe0
[60103.826293]  ip_output+0x6c/0xe0
[60103.826298]  ? ip_forward_options+0x1a0/0x1a0
[60103.826303]  tcp_transmit_skb+0x516/0x9b0
[60103.826309]  tcp_write_xmit+0x1aa/0xee0
[60103.826313]  ? sch_direct_xmit+0x71/0x1b0
[60103.826318]  tcp_tasklet_func+0x177/0x180
[60103.826325]  tasklet_action+0x5f/0x110
[60103.826332]  __do_softirq+0xde/0x2b3
[60103.826337]  irq_exit+0xae/0xb0
[60103.826342]  do_IRQ+0x81/0xd0
[60103.826347]  common_interrupt+0x98/0x98
[60103.826351]  </IRQ>
[60103.826355] RIP: 0033:0x7f397bdf2282
[60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e
[60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7
[60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0
[60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0
[60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000
[60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83
e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48
ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1
[60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68
[60103.826444] CR2: ffff9641f2004000

Commit e1069bbfcf ("net: cdc_ncm: Reduce memory use when kernel
memory low") made this bug much more likely to trigger by reducing
the NTB size under memory pressure.

Link: https://bugs.debian.org/893393
Reported-by: Горбешко Богдан <bodqhrohro@gmail.com>
Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
Cc: Enrico Mioso <mrkiko.rs@gmail.com>
Fixes: 4a0e3e989d ("cdc_ncm: Add support for moving NDP to end of NCM frame")
[ bmork:  tx_curr_size => tx_max and context fixup for v4.12 and older ]
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-07-03 11:21:35 +02:00
..
appletalk net/appletalk: Fix kernel memory disclosure 2017-12-09 18:42:42 +01:00
arcnet
bonding bonding: re-evaluate force_primary when the primary slave name changes 2018-07-03 11:21:25 +02:00
caif
can can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() 2018-05-16 10:06:51 +02:00
cris
dsa net: dsa: bcm_sf2: Ensure we re-negotiate EEE during after link change 2016-12-10 19:07:23 +01:00
ethernet net/sonic: Use dma_mapping_error() 2018-07-03 11:21:24 +02:00
fddi
fjes fjes: Fix wrong netdevice feature flags 2017-12-20 10:04:55 +01:00
hamradio hdlcdrv: Fix divide by zero in hdlcdrv_ioctl 2018-04-13 19:50:14 +02:00
hippi hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close 2018-02-25 11:03:42 +01:00
hyperv hv_netvsc: use skb_get_hash() instead of a homegrown implementation 2017-03-26 12:13:18 +02:00
ieee802154 fakelb: fix schedule while atomic 2017-03-15 09:57:15 +08:00
ipvlan ipvlan: add L2 check for packets arriving via virtual devices 2018-03-22 09:23:30 +01:00
irda irda: fix overly long udelay() 2018-06-06 16:46:21 +02:00
phy net: phy: broadcom: Fix bcm_write_exp() 2018-06-13 16:15:29 +02:00
plip
ppp pppoe: check sockaddr length in pppoe_connect() 2018-04-29 07:50:05 +02:00
slip slip: Check if rstate is initialized before uncompressing 2018-04-24 09:32:04 +02:00
team team: use netdev_features_t instead of u32 2018-06-13 16:15:29 +02:00
usb cdc_ncm: avoid padding beyond end of skb 2018-07-03 11:21:35 +02:00
vmxnet3 vmxnet3: ensure that adapter is in proper state during force_close 2018-04-13 19:50:04 +02:00
wan wan: pc300too: abort path on failure 2018-03-24 10:58:43 +01:00
wimax net: wimax/i2400m: fix NULL-deref at probe 2017-12-20 10:04:54 +01:00
wireless brcmfmac: Fix check for ISO3166 code 2018-06-13 16:15:27 +02:00
xen-netback xen/netback: set default upper limit of tx/rx queues to 8 2017-11-15 17:13:09 +01:00
dummy.c
eql.c
geneve.c geneve: avoid use-after-free of skb->data 2016-12-10 19:07:24 +01:00
ifb.c
Kconfig vmxnet3: prevent building with 64K pages 2018-02-25 11:03:42 +01:00
LICENSE.SRC
loopback.c net: introduce device min_header_len 2017-02-18 16:39:27 +01:00
macvlan.c macvlan: Only deliver one copy of the frame to the macvlan interface 2017-12-20 10:05:01 +01:00
macvtap.c tun/tap: sanitize TUNSETSNDBUF input 2017-11-18 11:11:05 +01:00
Makefile
mdio.c
mii.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c rapidio/rionet: fix deadlock on SMP 2016-04-12 09:08:58 -07:00
sb1000.c
Space.c
sungem_phy.c
tun.c tun: allow positive return values on dev_get_valid_name() call 2017-11-18 11:11:06 +01:00
veth.c veth: set peer GSO values 2018-03-22 09:23:29 +01:00
virtio_net.c virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS 2018-05-30 07:49:11 +02:00
vrf.c vrf: Fix use after free and double free in vrf_finish_output 2018-04-13 19:50:27 +02:00
vxlan.c vxlan: dont migrate permanent fdb entries during learn 2018-04-13 19:50:21 +02:00
xen-netfront.c xen-netfront: Fix race between device setup and open 2018-05-30 07:48:56 +02:00