All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH net 0/2] bonding/team: basic dev->needed_headroom support
@ 2020-09-25 13:38 Eric Dumazet
  2020-09-25 13:38 ` [PATCH net 1/2] bonding: set dev->needed_headroom in bond_setup_by_slave() Eric Dumazet
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Eric Dumazet @ 2020-09-25 13:38 UTC (permalink / raw)
  To: David S . Miller; +Cc: netdev, Eric Dumazet, Eric Dumazet

Both bonding and team drivers support non-ethernet devices,
but missed proper dev->needed_headroom initializations.

syzbot found a crash caused by bonding, I mirrored the fix in team as well.

Eric Dumazet (2):
  bonding: set dev->needed_headroom in bond_setup_by_slave()
  team: set dev->needed_headroom in team_setup_by_port()

 drivers/net/bonding/bond_main.c | 1 +
 drivers/net/team/team.c         | 1 +
 2 files changed, 2 insertions(+)

-- 
2.28.0.681.g6f77f65b4e-goog


^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH net 1/2] bonding: set dev->needed_headroom in bond_setup_by_slave()
  2020-09-25 13:38 [PATCH net 0/2] bonding/team: basic dev->needed_headroom support Eric Dumazet
@ 2020-09-25 13:38 ` Eric Dumazet
  2020-09-25 13:38 ` [PATCH net 2/2] team: set dev->needed_headroom in team_setup_by_port() Eric Dumazet
  2020-09-26  0:06 ` [PATCH net 0/2] bonding/team: basic dev->needed_headroom support David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2020-09-25 13:38 UTC (permalink / raw)
  To: David S . Miller; +Cc: netdev, Eric Dumazet, Eric Dumazet, syzbot

syzbot managed to crash a host by creating a bond
with a GRE device.

For non Ethernet device, bonding calls bond_setup_by_slave()
instead of ether_setup(), and unfortunately dev->needed_headroom
was not copied from the new added member.

[  171.243095] skbuff: skb_under_panic: text:ffffffffa184b9ea len:116 put:20 head:ffff883f84012dc0 data:ffff883f84012dbc tail:0x70 end:0xd00 dev:bond0
[  171.243111] ------------[ cut here ]------------
[  171.243112] kernel BUG at net/core/skbuff.c:112!
[  171.243117] invalid opcode: 0000 [#1] SMP KASAN PTI
[  171.243469] gsmi: Log Shutdown Reason 0x03
[  171.243505] Call Trace:
[  171.243506]  <IRQ>
[  171.243512]  [<ffffffffa171be59>] skb_push+0x49/0x50
[  171.243516]  [<ffffffffa184b9ea>] ipgre_header+0x2a/0xf0
[  171.243520]  [<ffffffffa17452d7>] neigh_connected_output+0xb7/0x100
[  171.243524]  [<ffffffffa186f1d3>] ip6_finish_output2+0x383/0x490
[  171.243528]  [<ffffffffa186ede2>] __ip6_finish_output+0xa2/0x110
[  171.243531]  [<ffffffffa186acbc>] ip6_finish_output+0x2c/0xa0
[  171.243534]  [<ffffffffa186abe9>] ip6_output+0x69/0x110
[  171.243537]  [<ffffffffa186ac90>] ? ip6_output+0x110/0x110
[  171.243541]  [<ffffffffa189d952>] mld_sendpack+0x1b2/0x2d0
[  171.243544]  [<ffffffffa189d290>] ? mld_send_report+0xf0/0xf0
[  171.243548]  [<ffffffffa189c797>] mld_ifc_timer_expire+0x2d7/0x3b0
[  171.243551]  [<ffffffffa189c4c0>] ? mld_gq_timer_expire+0x50/0x50
[  171.243556]  [<ffffffffa0fea270>] call_timer_fn+0x30/0x130
[  171.243559]  [<ffffffffa0fea17c>] expire_timers+0x4c/0x110
[  171.243563]  [<ffffffffa0fea0e3>] __run_timers+0x213/0x260
[  171.243566]  [<ffffffffa0fecb7d>] ? ktime_get+0x3d/0xa0
[  171.243570]  [<ffffffffa0ff9c4e>] ? clockevents_program_event+0x7e/0xe0
[  171.243574]  [<ffffffffa0f7e5d5>] ? sched_clock_cpu+0x15/0x190
[  171.243577]  [<ffffffffa0fe973d>] run_timer_softirq+0x1d/0x40
[  171.243581]  [<ffffffffa1c00152>] __do_softirq+0x152/0x2f0
[  171.243585]  [<ffffffffa0f44e1f>] irq_exit+0x9f/0xb0
[  171.243588]  [<ffffffffa1a02e1d>] smp_apic_timer_interrupt+0xfd/0x1a0
[  171.243591]  [<ffffffffa1a01ea6>] apic_timer_interrupt+0x86/0x90

Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
---
 drivers/net/bonding/bond_main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 42ef25ec0af5b089365c5a0b0378c40c22db1afe..14740d3053b8ad2b0b0fcbe6666a44bca384bb7d 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1315,6 +1315,7 @@ static void bond_setup_by_slave(struct net_device *bond_dev,
 
 	bond_dev->type		    = slave_dev->type;
 	bond_dev->hard_header_len   = slave_dev->hard_header_len;
+	bond_dev->needed_headroom   = slave_dev->needed_headroom;
 	bond_dev->addr_len	    = slave_dev->addr_len;
 
 	memcpy(bond_dev->broadcast, slave_dev->broadcast,
-- 
2.28.0.681.g6f77f65b4e-goog


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH net 2/2] team: set dev->needed_headroom in team_setup_by_port()
  2020-09-25 13:38 [PATCH net 0/2] bonding/team: basic dev->needed_headroom support Eric Dumazet
  2020-09-25 13:38 ` [PATCH net 1/2] bonding: set dev->needed_headroom in bond_setup_by_slave() Eric Dumazet
@ 2020-09-25 13:38 ` Eric Dumazet
  2020-09-26  0:06 ` [PATCH net 0/2] bonding/team: basic dev->needed_headroom support David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2020-09-25 13:38 UTC (permalink / raw)
  To: David S . Miller; +Cc: netdev, Eric Dumazet, Eric Dumazet

Some devices set needed_headroom. If we ignore it, we might
end up crashing in various skb_push() for example in ipgre_header()
since some layers assume enough headroom has been reserved.

Fixes: 1d76efe1577b ("team: add support for non-ethernet devices")
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 drivers/net/team/team.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index 8c1e02752ff61f8752df7b435ced4ef376dbe682..69dfb1a49cc8532004f80c30359b7ab36e9630b8 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -2112,6 +2112,7 @@ static void team_setup_by_port(struct net_device *dev,
 	dev->header_ops	= port_dev->header_ops;
 	dev->type = port_dev->type;
 	dev->hard_header_len = port_dev->hard_header_len;
+	dev->needed_headroom = port_dev->needed_headroom;
 	dev->addr_len = port_dev->addr_len;
 	dev->mtu = port_dev->mtu;
 	memcpy(dev->broadcast, port_dev->broadcast, port_dev->addr_len);
-- 
2.28.0.681.g6f77f65b4e-goog


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH net 0/2] bonding/team: basic dev->needed_headroom support
  2020-09-25 13:38 [PATCH net 0/2] bonding/team: basic dev->needed_headroom support Eric Dumazet
  2020-09-25 13:38 ` [PATCH net 1/2] bonding: set dev->needed_headroom in bond_setup_by_slave() Eric Dumazet
  2020-09-25 13:38 ` [PATCH net 2/2] team: set dev->needed_headroom in team_setup_by_port() Eric Dumazet
@ 2020-09-26  0:06 ` David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2020-09-26  0:06 UTC (permalink / raw)
  To: edumazet; +Cc: netdev, eric.dumazet

From: Eric Dumazet <edumazet@google.com>
Date: Fri, 25 Sep 2020 06:38:06 -0700

> Both bonding and team drivers support non-ethernet devices,
> but missed proper dev->needed_headroom initializations.
> 
> syzbot found a crash caused by bonding, I mirrored the fix in team as well.

Series applied, thanks Eric.

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-09-26  0:06 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-25 13:38 [PATCH net 0/2] bonding/team: basic dev->needed_headroom support Eric Dumazet
2020-09-25 13:38 ` [PATCH net 1/2] bonding: set dev->needed_headroom in bond_setup_by_slave() Eric Dumazet
2020-09-25 13:38 ` [PATCH net 2/2] team: set dev->needed_headroom in team_setup_by_port() Eric Dumazet
2020-09-26  0:06 ` [PATCH net 0/2] bonding/team: basic dev->needed_headroom support David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.