linux-wireless.vger.kernel.org archive mirror
* [PATCH v2] brcmfmac: Don't grow SKB by negative size
@ 2017-07-26  8:49 Daniel Stone
  2017-07-26  9:32 ` Arend van Spriel
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Daniel Stone @ 2017-07-26  8:49 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list.pdl, brcm80211-dev-list, Arend Van Spriel,
	James Hughes, Hante Meuleman, Pieter-Paul Giesberts, Franky Lin

The commit to rework the headroom check in start_xmit() now calls
pskb_expand_head() unconditionally if the header is CoW. Unfortunately,
it does so with the delta between the extant headroom and the header
length, which may be negative if there is already sufficient headroom.

pskb_expand_head() does allow for size being 0, in which case it just
copies, so clamp the header delta to zero.

Opening Chrome (and all my tabs) on a PCIE device was enough to reliably
hit this.

Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()")
Signed-off-by: Daniel Stone <daniels@collabora.com>
Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
Cc: James Hughes <james.hughes@raspberrypi.org>
Cc: Hante Meuleman <hante.meuleman@broadcom.com>
Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Cc: Franky Lin <franky.lin@broadcom.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 1 +
 1 file changed, 1 insertion(+)

Really sorry, I forgot to re-run format-patch after fixing the initial
patch. I've run out of coffee. :(

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
index 2153e8062b4c..42dbd5a8c220 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -215,6 +215,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
 	/* Make sure there's enough writeable headroom */
 	if (skb_headroom(skb) < drvr->hdrlen || skb_header_cloned(skb)) {
 		head_delta = drvr->hdrlen - skb_headroom(skb);
+		head_delta = max(head_delta, 0);
 
 		brcmf_dbg(INFO, "%s: insufficient headroom (%d)\n",
 			  brcmf_ifname(ifp), head_delta);
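Review bot: The clamp on the added `head_delta = max(head_delta, 0);` line only takes effect if head_delta is a signed type, and its declaration is outside this hunk; the `%d` in the brcmf_dbg() call suggests int, but nothing here confirms it. If either operand of `drvr->hdrlen - skb_headroom(skb)` is unsigned, the negative value exists only after the assignment on the preceding line, so it would be clearer to fold the two statements into one with the signed type spelled out, keeping the conversion and the clamp together.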
-- 
2.13.2


* Re: [PATCH v2] brcmfmac: Don't grow SKB by negative size
  2017-07-26  8:49 [PATCH v2] brcmfmac: Don't grow SKB by negative size Daniel Stone
@ 2017-07-26  9:32 ` Arend van Spriel
  2017-07-26 11:03 ` [PATCH for-4.13 V3] " Daniel Stone
  2017-07-26 11:24 ` [PATCH for-v4.13 V4] " Daniel Stone
  2 siblings, 0 replies; 8+ messages in thread
From: Arend van Spriel @ 2017-07-26  9:32 UTC (permalink / raw)
  To: Daniel Stone
  Cc: linux-wireless, brcm80211-dev-list.pdl, brcm80211-dev-list,
	James Hughes, Hante Meuleman, Pieter-Paul Giesberts, Franky Lin

On 7/26/2017 10:49 AM, Daniel Stone wrote:
> The commit to rework the headroom check in start_xmit() now calls
> pskb_expand_head() unconditionally if the header is CoW. Unfortunately,
> it does so with the delta between the extant headroom and the header
> length, which may be negative if there is already sufficient headroom.
>
> pskb_expand_head() does allow for size being 0, in which case it just
> copies, so clamp the header delta to zero.
>
> Opening Chrome (and all my tabs) on a PCIE device was enough to reliably
> hit this.
>
> Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()")
> Signed-off-by: Daniel Stone <daniels@collabora.com>
> Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
> Cc: James Hughes <james.hughes@raspberrypi.org>
> Cc: Hante Meuleman <hante.meuleman@broadcom.com>
> Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
> Cc: Franky Lin <franky.lin@broadcom.com>
> ---
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 1 +
>   1 file changed, 1 insertion(+)
>
> Really sorry, I forgot to re-run format-patch after fixing the initial
> patch. I've run out of coffee. :(

Sufficient coffee over here so I have no excuse. You are obviously 
right. Please tag this patch for 4.13, i.e.:

[PATCH for-4.13 V3] brcmfmac: ....

> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> index 2153e8062b4c..42dbd5a8c220 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> @@ -215,6 +215,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
>   	/* Make sure there's enough writeable headroom */
>   	if (skb_headroom(skb) < drvr->hdrlen || skb_header_cloned(skb)) {
>   		head_delta = drvr->hdrlen - skb_headroom(skb);
> +		head_delta = max(head_delta, 0);

minor nit, but can you make it:
-  		head_delta = drvr->hdrlen - skb_headroom(skb);
+		head_delta = max(drvr->hdrlen - skb_headroom(skb), 0);

Regards,
Arend


* [PATCH for-4.13 V3] brcmfmac: Don't grow SKB by negative size
  2017-07-26  8:49 [PATCH v2] brcmfmac: Don't grow SKB by negative size Daniel Stone
  2017-07-26  9:32 ` Arend van Spriel
@ 2017-07-26 11:03 ` Daniel Stone
  2017-07-26 11:15   ` Arend van Spriel
  2017-07-26 11:24 ` [PATCH for-v4.13 V4] " Daniel Stone
  2 siblings, 1 reply; 8+ messages in thread
From: Daniel Stone @ 2017-07-26 11:03 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list.pdl, brcm80211-dev-list, Arend Van Spriel,
	James Hughes, Hante Meuleman, Pieter-Paul Giesberts, Franky Lin

The commit to rework the headroom check in start_xmit() now calls
pskb_expand_head() unconditionally if the header is CoW. Unfortunately,
it does so with the delta between the extant headroom and the header
length, which may be negative if there is already sufficient headroom.

pskb_expand_head() does allow for size being 0, in which case it just
copies, so clamp the header delta to zero.

Opening Chrome (and all my tabs) on a PCIE device was enough to reliably
hit this.

Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()")
Signed-off-by: Daniel Stone <daniels@collabora.com>
Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
Cc: James Hughes <james.hughes@raspberrypi.org>
Cc: Hante Meuleman <hante.meuleman@broadcom.com>
Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Cc: Franky Lin <franky.lin@broadcom.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

v2: Correct thinko.
v3: Bring assignment on to one line.

Thanks for the quick response Arend. It's not quite as simple as the
form you suggested, since both hdrlen and skb_headroom() are unsigned,
so it needs an explicit cast to signed, which was previously
implicit from the head_delta lvalue.

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
index 2153e8062b4c..0b7db8798214 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -214,7 +214,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
 
 	/* Make sure there's enough writeable headroom */
 	if (skb_headroom(skb) < drvr->hdrlen || skb_header_cloned(skb)) {
-		head_delta = drvr->hdrlen - skb_headroom(skb);
+		head_delta = max((int) (drvr->hdrlen - skb_headroom(skb)), 0);
 
 		brcmf_dbg(INFO, "%s: insufficient headroom (%d)\n",
 			  brcmf_ifname(ifp), head_delta);
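Review bot: In the replacement line, `(int) (drvr->hdrlen - skb_headroom(skb))` casts the result of a subtraction that, per the note above the diff, is carried out on two unsigned values, so the negative case is reached through wraparound and a conversion back to int rather than being stated directly. A comparison-based form such as `skb_headroom(skb) < drvr->hdrlen ? drvr->hdrlen - skb_headroom(skb) : 0` avoids the wrap altogether; if the cast stays, max_t(int, ...) expresses it without the open-coded cast, and kernel style puts no space after a cast.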
-- 
2.13.2


* Re: [PATCH for-4.13 V3] brcmfmac: Don't grow SKB by negative size
  2017-07-26 11:03 ` [PATCH for-4.13 V3] " Daniel Stone
@ 2017-07-26 11:15   ` Arend van Spriel
  0 siblings, 0 replies; 8+ messages in thread
From: Arend van Spriel @ 2017-07-26 11:15 UTC (permalink / raw)
  To: Daniel Stone
  Cc: linux-wireless, brcm80211-dev-list.pdl, brcm80211-dev-list,
	James Hughes, Hante Meuleman, Pieter-Paul Giesberts, Franky Lin

On 7/26/2017 1:03 PM, Daniel Stone wrote:
> The commit to rework the headroom check in start_xmit() now calls
> pskb_expand_head() unconditionally if the header is CoW. Unfortunately,
> it does so with the delta between the extant headroom and the header
> length, which may be negative if there is already sufficient headroom.
>
> pskb_expand_head() does allow for size being 0, in which case it just
> copies, so clamp the header delta to zero.
>
> Opening Chrome (and all my tabs) on a PCIE device was enough to reliably
> hit this.
>
> Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()")
> Signed-off-by: Daniel Stone <daniels@collabora.com>
> Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
> Cc: James Hughes <james.hughes@raspberrypi.org>
> Cc: Hante Meuleman <hante.meuleman@broadcom.com>
> Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
> Cc: Franky Lin <franky.lin@broadcom.com>
> ---
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> v2: Correct thinko.
> v3: Bring assignment on to one line.
>
> Thanks for the quick response Arend. It's not quite as simple as the
> form you suggested, since both hdrlen and skb_headroom() are unsigned,
> so it needs an explicit cast to signed, which was previously
> implicit from the head_delta lvalue.

Oops. That makes me realize that use of max_t() is preferred which would 
take care of it.

Thanks,
Arend

> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> index 2153e8062b4c..0b7db8798214 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> @@ -214,7 +214,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
>
>   	/* Make sure there's enough writeable headroom */
>   	if (skb_headroom(skb) < drvr->hdrlen || skb_header_cloned(skb)) {
> -		head_delta = drvr->hdrlen - skb_headroom(skb);
> +		head_delta = max((int) (drvr->hdrlen - skb_headroom(skb)), 0);
>
>   		brcmf_dbg(INFO, "%s: insufficient headroom (%d)\n",
>   			  brcmf_ifname(ifp), head_delta);
>


* [PATCH for-v4.13 V4] brcmfmac: Don't grow SKB by negative size
  2017-07-26  8:49 [PATCH v2] brcmfmac: Don't grow SKB by negative size Daniel Stone
  2017-07-26  9:32 ` Arend van Spriel
  2017-07-26 11:03 ` [PATCH for-4.13 V3] " Daniel Stone
@ 2017-07-26 11:24 ` Daniel Stone
  2017-07-26 21:59   ` [for-v4.13,V4] " Hans de Goede
                     ` (2 more replies)
  2 siblings, 3 replies; 8+ messages in thread
From: Daniel Stone @ 2017-07-26 11:24 UTC (permalink / raw)
  To: linux-wireless
  Cc: brcm80211-dev-list.pdl, brcm80211-dev-list, Arend Van Spriel,
	James Hughes, Hante Meuleman, Pieter-Paul Giesberts, Franky Lin

The commit to rework the headroom check in start_xmit() now calls
pskb_expand_head() unconditionally if the header is CoW. Unfortunately,
it does so with the delta between the extant headroom and the header
length, which may be negative if there is already sufficient headroom.

pskb_expand_head() does allow for size being 0, in which case it just
copies, so clamp the header delta to zero.

Opening Chrome (and all my tabs) on a PCIE device was enough to reliably
hit this.

Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()")
Signed-off-by: Daniel Stone <daniels@collabora.com>
Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
Cc: James Hughes <james.hughes@raspberrypi.org>
Cc: Hante Meuleman <hante.meuleman@broadcom.com>
Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Cc: Franky Lin <franky.lin@broadcom.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

v2: Correct thinko.
v3: Bring assignment on to one line.
v4: Use max_t rather than max.

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
index 2153e8062b4c..5cc3a07dda9e 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -214,7 +214,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
 
 	/* Make sure there's enough writeable headroom */
 	if (skb_headroom(skb) < drvr->hdrlen || skb_header_cloned(skb)) {
-		head_delta = drvr->hdrlen - skb_headroom(skb);
+		head_delta = max_t(int, drvr->hdrlen - skb_headroom(skb), 0);
 
 		brcmf_dbg(INFO, "%s: insufficient headroom (%d)\n",
 			  brcmf_ifname(ifp), head_delta);
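Review bot: With the delta clamped, the brcmf_dbg() call below the changed line still reports "insufficient headroom (%d)" when the branch was entered only because skb_header_cloned(skb) was true, and it will now print 0 in that case. Consider rewording the message or logging the cloned case separately, and extending the "Make sure there's enough writeable headroom" comment to say that a zero delta is expected when the header is cloned and only a copy is needed.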
-- 
2.13.2
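
The signedness issue worked through in v2 to V4, shown as an added userspace example that is not part of the thread or the driver. The `naive_max` and `max_t` macros are stand-ins for the kernel ones, `xmit_headroom()` is a hypothetical model of the check, and the header and headroom sizes are constructed values.

```c
#include <stdio.h>

/* Userspace stand-ins, constructed for this example. The kernel's max()
 * additionally type-checks its arguments; max_t() casts both to one type. */
#define naive_max(a, b)   ((a) > (b) ? (a) : (b))
#define max_t(type, a, b) ((type)(a) > (type)(b) ? (type)(a) : (type)(b))

/* Pre-fix code: the unsigned difference wraps, then lands in a signed int. */
static int delta_unclamped(unsigned int hdrlen, unsigned int headroom)
{
	int head_delta = hdrlen - headroom;

	return head_delta;
}

/* max() on the raw expression: the comparison is done in unsigned, so the
 * wrapped value always wins and nothing is clamped. */
static unsigned int delta_max_unsigned(unsigned int hdrlen, unsigned int headroom)
{
	return naive_max(hdrlen - headroom, 0);
}

/* V4 form: both operands are compared as int, so negatives clamp to 0. */
static int delta_max_t(unsigned int hdrlen, unsigned int headroom)
{
	return max_t(int, hdrlen - headroom, 0);
}

/* Hypothetical model of the transmit check: returns the headroom after the
 * copy, or -1 when the expansion helper would be handed a negative size. */
static int xmit_headroom(unsigned int hdrlen, unsigned int headroom,
			 int header_cloned, int clamped)
{
	int head_delta;

	if (headroom >= hdrlen && !header_cloned)
		return (int)headroom;	/* nothing to do */
	head_delta = clamped ? delta_max_t(hdrlen, headroom)
			     : delta_unclamped(hdrlen, headroom);
	if (head_delta < 0)
		return -1;		/* the case the thread reports */
	return (int)headroom + head_delta;
}

int main(void)
{
	/* Constructed values: 8-byte driver header, 32 bytes already free. */
	printf("unclamped:    %d\n", delta_unclamped(8, 32));
	printf("max unsigned: %u\n", delta_max_unsigned(8, 32));
	printf("max_t(int):   %d\n", delta_max_t(8, 32));
	printf("cloned, unclamped -> %d\n", xmit_headroom(8, 32, 1, 0));
	printf("cloned, clamped   -> %d\n", xmit_headroom(8, 32, 1, 1));
	printf("short headroom    -> %d\n", xmit_headroom(32, 8, 0, 1));
	return 0;
}
```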


* Re: [for-v4.13,V4] brcmfmac: Don't grow SKB by negative size
  2017-07-26 11:24 ` [PATCH for-v4.13 V4] " Daniel Stone
@ 2017-07-26 21:59   ` Hans de Goede
  2017-07-27  6:15   ` [PATCH for-v4.13 V4] " Kalle Valo
  2017-07-27 11:03   ` [for-v4.13,V4] " Kalle Valo
  2 siblings, 0 replies; 8+ messages in thread
From: Hans de Goede @ 2017-07-26 21:59 UTC (permalink / raw)
  To: Daniel Stone, linux-wireless
  Cc: brcm80211-dev-list.pdl, brcm80211-dev-list, Arend Van Spriel,
	James Hughes, Hante Meuleman, Pieter-Paul Giesberts, Franky Lin

Hi,

On 26-07-17 13:24, Daniel Stone wrote:
> The commit to rework the headroom check in start_xmit() now calls
> pskb_expand_head() unconditionally if the header is CoW. Unfortunately,
> it does so with the delta between the extant headroom and the header
> length, which may be negative if there is already sufficient headroom.
> 
> pskb_expand_head() does allow for size being 0, in which case it just
> copies, so clamp the header delta to zero.
> 
> Opening Chrome (and all my tabs) on a PCIE device was enough to reliably
> hit this.
> 
> Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()")
> Signed-off-by: Daniel Stone <daniels@collabora.com>
> Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
> Cc: James Hughes <james.hughes@raspberrypi.org>
> Cc: Hante Meuleman <hante.meuleman@broadcom.com>
> Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
> Cc: Franky Lin <franky.lin@broadcom.com>
> ---
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> v2: Correct thinko.
> v3: Bring assignment on to one line.
> v4: Use max_t rather than max.

I can confirm that this fixes a brcmfmac kernel panic for me:

Tested-by: Hans de Goede <hdegoede@redhat.com>

Regards,

Hans



> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> index 2153e8062b4c..5cc3a07dda9e 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> @@ -214,7 +214,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
>   
>   	/* Make sure there's enough writeable headroom */
>   	if (skb_headroom(skb) < drvr->hdrlen || skb_header_cloned(skb)) {
> -		head_delta = drvr->hdrlen - skb_headroom(skb);
> +		head_delta = max_t(int, drvr->hdrlen - skb_headroom(skb), 0);
>   
>   		brcmf_dbg(INFO, "%s: insufficient headroom (%d)\n",
>   			  brcmf_ifname(ifp), head_delta);
> 


* Re: [PATCH for-v4.13 V4] brcmfmac: Don't grow SKB by negative size
  2017-07-26 11:24 ` [PATCH for-v4.13 V4] " Daniel Stone
  2017-07-26 21:59   ` [for-v4.13,V4] " Hans de Goede
@ 2017-07-27  6:15   ` Kalle Valo
  2017-07-27 11:03   ` [for-v4.13,V4] " Kalle Valo
  2 siblings, 0 replies; 8+ messages in thread
From: Kalle Valo @ 2017-07-27  6:15 UTC (permalink / raw)
  To: Daniel Stone
  Cc: linux-wireless, brcm80211-dev-list.pdl, brcm80211-dev-list,
	Arend Van Spriel, James Hughes, Hante Meuleman,
	Pieter-Paul Giesberts, Franky Lin

Daniel Stone <daniels@collabora.com> writes:

> The commit to rework the headroom check in start_xmit() now calls
> pskb_expand_head() unconditionally if the header is CoW. Unfortunately,
> it does so with the delta between the extant headroom and the header
> length, which may be negative if there is already sufficient headroom.
>
> pskb_expand_head() does allow for size being 0, in which case it just
> copies, so clamp the header delta to zero.
>
> Opening Chrome (and all my tabs) on a PCIE device was enough to reliably
> hit this.
>
> Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()")
> Signed-off-by: Daniel Stone <daniels@collabora.com>
> Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
> Cc: James Hughes <james.hughes@raspberrypi.org>
> Cc: Hante Meuleman <hante.meuleman@broadcom.com>
> Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
> Cc: Franky Lin <franky.lin@broadcom.com>

I'll queue this for 4.13.

-- 
Kalle Valo


* Re: [for-v4.13,V4] brcmfmac: Don't grow SKB by negative size
  2017-07-26 11:24 ` [PATCH for-v4.13 V4] " Daniel Stone
  2017-07-26 21:59   ` [for-v4.13,V4] " Hans de Goede
  2017-07-27  6:15   ` [PATCH for-v4.13 V4] " Kalle Valo
@ 2017-07-27 11:03   ` Kalle Valo
  2 siblings, 0 replies; 8+ messages in thread
From: Kalle Valo @ 2017-07-27 11:03 UTC (permalink / raw)
  To: Daniel Stone
  Cc: linux-wireless, brcm80211-dev-list.pdl, brcm80211-dev-list,
	Arend Van Spriel, James Hughes, Hante Meuleman,
	Pieter-Paul Giesberts, Franky Lin

Daniel Stone <daniels@collabora.com> wrote:

> The commit to rework the headroom check in start_xmit() now calls
> pskb_expand_head() unconditionally if the header is CoW. Unfortunately,
> it does so with the delta between the extant headroom and the header
> length, which may be negative if there is already sufficient headroom.
> 
> pskb_expand_head() does allow for size being 0, in which case it just
> copies, so clamp the header delta to zero.
> 
> Opening Chrome (and all my tabs) on a PCIE device was enough to reliably
> hit this.
> 
> Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()")
> Signed-off-by: Daniel Stone <daniels@collabora.com>
> Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
> Cc: James Hughes <james.hughes@raspberrypi.org>
> Cc: Hante Meuleman <hante.meuleman@broadcom.com>
> Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
> Cc: Franky Lin <franky.lin@broadcom.com>
> Tested-by: Hans de Goede <hdegoede@redhat.com>

Patch applied to wireless-drivers.git, thanks.

58f36b4526ad brcmfmac: Don't grow SKB by negative size

-- 
https://patchwork.kernel.org/patch/9864575/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

