| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Dec 2014 13:36:54 +0000 From: David Vrabel <david.vrabel@...rix.com> To: Stefan Bader <stefan.bader@...onical.com>, Zoltan Kiss <zoltan.kiss@...rix.com>, Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>, Boris Ostrovsky <boris.ostrovsky@...cle.com>, David Vrabel <david.vrabel@...rix.com> CC: Wei Liu <wei.liu2@...rix.com>, Ian Campbell <Ian.Campbell@...rix.com>, <netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>, Paul Durrant <paul.durrant@...rix.com>, <xen-devel@...ts.xenproject.org> Subject: Re: [Xen-devel] [PATCH] xen-netfront: Fix handling packets on compound pages with skb_linearize On 01/12/14 08:55, Stefan Bader wrote: > On 11.08.2014 19:32, Zoltan Kiss wrote: >> There is a long known problem with the netfront/netback interface: if the guest >> tries to send a packet which constitues more than MAX_SKB_FRAGS + 1 ring slots, >> it gets dropped. The reason is that netback maps these slots to a frag in the >> frags array, which is limited by size. Having so many slots can occur since >> compound pages were introduced, as the ring protocol slice them up into >> individual (non-compound) page aligned slots. The theoretical worst case >> scenario looks like this (note, skbs are limited to 64 Kb here): >> linear buffer: at most PAGE_SIZE - 17 * 2 bytes, overlapping page boundary, >> using 2 slots >> first 15 frags: 1 + PAGE_SIZE + 1 bytes long, first and last bytes are at the >> end and the beginning of a page, therefore they use 3 * 15 = 45 slots >> last 2 frags: 1 + 1 bytes, overlapping page boundary, 2 * 2 = 4 slots >> Although I don't think this 51 slots skb can really happen, we need a solution >> which can deal with every scenario. In real life there is only a few slots >> overdue, but usually it causes the TCP stream to be blocked, as the retry will >> most likely have the same buffer layout. >> This patch solves this problem by linearizing the packet. This is not the >> fastest way, and it can fail much easier as it tries to allocate a big linear >> area for the whole packet, but probably easier by an order of magnitude than >> anything else. Probably this code path is not touched very frequently anyway. >> >> Signed-off-by: Zoltan Kiss <zoltan.kiss@...rix.com> >> Cc: Wei Liu <wei.liu2@...rix.com> >> Cc: Ian Campbell <Ian.Campbell@...rix.com> >> Cc: Paul Durrant <paul.durrant@...rix.com> >> Cc: netdev@...r.kernel.org >> Cc: linux-kernel@...r.kernel.org >> Cc: xen-devel@...ts.xenproject.org > > This does not seem to be marked explicitly as stable. Has someone already asked > David Miller to put it on his stable queue? IMO it qualifies quite well and the > actual change should be simple to pick/backport. I think it's a candidate, yes. Can you expand on the user visible impact of the bug this patch fixes? I think it results in certain types of traffic not working (because the domU always generates skb's with the problematic frag layout), but I can't remember the details. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists