lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20071021045601.GA8427@gondor.apana.org.au>
Date:	Sun, 21 Oct 2007 12:56:01 +0800
From:	Herbert Xu <herbert@...dor.apana.org.au>
To:	John Heffner <jheffner@....edu>
Cc:	shemminger@...ux-foundation.org, davem@...emloft.net,
	netdev@...r.kernel.org, bugme-daemon@...zilla.kernel.org
Subject: Re: Fw: [Bug 9189] New: Oops in kernel 2.6.21-rc4 through 2.6.23, page allocation failure

On Sat, Oct 20, 2007 at 12:00:15AM +0800, Herbert Xu wrote:
> >> 
> >> Backtrace #1:
> >> page allocation failure. order:1, mode:0x20
> >>  [<c0131581>] __alloc_pages+0x2e1/0x300   
> >>  [<c0144bee>] cache_alloc_refill+0x29e/0x4b0
> >>  [<c0144e6e>] __kmalloc+0x6e/0x80
> >>  [<c0227103>] __alloc_skb+0x53/0x110
> >>  [<c024de5c>] tcp_collapse+0x1ac/0x370
> >>  [<c024e11d>] tcp_prune_queue+0xfd/0x2c0
> >>  [<c024eaad>] tcp_data_queue+0x7cd/0xbb0
> >>  [<c0225c2d>] skb_checksum+0x4d/0x2a0
> >>  [<c02504ee>] tcp_rcv_established+0x36e/0x6a0
> >>  [<c02561e4>] tcp_v4_do_rcv+0xb4/0x2a0
> >>  [<c0131379>] __alloc_pages+0xd9/0x300
> >>  [<c0258269>] tcp_v4_rcv+0x6a9/0x6c0
> >>  [<c023ddb1>] ip_local_deliver+0x91/0x110
> >>  [<c023e130>] ip_rcv+0x230/0x3c0
> >>  [<c0227103>] __alloc_skb+0x53/0x110
> >>  [<c022b742>] netif_receive_skb+0x152/0x1e0
> >>  [<c022ce6f>] process_backlog+0x6f/0xe0
> >>  [<c022cf3c>] net_rx_action+0x5c/0xf0
> >>  [<c0115af2>] __do_softirq+0x42/0x90
> >>  [<c0115b67>] do_softirq+0x27/0x30
> >>  [<c01044fd>] do_IRQ+0x3d/0x70
> >>  [<c0115818>] sys_gettimeofday+0x28/0x80
> >>  [<c0102967>] common_interrupt+0x23/0x28
> >>  =======================

I knew this looked familiar.  In fact I'd already sent a patch
to fix this back in June 2006 but it seems to have been lost.

Here it is again rediffed against today's kernel:

[NET]: Fix SKB_WITH_OVERHEAD calculation

The calculation in SKB_WITH_OVERHEAD is incorrect in that it can cause
an overflow across a page boundary which is what it's meant to prevent.
In particular, the header length (X) should not be lumped together with
skb_shared_info.  The latter needs to be aligned properly while the header
has no choice but to sit in front of wherever the payload is.

Therefore the correct calculation is to take away the aligned size of
skb_shared_info, and then subtract the header length.  The resulting
quantity L satisfies the following inequality:

	SKB_DATA_ALIGN(L + X) + sizeof(struct skb_shared_info) <= PAGE_SIZE

This is the quantity used by alloc_skb to do the actual allocation.

Signed-off-by: Herbert Xu <herbert@...dor.apana.org.au>

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index f93f22b..369f60a 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -41,8 +41,7 @@
 #define SKB_DATA_ALIGN(X)	(((X) + (SMP_CACHE_BYTES - 1)) & \
 				 ~(SMP_CACHE_BYTES - 1))
 #define SKB_WITH_OVERHEAD(X)	\
-	(((X) - sizeof(struct skb_shared_info)) & \
-	 ~(SMP_CACHE_BYTES - 1))
+	((X) - SKB_DATA_ALIGN(sizeof(struct skb_shared_info)))
 #define SKB_MAX_ORDER(X, ORDER) \
 	SKB_WITH_OVERHEAD((PAGE_SIZE << (ORDER)) - (X))
 #define SKB_MAX_HEAD(X)		(SKB_MAX_ORDER((X), 0))
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ