diff mbox

Fw: [Bug 47021] New: kernel panic with l2tpv3 & mtu > 1500

Message ID 1346788334.13121.82.camel@edumazet-glaptop
State Accepted, archived
Delegated to: David Miller
Headers show

Commit Message

Eric Dumazet Sept. 4, 2012, 7:52 p.m. UTC 
From: Eric Dumazet <edumazet@google.com>

On Tue, 2012-09-04 at 09:07 -0700, Stephen Hemminger wrote:
> 
> Begin forwarded message:
> 
> Date: Tue,  4 Sep 2012 16:06:06 +0000 (UTC)
> From: bugzilla-daemon@bugzilla.kernel.org
> To: shemminger@linux-foundation.org
> Subject: [Bug 47021] New: kernel panic with l2tpv3 & mtu > 1500
> 
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=47021
> 
>            Summary: kernel panic with l2tpv3 & mtu > 1500
>            Product: Networking
>            Version: 2.5
>     Kernel Version: 3.2.28
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: Other
>         AssignedTo: shemminger@linux-foundation.org
>         ReportedBy: a1bert@atlas.cz
>         Regression: No
> 
> 
> first l2tpv3 packet that enters physical device with MTU > 1500 causes kernel
> panic
> 
> tunel created using:
> 
> l2tpv3tun add tunnel tunnel_id 1 peer_tunnel_id 1 encap udp udp_sport 5001
> udp_dport 5001 local 192.168.1.1 remote 192.168.1.2
> 
> l2tpv3tun add session tunnel_id 1 session_id 1 peer_session_id 1 dev l2tpeth1
> 
> 
> reproducible: always
> 

Seems following patch is needed, not sure if it helps

[PATCH] l2tp: fix a typo in l2tp_eth_dev_recv()

While investigating l2tp bug, I hit a bug in eth_type_trans(),
because not enough bytes were pulled in skb head.

Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/l2tp/l2tp_eth.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

stephen hemminger Sept. 4, 2012, 7:54 p.m. UTC | #1 
On Tue, 04 Sep 2012 21:52:14 +0200
Eric Dumazet <eric.dumazet@gmail.com> wrote:

> From: Eric Dumazet <edumazet@google.com>
> 
> On Tue, 2012-09-04 at 09:07 -0700, Stephen Hemminger wrote:
> > 
> > Begin forwarded message:
> > 
> > Date: Tue,  4 Sep 2012 16:06:06 +0000 (UTC)
> > From: bugzilla-daemon@bugzilla.kernel.org
> > To: shemminger@linux-foundation.org
> > Subject: [Bug 47021] New: kernel panic with l2tpv3 & mtu > 1500
> > 
> > 
> > https://bugzilla.kernel.org/show_bug.cgi?id=47021
> > 
> >            Summary: kernel panic with l2tpv3 & mtu > 1500
> >            Product: Networking
> >            Version: 2.5
> >     Kernel Version: 3.2.28
> >           Platform: All
> >         OS/Version: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: Other
> >         AssignedTo: shemminger@linux-foundation.org
> >         ReportedBy: a1bert@atlas.cz
> >         Regression: No
> > 
> > 
> > first l2tpv3 packet that enters physical device with MTU > 1500 causes kernel
> > panic
> > 
> > tunel created using:
> > 
> > l2tpv3tun add tunnel tunnel_id 1 peer_tunnel_id 1 encap udp udp_sport 5001
> > udp_dport 5001 local 192.168.1.1 remote 192.168.1.2
> > 
> > l2tpv3tun add session tunnel_id 1 session_id 1 peer_session_id 1 dev l2tpeth1
> > 
> > 
> > reproducible: always
> > 
> 
> Seems following patch is needed, not sure if it helps
> 
> [PATCH] l2tp: fix a typo in l2tp_eth_dev_recv()
> 
> While investigating l2tp bug, I hit a bug in eth_type_trans(),
> because not enough bytes were pulled in skb head.
> 
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> ---
>  net/l2tp/l2tp_eth.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
> index f9ee74d..3bfb34a 100644
> --- a/net/l2tp/l2tp_eth.c
> +++ b/net/l2tp/l2tp_eth.c
> @@ -153,7 +153,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
>  		print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
>  	}
>  
> -	if (!pskb_may_pull(skb, sizeof(ETH_HLEN)))
> +	if (!pskb_may_pull(skb, ETH_HLEN))
>  		goto error;

I guess nobody ever looked inside this code. That seems like an obvious bug.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Miller Sept. 4, 2012, 7:55 p.m. UTC | #2 
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 04 Sep 2012 21:52:14 +0200

> [PATCH] l2tp: fix a typo in l2tp_eth_dev_recv()
> 
> While investigating l2tp bug, I hit a bug in eth_type_trans(),
> because not enough bytes were pulled in skb head.
> 
> Signed-off-by: Eric Dumazet <edumazet@google.com>

LoL, applied and queued up for -stable.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Eric Dumazet Sept. 4, 2012, 8:57 p.m. UTC | #3 
On Tue, 2012-09-04 at 12:54 -0700, Stephen Hemminger wrote:

> 
> I guess nobody ever looked inside this code. That seems like an obvious bug.

It seems that l2tp lacks ECN support as well.


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
a1 Sept. 5, 2012, 7:45 a.m. UTC | #4 
Thanks, it definitely helped, no more panics now...

jn

>>>
>>
>> Seems following patch is needed, not sure if it helps
>>
>> [PATCH] l2tp: fix a typo in l2tp_eth_dev_recv()
>>
>> While investigating l2tp bug, I hit a bug in eth_type_trans(),
>> because not enough bytes were pulled in skb head.
>>
>> Signed-off-by: Eric Dumazet <edumazet@google.com>
>> ---
>>  net/l2tp/l2tp_eth.c |    2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
>> index f9ee74d..3bfb34a 100644
>> --- a/net/l2tp/l2tp_eth.c
>> +++ b/net/l2tp/l2tp_eth.c
>> @@ -153,7 +153,7 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
>>  		print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
>>  	}
>>  
>> -	if (!pskb_may_pull(skb, sizeof(ETH_HLEN)))
>> +	if (!pskb_may_pull(skb, ETH_HLEN))
>>  		goto error;
> 
> I guess nobody ever looked inside this code. That seems like an obvious bug.
> 
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Eric Dumazet Sept. 5, 2012, 8:34 a.m. UTC | #5 
On Wed, 2012-09-05 at 09:45 +0200, a1 wrote:
> Thanks, it definitely helped, no more panics now...

It seems MTU of device is wrong, and lot of packets are fragmented...

Its currently 1488, but it really should be less than that (accounting
for the IP+UDP header)

I wonder if anybody ever used this code ?



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index f9ee74d..3bfb34a 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -153,7 +153,7 @@  static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
 		print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
 	}
 
-	if (!pskb_may_pull(skb, sizeof(ETH_HLEN)))
+	if (!pskb_may_pull(skb, ETH_HLEN))
 		goto error;
 
 	secpath_reset(skb);