Patchwork [natty/oneiric,SRU] bug #905219 - Linux Kernel crash in Netfilter

login
register
mail settings
Submitter Chris J Arges
Date June 27, 2012, 4:55 p.m.
Message ID <4FEB3B00.4050603@canonical.com>
Download mbox | patch
Permalink /patch/167715/
State New
Headers show

Comments

Chris J Arges - June 27, 2012, 4:55 p.m.
BugLink: https://bugs.launchpad.net/bugs/905219

== Natty/Oneiric SRU Justification ==

    Impact: When running KVM with a few VM's with physical eth bridges
and TAP interfaces connected between KVM (via libvirt) and the bridge,
occasionally kernel panics will occur.

== Fix ==

Cherry-pick from a504b86e718a425ea4a34e2f95b5cf0545ddfd8d. This is
present in Precise onwards. This fixes an issue in netfilter/tun where
tun's allocation is problematic and requires additional padding.


== Testcase ==

See bug for reproducible testcase.

Thanks,
--chris j arges
Tim Gardner - June 27, 2012, 5:03 p.m.

Seth Forshee - June 27, 2012, 6:24 p.m.
On Wed, Jun 27, 2012 at 11:55:28AM -0500, Chris J Arges wrote:
> BugLink: https://bugs.launchpad.net/bugs/905219
> 
> == Natty/Oneiric SRU Justification ==
> 
>     Impact: When running KVM with a few VM's with physical eth bridges
> and TAP interfaces connected between KVM (via libvirt) and the bridge,
> occasionally kernel panics will occur.
> 
> == Fix ==
> 
> Cherry-pick from a504b86e718a425ea4a34e2f95b5cf0545ddfd8d. This is
> present in Precise onwards. This fixes an issue in netfilter/tun where
> tun's allocation is problematic and requires additional padding.
> 
> 
> == Testcase ==
> 
> See bug for reproducible testcase.
> 
> Thanks,
> --chris j arges
> 

> From 74f15d9eecd8fd4e2537b9f51e68ee89d9e411a3 Mon Sep 17 00:00:00 2001
> From: stephen hemminger <shemminger@vyatta.com>
> Date: Wed, 8 Jun 2011 14:33:07 +0000
> Subject: [PATCH 1/2] tun: reserves space for network in skb
> 
> The tun driver allocates skb's to hold data from user and then passes
> the data into the network stack as received data. Most network devices
> allocate the receive skb with routines like dev_alloc_skb() that reserves
> additional space for use by network protocol stack but tun does not.
> 
> Because of the lack of padding, when the packet is passed through bridge
> netfilter a new skb has to be allocated.
> 
> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit a504b86e718a425ea4a34e2f95b5cf0545ddfd8d)
> 
> BugLink: http://launchpad.net/bugs/905219
> 
> Signed-off-by: Chris J Arges <chris.j.arges@canonical.com>
> ---
>  drivers/net/tun.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index b100bd5..2bf9fb4 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -554,7 +554,7 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun,
>  {
>  	struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) };
>  	struct sk_buff *skb;
> -	size_t len = count, align = 0;
> +	size_t len = count, align = NET_SKB_PAD;
>  	struct virtio_net_hdr gso = { 0 };
>  	int offset = 0;
>  
> @@ -584,7 +584,7 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun,
>  	}
>  
>  	if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) {
> -		align = NET_IP_ALIGN;
> +		align += NET_IP_ALIGN;
>  		if (unlikely(len < ETH_HLEN ||
>  			     (gso.hdr_len && gso.hdr_len < ETH_HLEN)))
>  			return -EINVAL;
> -- 
> 1.7.9.5
> 

> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Tim Gardner - June 27, 2012, 6:44 p.m.

Patch

From 74f15d9eecd8fd4e2537b9f51e68ee89d9e411a3 Mon Sep 17 00:00:00 2001
From: stephen hemminger <shemminger@vyatta.com>
Date: Wed, 8 Jun 2011 14:33:07 +0000
Subject: [PATCH 1/2] tun: reserves space for network in skb

The tun driver allocates skb's to hold data from user and then passes
the data into the network stack as received data. Most network devices
allocate the receive skb with routines like dev_alloc_skb() that reserves
additional space for use by network protocol stack but tun does not.

Because of the lack of padding, when the packet is passed through bridge
netfilter a new skb has to be allocated.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit a504b86e718a425ea4a34e2f95b5cf0545ddfd8d)

BugLink: http://launchpad.net/bugs/905219

Signed-off-by: Chris J Arges <chris.j.arges@canonical.com>
---
 drivers/net/tun.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index b100bd5..2bf9fb4 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -554,7 +554,7 @@  static __inline__ ssize_t tun_get_user(struct tun_struct *tun,
 {
 	struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) };
 	struct sk_buff *skb;
-	size_t len = count, align = 0;
+	size_t len = count, align = NET_SKB_PAD;
 	struct virtio_net_hdr gso = { 0 };
 	int offset = 0;
 
@@ -584,7 +584,7 @@  static __inline__ ssize_t tun_get_user(struct tun_struct *tun,
 	}
 
 	if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) {
-		align = NET_IP_ALIGN;
+		align += NET_IP_ALIGN;
 		if (unlikely(len < ETH_HLEN ||
 			     (gso.hdr_len && gso.hdr_len < ETH_HLEN)))
 			return -EINVAL;
-- 
1.7.9.5