From patchwork Fri Aug 24 13:58:34 2012
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 179842
Message-ID: <5037888A.8000001@canonical.com>
Date: Fri, 24 Aug 2012 07:58:34 -0600
From: Tim Gardner
To: Herton Ronaldo Krzesinski
Subject: Re: Lucid CVE-2012-3412
References: <503659DD.6070708@canonical.com> <20120823192448.GC3004@herton-Z68MA-D2H-B3> <50368F1F.8030804@canonical.com> <20120824004642.GD3004@herton-Z68MA-D2H-B3>
In-Reply-To: <20120824004642.GD3004@herton-Z68MA-D2H-B3>
Cc: kernel-team

On 08/23/2012 06:46 PM, Herton Ronaldo Krzesinski wrote:
> On Thu, Aug 23, 2012 at 02:14:23PM -0600, Tim Gardner wrote:
> [...]
>> I've repushed with an update to "net: Allow driver to limit number of
>> GSO segments per skb"
>
> This one still doesn't look ok. You clear dev->features, but the
> behaviour of the upstream patch is different: they copy dev->features to
> a local variable, and clear that, passing to netif_needs_gso, otherwise
> after you clear first time, dev->features will have always the flags
> cleared, and the checks are per skb, shouldn't be cleared globally in
> dev->features. Fixing this, Ack from me for the patch series, the other
> things I just wanted to point out but should be benign or style issues.
>

Doh, how about this? Also repushed.

rtg

From 791f2fa97593d1c2ca0e05f835276b558835f5aa Mon Sep 17 00:00:00 2001
From: Ben Hutchings Date: Thu, 23 Aug 2012 08:20:13 -0600 Subject: [PATCH] net: Allow driver to limit number of GSO segments per skb CVE-2012-3412 BugLink: http://bugs.launchpad.net/bugs/1037456 A peer (or local user) may cause TCP to use a nominal MSS of as little as 88 (actual MSS of 76 with timestamps). Given that we have a sufficiently prodigious local sender and the peer ACKs quickly enough, it is nevertheless possible to grow the window for such a connection to the point that we will try to send just under 64K at once. This results in a single skb that expands to 861 segments. In some drivers with TSO support, such an skb will require hundreds of DMA descriptors; a substantial fraction of a TX ring or even more than a full ring. The TX queue selected for the skb may stall and trigger the TX watchdog repeatedly (since the problem skb will be retried after the TX reset). This particularly affects sfc, for which the issue is designated as CVE-2012-3412. Therefore: 1. Add the field net_device::gso_max_segs holding the device-specific limit. 2. In netif_skb_features(), if the number of segments is too high then mask out GSO features to force fall back to software GSO. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller (back ported from commit 30b678d844af3305cda5953467005cebb5d7b687) Signed-off-by: Tim Gardner --- include/linux/netdevice.h | 6 ++++++ net/core/dev.c | 1 + 2 files changed, 7 insertions(+) diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index ea6187c..9e5d0d0 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -907,6 +907,8 @@ struct net_device /* for setting kernel sock attribute on TCP connection setup */ #define GSO_MAX_SIZE 65536 unsigned int gso_max_size; +#define GSO_MAX_SEGS 65535 + u16 gso_max_segs; #ifdef CONFIG_DCB /* Data Center Bridging netlink ops */ 
@@ -1935,6 +1937,10 @@ static inline int skb_gso_ok(struct sk_buff *skb, int features) static inline int netif_needs_gso(struct net_device *dev, struct sk_buff *skb) { + if (skb_is_gso(skb) && + skb_shinfo(skb)->gso_segs > skb->dev->gso_max_segs) + return 0; + return skb_is_gso(skb) && (!skb_gso_ok(skb, dev->features) || unlikely(skb->ip_summed != CHECKSUM_PARTIAL)); diff --git a/net/core/dev.c b/net/core/dev.c index f32f98a..7b315a2 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -5195,6 +5195,7 @@ struct net_device *alloc_netdev_mq(int sizeof_priv, const char *name, dev->real_num_tx_queues = queue_count; dev->gso_max_size = GSO_MAX_SIZE; + dev->gso_max_segs = GSO_MAX_SEGS; netdev_init_queues(dev); -- 1.7.9.5
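
Review bot: in the struct net_device hunk of include/linux/netdevice.h, the new `u16 gso_max_segs` field is undocumented and lands directly under the existing comment "for setting kernel sock attribute on TCP connection setup", which this patch never does with it. Please add a one-line comment on the field saying that it is the maximum number of segments the device accepts in a single GSO skb, that it defaults to GSO_MAX_SEGS, and that drivers are expected to lower it.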
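
Review bot: the early `return 0` added to netif_needs_gso() looks inverted relative to the commit message. The existing return expression is true when the device cannot take the skb as-is (`!skb_gso_ok(skb, dev->features)`), so a true result is what selects software GSO; returning 0 for an skb whose `gso_segs` exceeds `gso_max_segs` reports that no software segmentation is needed, and the oversized skb would go to the driver unsegmented, which is the case the commit message says must "force fall back to software GSO". Suggest `return 1;` in that branch, or folding the test into the existing expression as another reason GSO is needed. Two smaller points in the same hunk: the check reads `skb->dev->gso_max_segs` while the function is handed `dev` and uses `dev->features` two lines later, so it should use `dev->gso_max_segs` for consistency; and the commit message still says the check lives in netif_skb_features(), so the "back ported from" line should say that this back port places it in netif_needs_gso() instead.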
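
Review bot: in the alloc_netdev_mq() hunk of net/core/dev.c, the default `dev->gso_max_segs = GSO_MAX_SEGS;` (65535) means the new check cannot trigger for the 861-segment skb described in the commit message until a driver sets a lower value, and nothing in this patch does so. Please confirm that the series carries the driver change that lowers gso_max_segs for sfc, and say so in the back port note so this patch is not picked on its own. It is also worth checking that no net_device reaches the transmit path without passing through this initialisation, since a field left at zero would make every GSO skb exceed the limit.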