sonic-net · lguohan · Jan 15, 2020 · Jan 14, 2020 · Jan 14, 2020
@@ -0,0 +1,92 @@
+From 7eb9d7675c08937cd11d32b0b40442d4d731c5ee Mon Sep 17 00:00:00 2001
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Wed, 27 Nov 2019 00:16:44 +0200
+Subject: [PATCH] net: psample: fix skb_over_panic
+
+We need to calculate the skb size correctly otherwise we risk triggering
+skb_over_panic[1]. The issue is that data_len is added to the skb in a
+nl attribute, but we don't account for its header size (nlattr 4 bytes)
+and alignment. We account for it when calculating the total size in
+the > PSAMPLE_MAX_PACKET_SIZE comparison correctly, but not when
+allocating after that. The fix is simple - use nla_total_size() for
+data_len when allocating.
+
+To reproduce:
+ $ tc qdisc add dev eth1 clsact
+ $ tc filter add dev eth1 egress matchall action sample rate 1 group 1 trunc 129
+ $ mausezahn eth1 -b bcast -a rand -c 1 -p 129
+ < skb_over_panic BUG(), tail is 4 bytes past skb->end >
+
+[1] Trace:
+ [   50.459526][ T3480] skbuff: skb_over_panic: text:(____ptrval____) len:196 put:136 head:(____ptrval____) data:(____ptrval____) tail:0xc4 end:0xc0 dev:<NULL>
+ [   50.474339][ T3480] ------------[ cut here ]------------
+ [   50.481132][ T3480] kernel BUG at net/core/skbuff.c:108!
+ [   50.486059][ T3480] invalid opcode: 0000 [#1] PREEMPT SMP
+ [   50.489463][ T3480] CPU: 3 PID: 3480 Comm: mausezahn Not tainted 5.4.0-rc7 #108
+ [   50.492844][ T3480] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+ [   50.496551][ T3480] RIP: 0010:skb_panic+0x79/0x7b
+ [   50.498261][ T3480] Code: bc 00 00 00 41 57 4c 89 e6 48 c7 c7 90 29 9a 83 4c 8b 8b c0 00 00 00 50 8b 83 b8 00 00 00 50 ff b3 c8 00 00 00 e8 ae ef c0 fe <0f> 0b e8 2f df c8 fe 48 8b 55 08 44 89 f6 4c 89 e7 48 c7 c1 a0 22
+ [   50.504111][ T3480] RSP: 0018:ffffc90000447a10 EFLAGS: 00010282
+ [   50.505835][ T3480] RAX: 0000000000000087 RBX: ffff888039317d00 RCX: 0000000000000000
+ [   50.507900][ T3480] RDX: 0000000000000000 RSI: ffffffff812716e1 RDI: 00000000ffffffff
+ [   50.509820][ T3480] RBP: ffffc90000447a60 R08: 0000000000000001 R09: 0000000000000000
+ [   50.511735][ T3480] R10: ffffffff81d4f940 R11: 0000000000000000 R12: ffffffff834a22b0
+ [   50.513494][ T3480] R13: ffffffff82c10433 R14: 0000000000000088 R15: ffffffff838a8084
+ [   50.515222][ T3480] FS:  00007f3536462700(0000) GS:ffff88803eac0000(0000) knlGS:0000000000000000
+ [   50.517135][ T3480] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [   50.518583][ T3480] CR2: 0000000000442008 CR3: 000000003b222000 CR4: 00000000000006e0
+ [   50.520723][ T3480] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [   50.522709][ T3480] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [   50.524450][ T3480] Call Trace:
+ [   50.525214][ T3480]  skb_put.cold+0x1b/0x1b
+ [   50.526171][ T3480]  psample_sample_packet+0x1d3/0x340
+ [   50.527307][ T3480]  tcf_sample_act+0x178/0x250
+ [   50.528339][ T3480]  tcf_action_exec+0xb1/0x190
+ [   50.529354][ T3480]  mall_classify+0x67/0x90
+ [   50.530332][ T3480]  tcf_classify+0x72/0x160
+ [   50.531286][ T3480]  __dev_queue_xmit+0x3db/0xd50
+ [   50.532327][ T3480]  dev_queue_xmit+0x18/0x20
+ [   50.533299][ T3480]  packet_sendmsg+0xee7/0x2090
+ [   50.534331][ T3480]  sock_sendmsg+0x54/0x70
+ [   50.535271][ T3480]  __sys_sendto+0x148/0x1f0
+ [   50.536252][ T3480]  ? tomoyo_file_ioctl+0x23/0x30
+ [   50.537334][ T3480]  ? ksys_ioctl+0x5e/0xb0
+ [   50.540068][ T3480]  __x64_sys_sendto+0x2a/0x30
+ [   50.542810][ T3480]  do_syscall_64+0x73/0x1f0
+ [   50.545383][ T3480]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [   50.548477][ T3480] RIP: 0033:0x7f35357d6fb3
+ [   50.551020][ T3480] Code: 48 8b 0d 18 90 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 d3 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 eb f6 ff ff 48 89 04 24
+ [   50.558547][ T3480] RSP: 002b:00007ffe0c7212c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+ [   50.561870][ T3480] RAX: ffffffffffffffda RBX: 0000000001dac010 RCX: 00007f35357d6fb3
+ [   50.565142][ T3480] RDX: 0000000000000082 RSI: 0000000001dac2a2 RDI: 0000000000000003
+ [   50.568469][ T3480] RBP: 00007ffe0c7212f0 R08: 00007ffe0c7212d0 R09: 0000000000000014
+ [   50.571731][ T3480] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000082
+ [   50.574961][ T3480] R13: 0000000001dac2a2 R14: 0000000000000001 R15: 0000000000000003
+ [   50.578170][ T3480] Modules linked in: sch_ingress virtio_net
+ [   50.580976][ T3480] ---[ end trace 61a515626a595af6 ]---
+
+CC: Yotam Gigi <yotamg@mellanox.com>
+CC: Jiri Pirko <jiri@mellanox.com>
+CC: Jamal Hadi Salim <jhs@mojatatu.com>
+CC: Simon Horman <simon.horman@netronome.com>
+CC: Roopa Prabhu <roopa@cumulusnetworks.com>
+Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/psample/psample.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/psample/psample.c b/net/psample/psample.c
+index a6ceb0533b5bb..6f2fbc6b9eb2e 100644
+--- a/net/psample/psample.c
++++ b/net/psample/psample.c
+@@ -229,7 +229,7 @@ void psample_sample_packet(struct psample_group *group, struct sk_buff *skb,
+ 		data_len = PSAMPLE_MAX_PACKET_SIZE - meta_len - NLA_HDRLEN
+ 			    - NLA_ALIGNTO;
+
+-	nl_skb = genlmsg_new(meta_len + data_len, GFP_ATOMIC);
++	nl_skb = genlmsg_new(meta_len + nla_total_size(data_len), GFP_ATOMIC);
+ 	if (unlikely(!nl_skb))
+ 		return;
+
@@ -92,6 +92,7 @@ linux-4.16-firmware-dmi-handle-missing-DMI-data-gracefully.patch
 mellanox-backport-introduce-psample-a-new-genetlink-channel.patch
 mellanox-backport-introduce-tc-sample-action.patch
 kernel-enable-psample-and-act_sample-drivers.patch
+net-psample-fix-skb-over-panic.patch
 0000-net-Fix-netdev-adjacency-tracking.patch
 0000-net-ipv6-ll-anycast-mcast-routes-on-dev.patch
 0001-net-ipv6-Allow-shorthand-delete-of-all-nexthops-in-m.patch