OpenCloudOS-Kernel/drivers
Bjørn Mork 49c2c3f246 cdc_ncm: avoid padding beyond end of skb
Commit 4a0e3e989d ("cdc_ncm: Add support for moving NDP to end
of NCM frame") added logic to reserve space for the NDP at the
end of the NTB/skb.  This reservation did not take the final
alignment of the NDP into account, causing us to reserve too
little space. Additionally the padding prior to NDP addition did
not ensure there was enough space for the NDP.

The NTB/skb with the NDP appended would then exceed the configured
max size. This caused the final padding of the NTB to use a
negative count, padding to almost INT_MAX, and resulting in:

[60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000
[60103.825998] IP: __memset+0x24/0x30
[60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0
[60103.826013] Oops: 0002 [#1] SMP NOPTI
[60103.826018] Modules linked in: (removed(
[60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G           O 4.14.0-3-amd64 #1 Debian 4.14.17-1
[60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012
[60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000
[60103.826171] RIP: 0010:__memset+0x24/0x30
[60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216
[60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000
[60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc
[60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004
[60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80
[60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900
[60103.826194] FS:  00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000
[60103.826197] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0
[60103.826204] Call Trace:
[60103.826212]  <IRQ>
[60103.826225]  cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm]
[60103.826236]  cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm]
[60103.826246]  usbnet_start_xmit+0x5d/0x710 [usbnet]
[60103.826254]  ? netif_skb_features+0x119/0x250
[60103.826259]  dev_hard_start_xmit+0xa1/0x200
[60103.826267]  sch_direct_xmit+0xf2/0x1b0
[60103.826273]  __dev_queue_xmit+0x5e3/0x7c0
[60103.826280]  ? ip_finish_output2+0x263/0x3c0
[60103.826284]  ip_finish_output2+0x263/0x3c0
[60103.826289]  ? ip_output+0x6c/0xe0
[60103.826293]  ip_output+0x6c/0xe0
[60103.826298]  ? ip_forward_options+0x1a0/0x1a0
[60103.826303]  tcp_transmit_skb+0x516/0x9b0
[60103.826309]  tcp_write_xmit+0x1aa/0xee0
[60103.826313]  ? sch_direct_xmit+0x71/0x1b0
[60103.826318]  tcp_tasklet_func+0x177/0x180
[60103.826325]  tasklet_action+0x5f/0x110
[60103.826332]  __do_softirq+0xde/0x2b3
[60103.826337]  irq_exit+0xae/0xb0
[60103.826342]  do_IRQ+0x81/0xd0
[60103.826347]  common_interrupt+0x98/0x98
[60103.826351]  </IRQ>
[60103.826355] RIP: 0033:0x7f397bdf2282
[60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e
[60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7
[60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0
[60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0
[60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000
[60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83
e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48
ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1
[60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68
[60103.826444] CR2: ffff9641f2004000

Commit e1069bbfcf ("net: cdc_ncm: Reduce memory use when kernel
memory low") made this bug much more likely to trigger by reducing
the NTB size under memory pressure.

Link: https://bugs.debian.org/893393
Reported-by: Горбешко Богдан <bodqhrohro@gmail.com>
Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
Cc: Enrico Mioso <mrkiko.rs@gmail.com>
Fixes: 4a0e3e989d ("cdc_ncm: Add support for moving NDP to end of NCM frame")
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-08 19:50:01 -04:00
accessibility
acpi * Stratix10 SDRAM support to altera_edac (Thor Thayer) 2018-06-06 15:36:13 -07:00
amba Merge branch 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm 2018-06-06 13:49:25 -07:00
android
ata Merge branch 'for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2018-06-05 17:01:41 -07:00
atm atm: zatm: fix memcmp casting 2018-05-29 09:59:53 -04:00
auxdisplay
base - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
bcma dma-mapping updates for 4.18: 2018-06-04 10:58:12 -07:00
block Merge branch 'hch.procfs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-06-04 10:00:01 -07:00
bluetooth Bluetooth: btusb: Add additional device ID for RTL8822BE 2018-05-30 15:45:01 +02:00
bus
cdrom
char It's been a busy release for the IPMI driver. Some notable changes: 2018-06-06 15:48:10 -07:00
clk - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
clocksource clocksource/drivers/mxs_timer: Switch to SPDX identifier 2018-05-23 07:39:09 +02:00
connector Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
cpufreq ACPI updates for 4.18-rc1 2018-06-05 10:08:27 -07:00
cpuidle powerpc updates for 4.18 2018-06-07 10:23:33 -07:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2018-06-05 15:51:21 -07:00
dax - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
dca
devfreq
dio
dma - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
dma-buf
edac EDAC, ghes: Make platform-based whitelisting x86-only 2018-05-21 12:18:57 +02:00
eisa
extcon
firewire treewide: Use struct_size() for kmalloc()-family 2018-06-06 11:15:43 -07:00
firmware Char/Misc driver patches for 4.18-rc1 2018-06-05 16:20:22 -07:00
fmc
fpga fpga: clarify that unregister functions also free 2018-05-25 18:23:56 +02:00
fsi
gpio - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
gpu media updates for v4.18-rc1 2018-06-07 12:34:37 -07:00
hid
hsi
hv
hwmon powerpc updates for 4.18 2018-06-07 10:23:33 -07:00
hwspinlock treewide: Use struct_size() for devm_kmalloc() and friends 2018-06-06 11:15:43 -07:00
hwtracing Char/Misc driver patches for 4.18-rc1 2018-06-05 16:20:22 -07:00
i2c USB/PHY patches for 4.18-rc1 2018-06-05 16:14:12 -07:00
ide dma-mapping updates for 4.18: 2018-06-04 10:58:12 -07:00
idle
iio
infiniband Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
input - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
iommu dma-mapping updates for 4.18: 2018-06-04 10:58:12 -07:00
ipack
irqchip irqchip/stm32: Add suspend/resume support for hierarchy domain 2018-05-24 12:38:22 +01:00
isdn Merge branch 'work.aio-1' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-06-04 13:57:43 -07:00
leds leds: class: ensure workqueue is initialized before setting brightness 2018-05-24 22:08:26 +02:00
lightnvm lightnvm: pblk: take bitmap alloc. out of critical section 2018-06-01 09:02:53 -06:00
macintosh powerpc updates for 4.18 2018-06-07 10:23:33 -07:00
mailbox
mcb
md - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
media media updates for v4.18-rc1 2018-06-07 12:34:37 -07:00
memory
memstick
message Merge branch 'hch.procfs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-06-04 10:00:01 -07:00
mfd - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
misc powerpc updates for 4.18 2018-06-07 10:23:33 -07:00
mmc MMC core: 2018-06-05 16:11:43 -07:00
mtd - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
mux
net cdc_ncm: avoid padding beyond end of skb 2018-06-08 19:50:01 -04:00
nfc NFC: pn533: don't send USB data off of the stack 2018-05-31 12:43:14 +02:00
ntb
nubus Char/Misc driver patches for 4.18-rc1 2018-06-05 16:20:22 -07:00
nvdimm
nvme Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-06-04 15:54:04 -07:00
nvmem
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
opp OPP: Allow same OPP table to be used for multiple genpd 2018-05-30 15:38:21 +05:30
oprofile
parisc dma-mapping updates for 4.18: 2018-06-04 10:58:12 -07:00
parport
pci Power management updates for 4.18-rc1 2018-06-05 09:38:39 -07:00
pcmcia
perf
phy Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
pinctrl - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
platform USB/PHY patches for 4.18-rc1 2018-06-05 16:14:12 -07:00
pnp media updates for v4.18-rc1 2018-06-07 12:34:37 -07:00
power USB/PHY patches for 4.18-rc1 2018-06-05 16:14:12 -07:00
powercap
pps
ps3
ptp ptp_qoriq: move some definitions to header file 2018-05-28 23:05:11 -04:00
pwm
rapidio
ras
regulator treewide: Use struct_size() for devm_kmalloc() and friends 2018-06-06 11:15:43 -07:00
remoteproc
reset - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
rpmsg
rtc - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
sbus
scsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
sfi
sh
siox
slimbus
sn
soc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
soundwire Char/Misc driver patches for 4.18-rc1 2018-06-05 16:20:22 -07:00
spi Power management updates for 4.18-rc1 2018-06-05 09:38:39 -07:00
spmi
ssb
staging media updates for v4.18-rc1 2018-06-07 12:34:37 -07:00
target for-4.18/block-20180603 2018-06-04 07:58:06 -07:00
tc
tee
thermal - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
thunderbolt
tty powerpc updates for 4.18 2018-06-07 10:23:33 -07:00
uio
usb - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
uwb
vfio Merge branch 'work.aio-1' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-06-04 13:57:43 -07:00
vhost Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
video media updates for v4.18-rc1 2018-06-07 12:34:37 -07:00
virt
virtio
visorbus
vlynq
vme
w1 Char/Misc driver patches for 4.18-rc1 2018-06-05 16:20:22 -07:00
watchdog
xen
zorro - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
Kconfig
Makefile