7ec318feee
When a GSO skb of truesize O is segmented into 2 new skbs of truesize N1 and N2, we want to transfer socket ownership to the new fresh skbs. In order to avoid expensive atomic operations on a cache line subject to cache bouncing, we replace the sequence : refcount_add(N1, &sk->sk_wmem_alloc); refcount_add(N2, &sk->sk_wmem_alloc); // repeated by number of segments refcount_sub(O, &sk->sk_wmem_alloc); by a single refcount_add(sum_of(N) - O, &sk->sk_wmem_alloc); Problem is : In some pathological cases, sum(N) - O might be a negative number, and syzkaller bot was apparently able to trigger this trace [1] atomic_t was ok with this construct, but we need to take care of the negative delta with refcount_t [1] refcount_t: saturated; leaking memory. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 8404 at lib/refcount.c:77 refcount_add_not_zero+0x198/0x200 lib/refcount.c:77 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 8404 Comm: syz-executor2 Not tainted 4.14.0-rc5-mm1+ #20 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 panic+0x1e4/0x41c kernel/panic.c:183 __warn+0x1c4/0x1e0 kernel/panic.c:546 report_bug+0x211/0x2d0 lib/bug.c:183 fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:177 do_trap_no_signal arch/x86/kernel/traps.c:211 [inline] do_trap+0x260/0x390 arch/x86/kernel/traps.c:260 do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:297 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:310 invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905 RIP: 0010:refcount_add_not_zero+0x198/0x200 lib/refcount.c:77 RSP: 0018:ffff8801c606e3a0 EFLAGS: 00010282 RAX: 0000000000000026 RBX: 0000000000001401 RCX: 0000000000000000 RDX: 0000000000000026 RSI: ffffc900036fc000 RDI: ffffed0038c0dc68 RBP: ffff8801c606e430 R08: 0000000000000001 R09: 0000000000000000 R10: ffff8801d97f5eba R11: 0000000000000000 R12: ffff8801d5acf73c R13: 1ffff10038c0dc75 R14: 00000000ffffffff R15: 00000000fffff72f refcount_add+0x1b/0x60 lib/refcount.c:101 tcp_gso_segment+0x10d0/0x16b0 net/ipv4/tcp_offload.c:155 tcp4_gso_segment+0xd4/0x310 net/ipv4/tcp_offload.c:51 inet_gso_segment+0x60c/0x11c0 net/ipv4/af_inet.c:1271 skb_mac_gso_segment+0x33f/0x660 net/core/dev.c:2749 __skb_gso_segment+0x35f/0x7f0 net/core/dev.c:2821 skb_gso_segment include/linux/netdevice.h:3971 [inline] validate_xmit_skb+0x4ba/0xb20 net/core/dev.c:3074 __dev_queue_xmit+0xe49/0x2070 net/core/dev.c:3497 dev_queue_xmit+0x17/0x20 net/core/dev.c:3538 neigh_hh_output include/net/neighbour.h:471 [inline] neigh_output include/net/neighbour.h:479 [inline] ip_finish_output2+0xece/0x1460 net/ipv4/ip_output.c:229 ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:238 [inline] ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:459 [inline] ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124 ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504 tcp_transmit_skb+0x1ab7/0x3840 net/ipv4/tcp_output.c:1137 tcp_write_xmit+0x663/0x4de0 net/ipv4/tcp_output.c:2341 __tcp_push_pending_frames+0xa0/0x250 net/ipv4/tcp_output.c:2513 tcp_push_pending_frames include/net/tcp.h:1722 [inline] tcp_data_snd_check net/ipv4/tcp_input.c:5050 [inline] tcp_rcv_established+0x8c7/0x18a0 net/ipv4/tcp_input.c:5497 tcp_v4_do_rcv+0x2ab/0x7d0 net/ipv4/tcp_ipv4.c:1460 sk_backlog_rcv include/net/sock.h:909 [inline] __release_sock+0x124/0x360 net/core/sock.c:2264 release_sock+0xa4/0x2a0 net/core/sock.c:2776 tcp_sendmsg+0x3a/0x50 net/ipv4/tcp.c:1462 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763 sock_sendmsg_nosec net/socket.c:632 [inline] sock_sendmsg+0xca/0x110 net/socket.c:642 ___sys_sendmsg+0x31c/0x890 net/socket.c:2048 __sys_sendmmsg+0x1e6/0x5f0 net/socket.c:2138 Fixes: 14afee4b6092 ("net: convert sock.sk_wmem_alloc from atomic_t to refcount_t") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net>
344 lines
8.1 KiB
C
344 lines
8.1 KiB
C
/*
|
|
* IPV4 GSO/GRO offload support
|
|
* Linux INET implementation
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the License, or (at your option) any later version.
|
|
*
|
|
* TCPv4 GSO/GRO support
|
|
*/
|
|
|
|
#include <linux/skbuff.h>
|
|
#include <net/tcp.h>
|
|
#include <net/protocol.h>
|
|
|
|
static void tcp_gso_tstamp(struct sk_buff *skb, unsigned int ts_seq,
|
|
unsigned int seq, unsigned int mss)
|
|
{
|
|
while (skb) {
|
|
if (before(ts_seq, seq + mss)) {
|
|
skb_shinfo(skb)->tx_flags |= SKBTX_SW_TSTAMP;
|
|
skb_shinfo(skb)->tskey = ts_seq;
|
|
return;
|
|
}
|
|
|
|
skb = skb->next;
|
|
seq += mss;
|
|
}
|
|
}
|
|
|
|
static struct sk_buff *tcp4_gso_segment(struct sk_buff *skb,
|
|
netdev_features_t features)
|
|
{
|
|
if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
if (unlikely(skb->ip_summed != CHECKSUM_PARTIAL)) {
|
|
const struct iphdr *iph = ip_hdr(skb);
|
|
struct tcphdr *th = tcp_hdr(skb);
|
|
|
|
/* Set up checksum pseudo header, usually expect stack to
|
|
* have done this already.
|
|
*/
|
|
|
|
th->check = 0;
|
|
skb->ip_summed = CHECKSUM_PARTIAL;
|
|
__tcp_v4_send_check(skb, iph->saddr, iph->daddr);
|
|
}
|
|
|
|
return tcp_gso_segment(skb, features);
|
|
}
|
|
|
|
struct sk_buff *tcp_gso_segment(struct sk_buff *skb,
|
|
netdev_features_t features)
|
|
{
|
|
struct sk_buff *segs = ERR_PTR(-EINVAL);
|
|
unsigned int sum_truesize = 0;
|
|
struct tcphdr *th;
|
|
unsigned int thlen;
|
|
unsigned int seq;
|
|
__be32 delta;
|
|
unsigned int oldlen;
|
|
unsigned int mss;
|
|
struct sk_buff *gso_skb = skb;
|
|
__sum16 newcheck;
|
|
bool ooo_okay, copy_destructor;
|
|
|
|
th = tcp_hdr(skb);
|
|
thlen = th->doff * 4;
|
|
if (thlen < sizeof(*th))
|
|
goto out;
|
|
|
|
if (!pskb_may_pull(skb, thlen))
|
|
goto out;
|
|
|
|
oldlen = (u16)~skb->len;
|
|
__skb_pull(skb, thlen);
|
|
|
|
mss = skb_shinfo(skb)->gso_size;
|
|
if (unlikely(skb->len <= mss))
|
|
goto out;
|
|
|
|
if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
|
|
/* Packet is from an untrusted source, reset gso_segs. */
|
|
|
|
skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);
|
|
|
|
segs = NULL;
|
|
goto out;
|
|
}
|
|
|
|
copy_destructor = gso_skb->destructor == tcp_wfree;
|
|
ooo_okay = gso_skb->ooo_okay;
|
|
/* All segments but the first should have ooo_okay cleared */
|
|
skb->ooo_okay = 0;
|
|
|
|
segs = skb_segment(skb, features);
|
|
if (IS_ERR(segs))
|
|
goto out;
|
|
|
|
/* Only first segment might have ooo_okay set */
|
|
segs->ooo_okay = ooo_okay;
|
|
|
|
/* GSO partial and frag_list segmentation only requires splitting
|
|
* the frame into an MSS multiple and possibly a remainder, both
|
|
* cases return a GSO skb. So update the mss now.
|
|
*/
|
|
if (skb_is_gso(segs))
|
|
mss *= skb_shinfo(segs)->gso_segs;
|
|
|
|
delta = htonl(oldlen + (thlen + mss));
|
|
|
|
skb = segs;
|
|
th = tcp_hdr(skb);
|
|
seq = ntohl(th->seq);
|
|
|
|
if (unlikely(skb_shinfo(gso_skb)->tx_flags & SKBTX_SW_TSTAMP))
|
|
tcp_gso_tstamp(segs, skb_shinfo(gso_skb)->tskey, seq, mss);
|
|
|
|
newcheck = ~csum_fold((__force __wsum)((__force u32)th->check +
|
|
(__force u32)delta));
|
|
|
|
while (skb->next) {
|
|
th->fin = th->psh = 0;
|
|
th->check = newcheck;
|
|
|
|
if (skb->ip_summed == CHECKSUM_PARTIAL)
|
|
gso_reset_checksum(skb, ~th->check);
|
|
else
|
|
th->check = gso_make_checksum(skb, ~th->check);
|
|
|
|
seq += mss;
|
|
if (copy_destructor) {
|
|
skb->destructor = gso_skb->destructor;
|
|
skb->sk = gso_skb->sk;
|
|
sum_truesize += skb->truesize;
|
|
}
|
|
skb = skb->next;
|
|
th = tcp_hdr(skb);
|
|
|
|
th->seq = htonl(seq);
|
|
th->cwr = 0;
|
|
}
|
|
|
|
/* Following permits TCP Small Queues to work well with GSO :
|
|
* The callback to TCP stack will be called at the time last frag
|
|
* is freed at TX completion, and not right now when gso_skb
|
|
* is freed by GSO engine
|
|
*/
|
|
if (copy_destructor) {
|
|
int delta;
|
|
|
|
swap(gso_skb->sk, skb->sk);
|
|
swap(gso_skb->destructor, skb->destructor);
|
|
sum_truesize += skb->truesize;
|
|
delta = sum_truesize - gso_skb->truesize;
|
|
/* In some pathological cases, delta can be negative.
|
|
* We need to either use refcount_add() or refcount_sub_and_test()
|
|
*/
|
|
if (likely(delta >= 0))
|
|
refcount_add(delta, &skb->sk->sk_wmem_alloc);
|
|
else
|
|
WARN_ON_ONCE(refcount_sub_and_test(-delta, &skb->sk->sk_wmem_alloc));
|
|
}
|
|
|
|
delta = htonl(oldlen + (skb_tail_pointer(skb) -
|
|
skb_transport_header(skb)) +
|
|
skb->data_len);
|
|
th->check = ~csum_fold((__force __wsum)((__force u32)th->check +
|
|
(__force u32)delta));
|
|
if (skb->ip_summed == CHECKSUM_PARTIAL)
|
|
gso_reset_checksum(skb, ~th->check);
|
|
else
|
|
th->check = gso_make_checksum(skb, ~th->check);
|
|
out:
|
|
return segs;
|
|
}
|
|
|
|
struct sk_buff **tcp_gro_receive(struct sk_buff **head, struct sk_buff *skb)
|
|
{
|
|
struct sk_buff **pp = NULL;
|
|
struct sk_buff *p;
|
|
struct tcphdr *th;
|
|
struct tcphdr *th2;
|
|
unsigned int len;
|
|
unsigned int thlen;
|
|
__be32 flags;
|
|
unsigned int mss = 1;
|
|
unsigned int hlen;
|
|
unsigned int off;
|
|
int flush = 1;
|
|
int i;
|
|
|
|
off = skb_gro_offset(skb);
|
|
hlen = off + sizeof(*th);
|
|
th = skb_gro_header_fast(skb, off);
|
|
if (skb_gro_header_hard(skb, hlen)) {
|
|
th = skb_gro_header_slow(skb, hlen, off);
|
|
if (unlikely(!th))
|
|
goto out;
|
|
}
|
|
|
|
thlen = th->doff * 4;
|
|
if (thlen < sizeof(*th))
|
|
goto out;
|
|
|
|
hlen = off + thlen;
|
|
if (skb_gro_header_hard(skb, hlen)) {
|
|
th = skb_gro_header_slow(skb, hlen, off);
|
|
if (unlikely(!th))
|
|
goto out;
|
|
}
|
|
|
|
skb_gro_pull(skb, thlen);
|
|
|
|
len = skb_gro_len(skb);
|
|
flags = tcp_flag_word(th);
|
|
|
|
for (; (p = *head); head = &p->next) {
|
|
if (!NAPI_GRO_CB(p)->same_flow)
|
|
continue;
|
|
|
|
th2 = tcp_hdr(p);
|
|
|
|
if (*(u32 *)&th->source ^ *(u32 *)&th2->source) {
|
|
NAPI_GRO_CB(p)->same_flow = 0;
|
|
continue;
|
|
}
|
|
|
|
goto found;
|
|
}
|
|
|
|
goto out_check_final;
|
|
|
|
found:
|
|
/* Include the IP ID check below from the inner most IP hdr */
|
|
flush = NAPI_GRO_CB(p)->flush;
|
|
flush |= (__force int)(flags & TCP_FLAG_CWR);
|
|
flush |= (__force int)((flags ^ tcp_flag_word(th2)) &
|
|
~(TCP_FLAG_CWR | TCP_FLAG_FIN | TCP_FLAG_PSH));
|
|
flush |= (__force int)(th->ack_seq ^ th2->ack_seq);
|
|
for (i = sizeof(*th); i < thlen; i += 4)
|
|
flush |= *(u32 *)((u8 *)th + i) ^
|
|
*(u32 *)((u8 *)th2 + i);
|
|
|
|
/* When we receive our second frame we can made a decision on if we
|
|
* continue this flow as an atomic flow with a fixed ID or if we use
|
|
* an incrementing ID.
|
|
*/
|
|
if (NAPI_GRO_CB(p)->flush_id != 1 ||
|
|
NAPI_GRO_CB(p)->count != 1 ||
|
|
!NAPI_GRO_CB(p)->is_atomic)
|
|
flush |= NAPI_GRO_CB(p)->flush_id;
|
|
else
|
|
NAPI_GRO_CB(p)->is_atomic = false;
|
|
|
|
mss = skb_shinfo(p)->gso_size;
|
|
|
|
flush |= (len - 1) >= mss;
|
|
flush |= (ntohl(th2->seq) + skb_gro_len(p)) ^ ntohl(th->seq);
|
|
|
|
if (flush || skb_gro_receive(head, skb)) {
|
|
mss = 1;
|
|
goto out_check_final;
|
|
}
|
|
|
|
p = *head;
|
|
th2 = tcp_hdr(p);
|
|
tcp_flag_word(th2) |= flags & (TCP_FLAG_FIN | TCP_FLAG_PSH);
|
|
|
|
out_check_final:
|
|
flush = len < mss;
|
|
flush |= (__force int)(flags & (TCP_FLAG_URG | TCP_FLAG_PSH |
|
|
TCP_FLAG_RST | TCP_FLAG_SYN |
|
|
TCP_FLAG_FIN));
|
|
|
|
if (p && (!NAPI_GRO_CB(skb)->same_flow || flush))
|
|
pp = head;
|
|
|
|
out:
|
|
NAPI_GRO_CB(skb)->flush |= (flush != 0);
|
|
|
|
return pp;
|
|
}
|
|
|
|
int tcp_gro_complete(struct sk_buff *skb)
|
|
{
|
|
struct tcphdr *th = tcp_hdr(skb);
|
|
|
|
skb->csum_start = (unsigned char *)th - skb->head;
|
|
skb->csum_offset = offsetof(struct tcphdr, check);
|
|
skb->ip_summed = CHECKSUM_PARTIAL;
|
|
|
|
skb_shinfo(skb)->gso_segs = NAPI_GRO_CB(skb)->count;
|
|
|
|
if (th->cwr)
|
|
skb_shinfo(skb)->gso_type |= SKB_GSO_TCP_ECN;
|
|
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(tcp_gro_complete);
|
|
|
|
static struct sk_buff **tcp4_gro_receive(struct sk_buff **head, struct sk_buff *skb)
|
|
{
|
|
/* Don't bother verifying checksum if we're going to flush anyway. */
|
|
if (!NAPI_GRO_CB(skb)->flush &&
|
|
skb_gro_checksum_validate(skb, IPPROTO_TCP,
|
|
inet_gro_compute_pseudo)) {
|
|
NAPI_GRO_CB(skb)->flush = 1;
|
|
return NULL;
|
|
}
|
|
|
|
return tcp_gro_receive(head, skb);
|
|
}
|
|
|
|
static int tcp4_gro_complete(struct sk_buff *skb, int thoff)
|
|
{
|
|
const struct iphdr *iph = ip_hdr(skb);
|
|
struct tcphdr *th = tcp_hdr(skb);
|
|
|
|
th->check = ~tcp_v4_check(skb->len - thoff, iph->saddr,
|
|
iph->daddr, 0);
|
|
skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV4;
|
|
|
|
if (NAPI_GRO_CB(skb)->is_atomic)
|
|
skb_shinfo(skb)->gso_type |= SKB_GSO_TCP_FIXEDID;
|
|
|
|
return tcp_gro_complete(skb);
|
|
}
|
|
|
|
static const struct net_offload tcpv4_offload = {
|
|
.callbacks = {
|
|
.gso_segment = tcp4_gso_segment,
|
|
.gro_receive = tcp4_gro_receive,
|
|
.gro_complete = tcp4_gro_complete,
|
|
},
|
|
};
|
|
|
|
int __init tcpv4_offload_init(void)
|
|
{
|
|
return inet_add_offload(&tcpv4_offload, IPPROTO_TCP);
|
|
}
|