FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 08-23-2012, 02:20 PM
Ben Hutchings
 
Default net: Allow driver to limit number of GSO segments per skb

CVE-2012-3412

BugLink: http://bugs.launchpad.net/bugs/1037456

A peer (or local user) may cause TCP to use a nominal MSS of as little
as 88 (actual MSS of 76 with timestamps). Given that we have a
sufficiently prodigious local sender and the peer ACKs quickly enough,
it is nevertheless possible to grow the window for such a connection
to the point that we will try to send just under 64K at once. This
results in a single skb that expands to 861 segments.

In some drivers with TSO support, such an skb will require hundreds of
DMA descriptors; a substantial fraction of a TX ring or even more than
a full ring. The TX queue selected for the skb may stall and trigger
the TX watchdog repeatedly (since the problem skb will be retried
after the TX reset). This particularly affects sfc, for which the
issue is designated as CVE-2012-3412.

Therefore:
1. Add the field net_device::gso_max_segs holding the device-specific
limit.
2. In netif_skb_features(), if the number of segments is too high then
mask out GSO features to force fall back to software GSO.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit 30b678d844af3305cda5953467005cebb5d7b687)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
include/linux/netdevice.h | 6 ++++++
net/core/dev.c | 1 +
2 files changed, 7 insertions(+)

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index ea6187c..9e5d0d0 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -907,6 +907,8 @@ struct net_device
/* for setting kernel sock attribute on TCP connection setup */
#define GSO_MAX_SIZE 65536
unsigned int gso_max_size;
+#define GSO_MAX_SEGS 65535
+ u16 gso_max_segs;

#ifdef CONFIG_DCB
/* Data Center Bridging netlink ops */
@@ -1935,6 +1937,10 @@ static inline int skb_gso_ok(struct sk_buff *skb, int features)

static inline int netif_needs_gso(struct net_device *dev, struct sk_buff *skb)
{
+ if (skb_is_gso(skb) &&
+ skb_shinfo(skb)->gso_segs > skb->dev->gso_max_segs)
+ return 0;
+
return skb_is_gso(skb) &&
(!skb_gso_ok(skb, dev->features) ||
unlikely(skb->ip_summed != CHECKSUM_PARTIAL));
diff --git a/net/core/dev.c b/net/core/dev.c
index f32f98a..7b315a2 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -5195,6 +5195,7 @@ struct net_device *alloc_netdev_mq(int sizeof_priv, const char *name,
dev->real_num_tx_queues = queue_count;

dev->gso_max_size = GSO_MAX_SIZE;
+ dev->gso_max_segs = GSO_MAX_SEGS;

netdev_init_queues(dev);

--
1.7.9.5


--------------020804000905000607090701
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

--------------020804000905000607090701--
 
Old 08-27-2012, 02:54 PM
Ben Hutchings
 
Default net: Allow driver to limit number of GSO segments per skb

CVE-2012-3412

BugLink: http://bugs.launchpad.net/bugs/1037456

A peer (or local user) may cause TCP to use a nominal MSS of as little
as 88 (actual MSS of 76 with timestamps). Given that we have a
sufficiently prodigious local sender and the peer ACKs quickly enough,
it is nevertheless possible to grow the window for such a connection
to the point that we will try to send just under 64K at once. This
results in a single skb that expands to 861 segments.

In some drivers with TSO support, such an skb will require hundreds of
DMA descriptors; a substantial fraction of a TX ring or even more than
a full ring. The TX queue selected for the skb may stall and trigger
the TX watchdog repeatedly (since the problem skb will be retried
after the TX reset). This particularly affects sfc, for which the
issue is designated as CVE-2012-3412.
Therefore:
1. Add the field net_device::gso_max_segs holding the device-specific
limit.
2. In netif_skb_features(), if the number of segments is too high then
mask out GSO features to force fall back to software GSO.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit 30b678d844af3305cda5953467005cebb5d7b687)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Herton Krzesinski <herton.krzesinski@canonical.com>
---
drivers/net/xen-netfront.c | 2 +-
include/linux/netdevice.h | 16 ++++++++++++++--
net/core/dev.c | 16 ++++++++++------
3 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 1a11d95..422001f 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -486,7 +486,7 @@ static int xennet_start_xmit(struct sk_buff *skb, struct net_device *dev)

if (unlikely(!netif_carrier_ok(dev) ||
(frags > 1 && !xennet_can_sg(dev)) ||
- netif_needs_gso(dev, skb))) {
+ netif_needs_gso(skb, netif_skb_features(dev, skb)))) {
spin_unlock_irq(&np->tx_lock);
goto drop;
}
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index ea6187c..41e689e 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -907,6 +907,8 @@ struct net_device
/* for setting kernel sock attribute on TCP connection setup */
#define GSO_MAX_SIZE 65536
unsigned int gso_max_size;
+#define GSO_MAX_SEGS 65535
+ u16 gso_max_segs;

#ifdef CONFIG_DCB
/* Data Center Bridging netlink ops */
@@ -1933,10 +1935,10 @@ static inline int skb_gso_ok(struct sk_buff *skb, int features)
(!skb_has_frags(skb) || (features & NETIF_F_FRAGLIST));
}

-static inline int netif_needs_gso(struct net_device *dev, struct sk_buff *skb)
+static inline int netif_needs_gso(struct sk_buff *skb, int features)
{
return skb_is_gso(skb) &&
- (!skb_gso_ok(skb, dev->features) ||
+ (!skb_gso_ok(skb, features) ||
unlikely(skb->ip_summed != CHECKSUM_PARTIAL));
}

@@ -1956,6 +1958,16 @@ static inline void skb_bond_set_mac_by_master(struct sk_buff *skb,
}
}

+static inline int netif_skb_features(struct net_device *dev, struct sk_buff *skb)
+{
+ int features = dev->features;
+
+ if (skb_shinfo(skb)->gso_segs > skb->dev->gso_max_segs)
+ features &= ~NETIF_F_GSO_MASK;
+
+ return features;
+}
+
/* On bonding slaves other than the currently active slave, suppress
* duplicates except for 802.3ad ETH_P_SLOW, alb non-mcast/bcast, and
* ARP on active-backup slaves with arp_validate enabled.
diff --git a/net/core/dev.c b/net/core/dev.c
index f32f98a..b250f81 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1682,13 +1682,12 @@ static void dev_gso_skb_destructor(struct sk_buff *skb)
* This function segments the given skb and stores the list of segments
* in skb->next.
*/
-static int dev_gso_segment(struct sk_buff *skb)
+static int dev_gso_segment(struct sk_buff *skb, int features)
{
struct net_device *dev = skb->dev;
struct sk_buff *segs;
- int features = dev->features & ~(illegal_highdma(dev, skb) ?
- NETIF_F_SG : 0);

+ features &= ~(illegal_highdma(dev, skb) ? NETIF_F_SG : 0);
segs = skb_gso_segment(skb, features);

/* Verifying header integrity only. */
@@ -1712,11 +1711,15 @@ int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
int rc;

if (likely(!skb->next)) {
+ int features;
+
if (!list_empty(&ptype_all))
dev_queue_xmit_nit(skb, dev);

- if (netif_needs_gso(dev, skb)) {
- if (unlikely(dev_gso_segment(skb)))
+ features = netif_skb_features(dev, skb);
+
+ if (netif_needs_gso(skb, features)) {
+ if (unlikely(dev_gso_segment(skb, features)))
goto out_kfree_skb;
if (skb->next)
goto gso;
@@ -1887,7 +1890,7 @@ int dev_queue_xmit(struct sk_buff *skb)
int rc = -ENOMEM;

/* GSO will handle the following emulations directly. */
- if (netif_needs_gso(dev, skb))
+ if (netif_needs_gso(skb, netif_skb_features(dev, skb)))
goto gso;

if (skb_has_frags(skb) &&
@@ -5195,6 +5198,7 @@ struct net_device *alloc_netdev_mq(int sizeof_priv, const char *name,
dev->real_num_tx_queues = queue_count;

dev->gso_max_size = GSO_MAX_SIZE;
+ dev->gso_max_segs = GSO_MAX_SEGS;

netdev_init_queues(dev);

--
1.7.9.5


--------------070500010902090408000709
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

--------------070500010902090408000709--
 

Thread Tools




All times are GMT. The time now is 09:36 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org