On Fri, Jun 29, 2018 at 10:53:55AM +0200, Bjørn Mork wrote: > [ Upstream commit 49c2c3f246e2fc3009039e31a826333dcd0283cd ] > > Commit 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end > of NCM frame") added logic to reserve space for the NDP at the > end of the NTB/skb. This reservation did not take the final > alignment of the NDP into account, causing us to reserve too > little space. Additionally the padding prior to NDP addition did > not ensure there was enough space for the NDP. > > The NTB/skb with the NDP appended would then exceed the configured > max size. This caused the final padding of the NTB to use a > negative count, padding to almost INT_MAX, and resulting in: > > [60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000 > [60103.825998] IP: __memset+0x24/0x30 > [60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0 > [60103.826013] Oops: 0002 [#1] SMP NOPTI > [60103.826018] Modules linked in: (removed( > [60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G O 4.14.0-3-amd64 #1 Debian 4.14.17-1 > [60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012 > [60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000 > [60103.826171] RIP: 0010:__memset+0x24/0x30 > [60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216 > [60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000 > [60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc > [60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004 > [60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80 > [60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900 > [60103.826194] FS: 00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000 > [60103.826197] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0 > [60103.826204] Call Trace: > [60103.826212] <IRQ> > [60103.826225] cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm] > [60103.826236] cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm] > [60103.826246] usbnet_start_xmit+0x5d/0x710 [usbnet] > [60103.826254] ? netif_skb_features+0x119/0x250 > [60103.826259] dev_hard_start_xmit+0xa1/0x200 > [60103.826267] sch_direct_xmit+0xf2/0x1b0 > [60103.826273] __dev_queue_xmit+0x5e3/0x7c0 > [60103.826280] ? ip_finish_output2+0x263/0x3c0 > [60103.826284] ip_finish_output2+0x263/0x3c0 > [60103.826289] ? ip_output+0x6c/0xe0 > [60103.826293] ip_output+0x6c/0xe0 > [60103.826298] ? ip_forward_options+0x1a0/0x1a0 > [60103.826303] tcp_transmit_skb+0x516/0x9b0 > [60103.826309] tcp_write_xmit+0x1aa/0xee0 > [60103.826313] ? sch_direct_xmit+0x71/0x1b0 > [60103.826318] tcp_tasklet_func+0x177/0x180 > [60103.826325] tasklet_action+0x5f/0x110 > [60103.826332] __do_softirq+0xde/0x2b3 > [60103.826337] irq_exit+0xae/0xb0 > [60103.826342] do_IRQ+0x81/0xd0 > [60103.826347] common_interrupt+0x98/0x98 > [60103.826351] </IRQ> > [60103.826355] RIP: 0033:0x7f397bdf2282 > [60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e > [60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7 > [60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0 > [60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 > [60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0 > [60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000 > [60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83 > e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 > ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 > [60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68 > [60103.826444] CR2: ffff9641f2004000 > > Commit e1069bbfcf3b ("net: cdc_ncm: Reduce memory use when kernel > memory low") made this bug much more likely to trigger by reducing > the NTB size under memory pressure. > > Link: https://bugs.debian.org/893393 > Reported-by: Горбешко Богдан <bodqhrohro@xxxxxxxxx> > Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@xxxxxxxxxxx> > Cc: Enrico Mioso <mrkiko.rs@xxxxxxxxx> > Fixes: 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end of NCM frame") > [ bmork: tx_curr_size => tx_max and context fixup for v4.12 and older ] > Signed-off-by: Bjørn Mork <bjorn@xxxxxxx> > Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> > --- > > This has already been applied to stable 4.14 and newer, but needed two minor > changes for anything older than v4.13. The bug is only present in v4.3 and > and newer, so there is no need to consider this backport for anything older > than stable 4.4. > > Please apply to 4.4 and 4.9 stable. Now applied, thanks. greg k-h