Re: [PATCH stable 4.9 and 4.4] cdc_ncm: avoid padding beyond end of skb

On Fri, Jun 29, 2018 at 10:53:55AM +0200, Bjørn Mork wrote:
> [ Upstream commit 49c2c3f246e2fc3009039e31a826333dcd0283cd ]
> 
> Commit 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end
> of NCM frame") added logic to reserve space for the NDP at the
> end of the NTB/skb.  This reservation did not take the final
> alignment of the NDP into account, causing us to reserve too
> little space. Additionally the padding prior to NDP addition did
> not ensure there was enough space for the NDP.
> 
> The NTB/skb with the NDP appended would then exceed the configured
> max size. This caused the final padding of the NTB to use a
> negative count, padding to almost INT_MAX, and resulting in:
> 
> [60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000
> [60103.825998] IP: __memset+0x24/0x30
> [60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0
> [60103.826013] Oops: 0002 [#1] SMP NOPTI
> [60103.826018] Modules linked in: (removed)
> [60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G           O 4.14.0-3-amd64 #1 Debian 4.14.17-1
> [60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012
> [60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000
> [60103.826171] RIP: 0010:__memset+0x24/0x30
> [60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216
> [60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000
> [60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc
> [60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004
> [60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80
> [60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900
> [60103.826194] FS:  00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000
> [60103.826197] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0
> [60103.826204] Call Trace:
> [60103.826212]  <IRQ>
> [60103.826225]  cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm]
> [60103.826236]  cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm]
> [60103.826246]  usbnet_start_xmit+0x5d/0x710 [usbnet]
> [60103.826254]  ? netif_skb_features+0x119/0x250
> [60103.826259]  dev_hard_start_xmit+0xa1/0x200
> [60103.826267]  sch_direct_xmit+0xf2/0x1b0
> [60103.826273]  __dev_queue_xmit+0x5e3/0x7c0
> [60103.826280]  ? ip_finish_output2+0x263/0x3c0
> [60103.826284]  ip_finish_output2+0x263/0x3c0
> [60103.826289]  ? ip_output+0x6c/0xe0
> [60103.826293]  ip_output+0x6c/0xe0
> [60103.826298]  ? ip_forward_options+0x1a0/0x1a0
> [60103.826303]  tcp_transmit_skb+0x516/0x9b0
> [60103.826309]  tcp_write_xmit+0x1aa/0xee0
> [60103.826313]  ? sch_direct_xmit+0x71/0x1b0
> [60103.826318]  tcp_tasklet_func+0x177/0x180
> [60103.826325]  tasklet_action+0x5f/0x110
> [60103.826332]  __do_softirq+0xde/0x2b3
> [60103.826337]  irq_exit+0xae/0xb0
> [60103.826342]  do_IRQ+0x81/0xd0
> [60103.826347]  common_interrupt+0x98/0x98
> [60103.826351]  </IRQ>
> [60103.826355] RIP: 0033:0x7f397bdf2282
> [60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e
> [60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7
> [60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0
> [60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
> [60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0
> [60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000
> [60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1
> [60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68
> [60103.826444] CR2: ffff9641f2004000
> 
> Commit e1069bbfcf3b ("net: cdc_ncm: Reduce memory use when kernel
> memory low") made this bug much more likely to trigger by reducing
> the NTB size under memory pressure.
> 
> Link: https://bugs.debian.org/893393
> Reported-by: Горбешко Богдан <bodqhrohro@xxxxxxxxx>
> Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@xxxxxxxxxxx>
> Cc: Enrico Mioso <mrkiko.rs@xxxxxxxxx>
> Fixes: 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end of NCM frame")
> [ bmork:  tx_curr_size => tx_max and context fixup for v4.12 and older ]
> Signed-off-by: Bjørn Mork <bjorn@xxxxxxx>
> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> ---
> 
> This has already been applied to stable 4.14 and newer, but needed two minor
> changes for anything older than v4.13.  The bug is only present in v4.3
> and newer, so there is no need to consider this backport for anything older
> than stable 4.4.
> 
> Please apply to 4.4 and 4.9 stable.

Now applied, thanks.

greg k-h
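The arithmetic the quoted commit message describes, as an added illustration that is not part of this thread and not the cdc_ncm driver's code: a reservation for the trailing NDP that ignores alignment slack lets the frame overshoot the configured maximum, and an unsigned "maximum minus current length" padding count then wraps to a huge value instead of going negative. The frame size, NDP size, alignment, the ALIGN_UP macro and all function names below are constructed for the example; the driver's real field names and values differ.

```c
#include <stdint.h>
#include <stdio.h>

/* Round x up to the next multiple of a (a must be a power of two or at
 * least non-zero; constructed helper, not the kernel's ALIGN()). */
#define ALIGN_UP(x, a) ((((x) + (a) - 1) / (a)) * (a))

/* Unguarded padding count: with unsigned operands, max - len silently
 * wraps once len exceeds max, which is the failure mode in the oops. */
static uint32_t pad_count_unguarded(uint32_t max, uint32_t len)
{
    return max - len;
}

/* Guarded padding count: never pad a frame that already meets or
 * exceeds the maximum, so the count can never wrap. */
static uint32_t pad_count_guarded(uint32_t max, uint32_t len)
{
    return len < max ? max - len : 0;
}

/* Naive reservation: only the NDP bytes themselves, no alignment slack. */
static uint32_t reserve_naive(uint32_t ndp_size, uint32_t ndp_align)
{
    (void)ndp_align;
    return ndp_size;
}

/* Worst-case reservation: the NDP plus up to ndp_align-1 bytes that may be
 * needed to move its start onto an alignment boundary. */
static uint32_t reserve_aligned(uint32_t ndp_size, uint32_t ndp_align)
{
    return ndp_size + ndp_align - 1;
}

/* Length of the frame once the NDP is appended at its aligned offset. */
static uint32_t frame_len_with_ndp(uint32_t payload, uint32_t ndp_size,
                                   uint32_t ndp_align)
{
    return ALIGN_UP(payload, ndp_align) + ndp_size;
}

/* Returns 1 when payload plus aligned NDP fits within max, else 0. */
static int frame_fits(uint32_t max, uint32_t payload, uint32_t ndp_size,
                      uint32_t ndp_align)
{
    return frame_len_with_ndp(payload, ndp_size, ndp_align) <= max;
}

int main(void)
{
    /* Constructed sizes: a 2048-byte frame, a 16-byte NDP aligned to 32. */
    const uint32_t max = 2048, ndp = 16, align = 32;

    /* Naive reservation lets a 2032-byte payload in; the NDP then lands
     * at 2048 and the frame becomes 2064 bytes, beyond the maximum. */
    uint32_t payload = max - reserve_naive(ndp, align);
    uint32_t len = frame_len_with_ndp(payload, ndp, align);
    printf("naive: payload=%u len=%u fits=%d pad(unguarded)=%u pad(guarded)=%u\n",
           (unsigned)payload, (unsigned)len, frame_fits(max, payload, ndp, align),
           (unsigned)pad_count_unguarded(max, len),
           (unsigned)pad_count_guarded(max, len));

    /* Alignment-aware reservation keeps the frame within the maximum. */
    payload = max - reserve_aligned(ndp, align);
    len = frame_len_with_ndp(payload, ndp, align);
    printf("aligned: payload=%u len=%u fits=%d pad=%u\n",
           (unsigned)payload, (unsigned)len, frame_fits(max, payload, ndp, align),
           (unsigned)pad_count_guarded(max, len));
    return 0;
}
```

The two fixes shown here are independent: the alignment-aware reservation prevents the overshoot in the first place, and the guarded padding count bounds the damage if some other path ever produces an oversized frame, which is the kind of belt-and-braces check worth keeping in any length computation that feeds a memset.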
