Fix oops in skb_segment for Bionic series
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Invalid | Medium | Guilherme G. Piccoli | |
| Bionic | Fix Released | Medium | Guilherme G. Piccoli | |
Bug Description
[Impact]
* It was reported upstream [0] that an eBPF NAT64 filter caused an oops due to bad handling of the GRO header length on the SKB segmentation path; the discussion is rich in details, and eventually the reporter sent a fix patch for it [1], as well as a test scenario in the test_bpf kernel module that reproduces the issue.
[0] https://<email address hidden>/
[1] https://<email address hidden>/
* The fix patch landed in v4.17 and for some reason didn't reach the stable kernels; by testing our Bionic v4.15 kernel I was able to reproduce the issue, observing the following stack trace (details in the testing section below):
kernel BUG at net/core/
Modules linked in: test_bpf(E+) isofs nls_iso8859_1 dm_multipath scsi_dh_rdac scsi_dh_emc ...
RIP: 0010:skb_
[...]
Call Trace:
test_bpf_
test_bpf_
do_one_
[...]
* It is worth mentioning that this fix is not complete, in the sense that another corner case was reported after it [2]; that one was fixed by a separate patch [3], released in kernel v5.3 and present in the stable tree (hence already backported to our Bionic 4.15 kernels).
[2] https:/
[3] http://
* So we are hereby backporting both the original fix patch [4] and the test_bpf patch (plus a fix for it) [5] [6] to the Ubuntu Bionic v4.15-based kernels.
[4] http://
[5] http://
[6] http://
[Test Case]
* One could use a NAT64 filter, but with the aforementioned patches [5] [6] backported here, one can also use the kernel's own test infrastructure by loading the test_bpf module:
insmod /lib/modules/
If patches [5] [6] are included and the kernel does not contain the fix [4], an oops will be observed.
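To make the test case above scriptable, here is an added example (not part of the bug report or of the kernel tree) that loads test_bpf and triages the kernel-log lines it produced, separating an oops in the segmentation path from the self-test passing or failing. The exact wording of the "test_skb_segment: ..." line is an assumption about lib/test_bpf.c, and every sample log in the script is constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report: load test_bpf as in the
# [Test Case] and triage the new kernel-log lines, so a scripted check
# distinguishes an oops in the segmentation path from the self-test
# passing or failing. The "test_skb_segment: ..." line format is an
# assumption about lib/test_bpf.c; all sample logs below are constructed.
set -u

# classify_test_bpf_log TEXT: prints OOPS, PASS, FAIL or NOTEST; returns 0 only for PASS.
classify_test_bpf_log() {
    log="$1"
    # An oops in skb_segment shows up as a "kernel BUG at net/core/..." line
    # (as in the report) and no test_bpf result line is printed afterwards.
    if printf '%s\n' "$log" | grep -qE 'kernel BUG at |Oops: |BUG: unable to handle'; then
        echo OOPS; return 1
    fi
    if printf '%s\n' "$log" | grep -q 'test_skb_segment:.*success'; then
        echo PASS; return 0
    fi
    if printf '%s\n' "$log" | grep -q 'test_skb_segment:.*fail'; then
        echo FAIL; return 1
    fi
    echo NOTEST; return 1
}

# run_test_bpf: snapshot the log, load the module (modprobe instead of the
# insmod path from the report), classify only the lines it added. Needs root.
run_test_bpf() {
    before=$(dmesg | wc -l)
    modprobe test_bpf 2>/dev/null || true   # a failing self-test makes the load return an error
    added=$(dmesg | tail -n +"$((before + 1))")
    rmmod test_bpf 2>/dev/null || true
    classify_test_bpf_log "$added"
}

# Constructed sample logs (line number in skbuff.c left as a placeholder).
SAMPLE_OOPS='[   12.345678] kernel BUG at net/core/skbuff.c:NNNN!
[   12.345690] Modules linked in: test_bpf(E+) isofs nls_iso8859_1
[   12.345701] RIP: 0010:skb_segment+0x0/0x0'
SAMPLE_PASS='[   12.345678] test_bpf: Summary: 300 PASSED, 0 FAILED
[   12.345690] test_bpf: test_skb_segment: success in skb_segment!'
SAMPLE_FAIL='[   12.345678] test_bpf: Summary: 300 PASSED, 0 FAILED
[   12.345690] test_bpf: test_skb_segment: failed in skb_segment!'

if [ "x${1:-}" = x--run ]; then run_test_bpf; fi
```

Run it as root with `--run` on the kernel under test; the printed word and the exit status give the verdict, and an OOPS verdict on a kernel carrying [5] [6] means fix [4] is missing.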
[Where problems could occur]
* The backported patches have been present upstream since v4.17, and no fixes were released for them (other than [6], included here), so from the testing point of view these patches have been exercised for a while with no issues.
* That said, if a problem were triggered by these patches, hypothetically it would affect SKB segmentation in the net/core code: a bad check could cause an oops there, or the additional checks in the hot path could introduce a small overhead.
Changed in linux-azure (Ubuntu Bionic):
  status: New → In Progress
  assignee: nobody → Guilherme G. Piccoli (gpiccoli)
  importance: Undecided → Medium
Changed in linux (Ubuntu Bionic):
  status: In Progress → Fix Committed
The patches were submitted to Bionic main.