Kernel bridge driver dropping packets as "invalid header"

Bug #1065150 reported by Sarveshwar Bandi on 2012-10-10
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
The Emulex project
Medium
Jesse Sung
linux (Ubuntu)
Undecided
Jesse Sung
Precise
Undecided
Jesse Sung
Quantal
Undecided
Jesse Sung

Bug Description

When the upstream patch mentioned below was applied to 12.04 , it exposed a bug in kernel bridge driver in linux-image-3.2.0-31-generic.

commit ac1ae5f33fd225f46da0072e2091962410a0431b
Author: Eric Dumazet <email address hidden>
Date: Fri Jul 13 03:19:41 2012 +0000

    be2net: dont pull too much data in skb linear part

This caused the bridge driver to drop ip packets as "invalid header". I have sent patch which fixes this issue in upstream kernel (net tree). This patch will need to be pulled into ubuntu once it is accepted upstream.

Thanks,
Sarvesh

Here is the patch submitted to upstream net tree. Waiting for it to be accepted:

From: Sarveshwar Bandi <email address hidden>

If lower layer driver leaves the ip header in the skb fragment, it needs to be first pulled into skb->data before inspecting ip header length or ip version number.

Signed-off-by: Sarveshwar Bandi <email address hidden>
---
 net/bridge/br_netfilter.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index 68e8f36..fe43bc7 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -265,6 +265,9 @@ static int br_parse_ip_options(struct sk_buff *skb)
  struct net_device *dev = skb->dev;
  u32 len;

+ if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+ goto inhdr_error;
+
  iph = ip_hdr(skb);
  opt = &(IPCB(skb)->opt);

--
1.7.9.5

visibility: private → public
Chris Van Hoof (vanhoof) on 2012-10-11
Changed in emulex:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Jesse Sung (wenchien)

The patch submitted to upstream net tree has been applied. Please pull this patch to fix this issue.

Details of the commit are here:

http://git.kernel.org/?p=linux/kernel/git/davem/net.git;a=commit;h=6caab7b0544e83e6c160b5e80f5a4a7dd69545c7

Thanks,
Sarvesh

Jesse Sung (wenchien) on 2012-10-11
Changed in emulex:
status: Confirmed → In Progress
Tim Gardner (timg-tpi) on 2012-10-11
Changed in linux (Ubuntu Precise):
assignee: nobody → Jesse Sung (wenchien)
status: New → Fix Committed
Changed in linux (Ubuntu Quantal):
assignee: nobody → Jesse Sung (wenchien)
status: New → Fix Committed
Jesse Sung (wenchien) on 2012-10-15
Changed in emulex:
status: In Progress → Fix Committed
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for Precise in -proposed solves the problem (3.2.0-33.52). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for Quantal in -proposed solves the problem (3.5.0-18.29). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-quantal' to 'verification-done-quantal'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-quantal
Mark Petersen (mpetersen-peak6) wrote :

I tested this and it is working for me in precise.

tags: added: verification-done-precise
removed: verification-needed-precise
tags: added: verification-done-quantal
removed: verification-needed-quantal
Launchpad Janitor (janitor) wrote :
Download full text (16.4 KiB)

This bug was fixed in the package linux - 3.5.0-18.29

---------------
linux (3.5.0-18.29) quantal-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1068224

  [ Andy Whitcroft ]

  * [packaging] do not fail secure copy on older kernels
  * SAUCE: efivarfs: efivarfs_file_read ensure we free data in error paths
    - LP: #1063061
  * SAUCE: efivars: efivarfs_create() ensure we drop our reference on inode
    on error
    - LP: #1063061
  * SAUCE: efivarfs: efivarfs_fill_super() fix inode reference counts
    - LP: #1063061
  * SAUCE: efivarfs: efivarfs_fill_super() ensure we free our temporary
    name
    - LP: #1063061
  * SAUCE: efivarfs: efivarfs_fill_super() ensure we clean up correctly on
    error
    - LP: #1063061
  * [Config] add fs/udf to linux-image to support DVD/CD formats in virtual
    instances
    - LP: #1066921

  [ Jeremy Kerr ]

  * SAUCE: efi: Handle deletions and size changes in efivarfs_write_file
    - LP: #1063061
  * SAUCE: efivarfs: Implement exclusive access for {get, set}_variable
    - LP: #1063061

  [ Kamal Mostafa ]

  * SAUCE: input: Cypress PS/2 Trackpad list additional contributors

  [ Kyle Fazzari ]

  * SAUCE: input: Cypress PS/2 Trackpad fix lost sync upon palm contact
    - LP: #1048258
  * SAUCE: input: Cypress PS/2 Trackpad fix taps turning into hardware
    clicks
    - LP: #1064086

  [ Leann Ogasawara ]

  * Revert "SAUCE: ext4: fix crash when accessing /proc/mounts
    concurrently"
    - LP: #1066176
  * Revert "SAUCE: ALSA: hda/realtek - Fix detection of ALC271X codec"
    - LP: #1066176

  [ Lee, Chun-Yi ]

  * SAUCE: efi: add efivars kobject to efi sysfs folder
    - LP: #1063061

  [ Matt Fleming ]

  * SAUCE: efivarfs: Add documentation for the EFI variable filesystem
    - LP: #1063061

  [ Matthew Garrett ]

  * SAUCE: efi: Add support for a UEFI variable filesystem
    - LP: #1063061

  [ Sarveshwar Bandi ]

  * SAUCE: bridge: Pull ip header into skb->data before looking into ip
    header.
    - LP: #1065150

  [ Upstream Kernel Changes ]

  * Revert "drm/i915: correctly order the ring init sequence"
    - LP: #1066176
  * vfs: dcache: fix deadlock in tree traversal
    - LP: #1063761
  * dm mpath: only retry ioctl when no paths if queue_if_no_path set
    - LP: #1063761
  * dm: handle requests beyond end of device instead of using BUG_ON
    - LP: #1063761
  * dm table: clear add_random unless all devices have it set
    - LP: #1063761
  * dm verity: fix overflow check
    - LP: #1063761
  * usb: gadget: make g_printer enumerate again
    - LP: #1063761
  * usb: gadget: initialize the strings in tcm_usb_gadget properly
    - LP: #1063761
  * USB: option: blacklist QMI interface on ZTE MF683
    - LP: #1063761
  * USB: ftdi_sio: add TIAO USB Multi-Protocol Adapter (TUMPA) support
    - LP: #1063761
  * USB: qcaux: add Pantech vendor class match
    - LP: #1063761
  * usb: host: xhci: Fix Null pointer dereferencing with 71c731a for
    non-x86 systems
    - LP: #1063761
  * USB: serial: fix up bug with missing {}
    - LP: #1063761
  * staging: speakup_soft: Fix reading of init string
    - LP: #1063761
  * tty: keyboard.c: Remove locking from vt_get_leds.
  ...

Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Launchpad Janitor (janitor) wrote :
Download full text (9.1 KiB)

This bug was fixed in the package linux - 3.2.0-33.52

---------------
linux (3.2.0-33.52) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1067666

  [ Andy Whitcroft ]

  * [Config] add fs/udf to linux-image to support DVD/CD formats in virtual
    instances
    - LP: #1066921

  [ James M Leddy ]

  * SAUCE: input: fix weird issue of synaptics psmouse sync lost after
    resume
    - LP: #717970

  [ Paolo Pisati ]

  * [SRU] [Config] enable TIDSPBRIDGE for omap arm[el|hf] flavours
    - LP: #1058022

  [ Sarveshwar Bandi ]

  * SAUCE: bridge: Pull ip header into skb->data before looking into ip
    header.
    - LP: #1065150

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: rework pll selection (v3)"
    - LP: #1065047
  * sched: Fix migration thread runtime bogosity
    - LP: #1057593
  * Bluetooth: Add support for Sony Vaio T-Series
    - LP: #1054307
  * drm/radeon: properly handle mc_stop/mc_resume on evergreen+ (v2)
    - LP: #1058303
  * Bluetooth: Use USB_VENDOR_AND_INTERFACE() for Broadcom devices
    - LP: #1058303
  * Bluetooth: Add USB_VENDOR_AND_INTERFACE_INFO() for Broadcom/Foxconn
    - LP: #1030233, #1058303
  * target: Fix ->data_length re-assignment bug with SCSI overflow
    - LP: #1065047
  * ASoC: samsung dma - Don't indicate support for pause/resume.
    - LP: #1065047
  * fs/proc: fix potential unregister_sysctl_table hang
    - LP: #1065047
  * mm/ia64: fix a memory block size bug
    - LP: #1065047
  * nbd: clear waiting_queue on shutdown
    - LP: #1065047
  * drivers/rtc/rtc-twl.c: ensure all interrupts are disabled during probe
    - LP: #1065047
  * mm/page_alloc: fix the page address of higher page's buddy calculation
    - LP: #1065047
  * memory hotplug: fix section info double registration bug
    - LP: #1065047
  * cciss: fix handling of protocol error
    - LP: #1065047
  * vfs: dcache: use DCACHE_DENTRY_KILLED instead of DCACHE_DISCONNECTED in
    d_kill()
    - LP: #1065047
  * workqueue: reimplement work_on_cpu() using system_wq
    - LP: #1065047
  * cpufreq/powernow-k8: workqueue user shouldn't migrate the kworker to
    another CPU
    - LP: #1065047
  * sched: Fix ancient race in do_exit()
    - LP: #1065047
  * hpwdt: Fix kdump issue in hpwdt
    - LP: #1065047
  * rtlwifi: rtl8192ce: Log message that B_CUT device may not work
    - LP: #1065047
  * brcmfmac: fix big endian bug in i-scan.
    - LP: #1065047
  * brcmfmac: Fix big endian host configuration data.
    - LP: #1065047
  * dmaengine: at_hdmac: fix comment in atc_prep_slave_sg()
    - LP: #1065047
  * dmaengine: at_hdmac: check that each sg data length is non-null
    - LP: #1065047
  * ARM: 7532/1: decompressor: reset SCTLR.TRE for VMSA ARMv7 cores
    - LP: #1065047
  * drm/i915: Reduce a pin-leak BUG into a WARN
    - LP: #1065047
  * bnx2i: Fixed NULL ptr deference for 1G bnx2 Linux iSCSI offload
    - LP: #1065047
  * mpt2sas: Fix for issue - Unable to boot from the drive connected to HBA
    - LP: #1065047
  * hwmon: (ads7871) Add 'name' sysfs attribute
    - LP: #1065047
  * DMA: PL330: Check the pointer returned by kzalloc
    - LP: #1065047
  * hpsa: fix handling of protocol error
    -...

Read more...

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Jesse Sung (wenchien) on 2012-11-19
Changed in emulex:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers