kernel backtrace when receiving large UDP packages

Bug #1772031 reported by Martin Habets on 2018-05-18
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Unassigned
Artful
Medium
Joseph Salisbury

Bug Description

== SRU Justification ==
Artful is missing commit a90bcb86ae70, which was sent
to upstream stable. Since upstream 4.13 is EOL, Artful never got it.

Because Artful does not have this commit when receiving large UDP packages
with a small MTU there are backtraces, examples posted in the bug.

Commit a90bcb86ae70 is in mainline as ov v4.14-rc2 and is only needed in
Artful.

== Fix ==
a90bcb86ae70 ("iov_iter: fix page_copy_sane for compound pages")

== Regression Potential ==
Low. This commit fixes a current regression in Artful. It was also
cc'd to stable, so it has had additional upstream review.

== Test Case ==
A test kernel was built with this patch and tested by the original bug reporter.
The bug reporter states the test kernel resolved the bug.

kernel 4.13.0-41-generic is missing commit a90bcb86ae70:

Author: Petar Penkov <email address hidden>
Date: Tue Aug 29 11:20:32 2017 -0700

    iov_iter: fix page_copy_sane for compound pages

    Issue is that if the data crosses a page boundary inside a compound
    page, this check will incorrectly trigger a WARN_ON.

    To fix this, compute the order using the head of the compound page and
    adjust the offset to be relative to that head.

    Fixes: 72e809ed81ed ("iov_iter: sanity checks for copy to/from page
    primitives")

    Signed-off-by: Petar Penkov <email address hidden>
    CC: Al Viro <email address hidden>
    CC: Eric Dumazet <email address hidden>
    Signed-off-by: Al Viro <email address hidden>

Commit 72e809ed81ed is in kernel 4.13.0-41-generic.
As a result, when receiving large UDP packages with a small MTU we get backtraces like:

[ 361.260969] ------------[ cut here ]------------
[ 361.260974] WARNING: CPU: 4 PID: 2541 at /build/linux-hwe-v6kHHF/linux-hwe-4.13.0/lib/iov_iter.c:693 copy_page_to_iter+0x194/0x2d0
[ 361.260975] Modules linked in: cmdlinepart sfc(OE) hwmon_vid crc32_generic mii rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace fscache 8021q garp mrp stp llc intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm i]
[ 361.261002] CPU: 4 PID: 2541 Comm: udp_recv Tainted: G OE 4.13.0-39-generic #44~16.04.1-Ubuntu
[ 361.261003] Hardware name: Dell Inc. PowerEdge R220/05Y15N, BIOS 1.4.0 10/23/2014
[ 361.261004] task: ffff91630b2bae80 task.stack: ffffbb19c2bfc000
[ 361.261005] RIP: 0010:copy_page_to_iter+0x194/0x2d0
[ 361.261006] RSP: 0018:ffffbb19c2bffc60 EFLAGS: 00010202
[ 361.261007] RAX: 0000000000001000 RBX: 00000000000000df RCX: 0017ffffc0000000
[ 361.261008] RDX: 00000000000000df RSI: 0000000000000f8e RDI: fffff666895279c0
[ 361.261009] RBP: ffffbb19c2bffca0 R08: 000000000000106d R09: 0000000000001024
[ 361.261009] R10: 0000000000000000 R11: ffff91630ccc9b00 R12: ffff91630d27a300
[ 361.261010] R13: ffffbb19c2bffde0 R14: 00000000000000df R15: 0000000000000175
[ 361.261011] FS: 00007fb8e7649700(0000) GS:ffff91631fd00000(0000) knlGS:0000000000000000
[ 361.261012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 361.261013] CR2: 000014588da85624 CR3: 000000024bad2002 CR4: 00000000001606e0
[ 361.261013] Call Trace:
[ 361.261017] ? proto_init_net+0x40/0x40
[ 361.261019] skb_copy_datagram_iter+0x171/0x270
[ 361.261022] udp_recvmsg+0x108/0x490
[ 361.261024] inet_recvmsg+0x51/0xc0
[ 361.261026] sock_recvmsg+0x43/0x50
[ 361.261028] sock_read_iter+0x90/0xe0
[ 361.261030] new_sync_read+0xe2/0x130
[ 361.261032] __vfs_read+0x29/0x40
[ 361.261033] vfs_read+0x93/0x130
[ 361.261034] SyS_read+0x55/0xc0
[ 361.261037] entry_SYSCALL_64_fastpath+0x24/0xab
[ 361.261038] RIP: 0033:0x7fb8e7160260
[ 361.261039] RSP: 002b:00007ffed9dd9e38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 361.261040] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb8e7160260
[ 361.261041] RDX: 000000000000ffe3 RSI: 00005622ad02f0a0 RDI: 0000000000000003
[ 361.261041] RBP: 00007ffed9dd9e70 R08: 0000000000000000 R09: 0000000000000011
[ 361.261042] R10: 0000000000000000 R11: 0000000000000246 R12: 00005622ace2e800
[ 361.261043] R13: 00007ffed9dd9f50 R14: 0000000000000000 R15: 0000000000000000
[ 361.261044] Code: de 4c 89 e7 e8 be fa ff ff 41 83 af a0 12 00 00 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d c3 8b 4f 6c 48 d3 e0 e9 9d fe ff ff <0f> ff 48 83 c4 18 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 49 83
[ 361.261064] ---[ end trace c0b23bf37be9874d ]---

This is a request to pull in commit a90bcb86ae70.

# lsb_release -rd
Description: Ubuntu 17.10
Release: 17.10
# uname -a
Linux c6320f 4.13.0-41-generic #46-Ubuntu SMP Wed May 2 13:38:30 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
# cat /proc/version_signature
Ubuntu 4.13.0-41.46-generic 4.13.16

Martin Habets (mhabets1) wrote :
Martin Habets (mhabets1) wrote :
affects: linux-meta (Ubuntu) → linux (Ubuntu)

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
tags: added: artful
Changed in linux (Ubuntu):
importance: Undecided → Medium
Changed in linux (Ubuntu Artful):
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu):
status: Confirmed → Invalid
Changed in linux (Ubuntu Artful):
assignee: nobody → Joseph Salisbury (jsalisbury)
Joseph Salisbury (jsalisbury) wrote :

I built a test kernel with commit a90bcb86ae70. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1772031

Can you test this kernel and see if it resolves this bug?

Note about installing test kernels:
• If the test kernel is prior to 4.15(Bionic) you need to install the linux-image and linux-image-extra .deb packages.
• If the test kernel is 4.15(Bionic) or newer, you need to install the linux-modules, linux-modules-extra and linux-image-unsigned .deb packages.

Thanks in advance!

Martin Habets (mhabets1) wrote :

Many thanks Joseph, I'll give this a try soon.

Martin Habets (mhabets1) wrote :

Hi Joseph,
Sorry it took so long to get back to you. With the test kernel I no longer see the issue.
Thanks!
Martin

Joseph Salisbury (jsalisbury) wrote :
description: updated
Changed in linux (Ubuntu Artful):
status: In Progress → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-artful' to 'verification-done-artful'. If the problem still exists, change the tag 'verification-needed-artful' to 'verification-failed-artful'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-artful
Martin Habets (mhabets1) wrote :

With the proposed kernel I no longer see the issue.

tags: added: verification-done-artful
removed: verification-needed-artful
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.13.0-46.51

---------------
linux (4.13.0-46.51) artful; urgency=medium

  * linux: 4.13.0-46.51 -proposed tracker (LP: #1776333)

  * register on binfmt_misc may overflow and crash the system (LP: #1775856)
    - fs/binfmt_misc.c: do not allow offset overflow

  * CVE-2018-11508
    - compat: fix 4-byte infoleak via uninitialized struct field

  * rfi-flush: Switch to new linear fallback flush (LP: #1744173)
    - SAUCE: rfi-flush: Factor out init_fallback_flush()
    - SAUCE: rfi-flush: Move rfi_flush_fallback_area to end of paca
    - powerpc/64s: Improve RFI L1-D cache flush fallback
    - powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again
    - powerpc/rfi-flush: Differentiate enabled and patched flush types
    - powerpc/rfi-flush: Call setup_rfi_flush() after LPM migration

  * Fix enabling bridge MMIO windows (LP: #1771344)
    - powerpc/eeh: Fix enabling bridge MMIO windows

  * CVE-2018-1130
    - dccp: check sk for closed state in dccp_sendmsg()

  * CVE-2018-7757
    - scsi: libsas: fix memory leak in sas_smp_get_phy_events()

  * cpum_sf: ensure sample freq is non-zero (LP: #1772593)
    - s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero

  * wlp3s0: failed to remove key (1, ff:ff:ff:ff:ff:ff) from hardware (-22)
    (LP: #1720930)
    - iwlwifi: mvm: fix "failed to remove key" message

  * CVE-2018-6927
    - futex: Prevent overflow by strengthen input validation

  * After update to 4.13-43 Intel Graphics are Laggy (LP: #1773520)
    - SAUCE: Revert "drm/i915/edp: Allow alternate fixed mode for eDP if
      available."

  * ELANPAD ELAN0612 does not work, patch available (LP: #1773509)
    - SAUCE: Input: elan_i2c - add ELAN0612 to the ACPI table

  * kernel backtrace when receiving large UDP packages (LP: #1772031)
    - iov_iter: fix page_copy_sane for compound pages

  * FS-Cache: Assertion failed: FS-Cache: 6 == 5 is false (LP: #1774336)
    - SAUCE: CacheFiles: fix a read_waiter/read_copier race

  * CVE-2018-5803
    - sctp: verify size of a new chunk in _sctp_make_chunk()

  * enable mic-mute hotkey and led on Lenovo M820z and M920z (LP: #1774306)
    - ALSA: hda/realtek - Enable mic-mute hotkey for several Lenovo AIOs

  * CVE-2018-7755
    - SAUCE: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

  * CVE-2018-5750
    - ACPI: sbshc: remove raw pointer from printk() message

 -- Khalid Elmously <email address hidden> Mon, 11 Jun 2018 23:25:30 +0000

Changed in linux (Ubuntu Artful):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers