• Alexey Kodanev's avatar
    net: sysctl_net_core: check SNDBUF and RCVBUF for min length · 2d6dfb10
    Alexey Kodanev authored
    [ Upstream commit b1cb59cf ]
    
    sysctl has sysctl.net.core.rmem_*/wmem_* parameters which can be
    set to incorrect values. Given that 'struct sk_buff' allocates from
    rcvbuf, incorrectly set buffer length could result to memory
    allocation failures. For example, set them as follows:
    
        # sysctl net.core.rmem_default=64
          net.core.wmem_default = 64
        # sysctl net.core.wmem_default=64
          net.core.wmem_default = 64
        # ping localhost -s 1024 -i 0 > /dev/null
    
    This could result to the following failure:
    
    skbuff: skb_over_panic: text:ffffffff81628db4 len:-32 put:-32
    head:ffff88003a1cc200 data:ffff88003a1cc200 tail:0xffffffe0 end:0xc0 dev:<NULL>
    kernel BUG at net/core/skbuff.c:102!
    invalid opcode: 0000 [#1] SMP
    ...
    task: ffff88003b7f5550 ti: ffff88003ae88000 task.ti: ffff88003ae88000
    RIP: 0010:[<ffffffff8155fbd1>]  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
    RSP: 0018:ffff88003ae8bc68  EFLAGS: 00010296
    RAX: 000000000000008d RBX: 00000000ffffffe0 RCX: 0000000000000000
    RDX: ffff88003fdcf598 RSI: ffff88003fdcd9c8 RDI: ffff88003fdcd9c8
    RBP: ffff88003ae8bc88 R08: 0000000000000001 R09: 0000000000000000
    R10: 0000000000000001 R11: 00000000000002b2 R12: 0000000000000000
    R13: 0000000000000000 R14: ffff88003d3f7300 R15: ffff88000012a900
    FS:  00007fa0e2b4a840(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000d0f7e0 CR3: 000000003b8fb000 CR4: 00000000000006f0
    Stack:
     ffff88003a1cc200 00000000ffffffe0 00000000000000c0 ffffffff818cab1d
     ffff88003ae8bd68 ffffffff81628db4 ffff88003ae8bd48 ffff88003b7f5550
     ffff880031a09408 ffff88003b7f5550 ffff88000012aa48 ffff88000012ab00
    Call Trace:
     [<ffffffff81628db4>] unix_stream_sendmsg+0x2c4/0x470
     [<ffffffff81556f56>] sock_write_iter+0x146/0x160
     [<ffffffff811d9612>] new_sync_write+0x92/0xd0
     [<ffffffff811d9cd6>] vfs_write+0xd6/0x180
     [<ffffffff811da499>] SyS_write+0x59/0xd0
     [<ffffffff81651532>] system_call_fastpath+0x12/0x17
    Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00
          00 00 48 c7 c7 30 db 91 81 48 89 04 24 31 c0 e8 4f a8 0e 00 <0f> 0b
          eb fe 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83
    RIP  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
    RSP <ffff88003ae8bc68>
    Kernel panic - not syncing: Fatal exception
    
    Moreover, the possible minimum is 1, so we can get another kernel panic:
    ...
    BUG: unable to handle kernel paging request at ffff88013caee5c0
    IP: [<ffffffff815604cf>] __alloc_skb+0x12f/0x1f0
    ...
    Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    [bwh: Backported to 3.2: delete now-unused 'one' variable]
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    2d6dfb10
sysctl_net_core.c 5.76 KB