Bug 195059

Summary: UDP skb_over_panic over 6lowpan / fakelb
Product: Networking Reporter: Palma (david.palma)
Component: IPV6Assignee: Hideaki YOSHIFUJI (yoshfuji)
Status: RESOLVED PATCH_ALREADY_AVAILABLE    
Severity: normal    
Priority: P1    
Hardware: x86-64   
OS: Linux   
URL: https://github.com/PalmaITEM/6lowpan-skb_over_panic
Kernel Version: 4.9 and 4.10 amd64 Subsystem:
Regression: No Bisected commit-id:
Attachments: [wpan,1/2] net: 6lowpan: fix reserved space for single frames
[wpan,2/2] net: mac802154: tx: expand tailroom if necessary

Description Palma 2017-03-27 09:09:45 UTC
Sending a simple UDP packet, with 39 bytes of length, over a 6lowpan interface (using fakelb), creates a kernel panic

Steps to reproduce can be found here: https://github.com/PalmaITEM/6lowpan-skb_over_panic

I have found that lengths around 39 bytes can also trigger this behaviour and that longer packets are handled without problem.

Verified in:

- Linux version 4.9.0-0.bpo.2-amd64 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10) ) #1 SMP Debian 4.9.13-1~bpo8+1 (2017-02-27)
- Linux version 4.10.4-1-ARCH (builduser@tobias) (gcc version 6.3.1 20170306 (GCC) ) #1 SMP PREEMPT Sat Mar 18 19:39:18 CET 2017
Comment 1 Palma 2017-03-30 07:09:05 UTC
Update to the previous information (also on github link).

Could not reproduce this problem on a 32bit kernel.

For example

ip netns exec wpan0 ping6 -s 39 b:1::2

*Kernel Panic:* Linux version 4.9.0-0.bpo.2-amd64 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10) ) #1 SMP Debian 4.9.13-1~bpo8+1 (2017-02-27)

*No Problem:* Linux version 4.9.0-0.bpo.2-686 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10) ) #1 SMP Debian 4.9.13-1~bpo8+1 (2017-02-27)
Comment 2 Palma 2018-07-06 08:02:28 UTC
Created attachment 277211 [details]
[wpan,1/2] net: 6lowpan: fix reserved space for single frames

This patch fixes patch add handling to take care tail and headroom for
single 6lowpan frames. We need to be sure we have a skb with the right
head and tailroom for single frames. This patch do it by using
skb_copy_expand() if head and tailroom is not enough allocated by upper
layer.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195059
Reported-by: David Palma <david.palma@ntnu.no>
Reported-by: Rabi Narayan Sahoo <rabinarayans0828@gmail.com>
Signed-off-by: Alexander Aring <aring@mojatatu.com>
Comment 3 Palma 2018-07-06 08:03:35 UTC
Created attachment 277213 [details]
[wpan,2/2] net: mac802154: tx: expand tailroom if necessary

This patch is necessary if case of AF_PACKET or other socket interface
which I am aware of it and didn't allocated the necessary room.

Reported-by: David Palma <david.palma@ntnu.no>
Reported-by: Rabi Narayan Sahoo <rabinarayans0828@gmail.com>
Signed-off-by: Alexander Aring <aring@mojatatu.com>
---
 net/mac802154/tx.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
Comment 4 Palma 2018-07-06 08:04:46 UTC
Problem fixed by the following (also attached) patches created by Alexander Aring:

- https://patchwork.kernel.org/patch/10502357/
- https://patchwork.kernel.org/patch/10502359/