On Wed, Jan 30, 2019 at 3:09 PM Ivan Babrou <i...@cloudflare.com> wrote:
>
> Eric,
>
> Are you going to propose the change then?
>
> I'm happy to test it out.
>

This is indeed a bug in linux stable tree only.

The err=-EINVAL move was part of a patch that was not backported
(since it was not a bug fix)

commit 0ff89efb524631ac9901b81446b453c29711c376
Author: Peter Oskolkov <p...@google.com>
Date:   Tue Aug 28 11:36:19 2018 -0700

    ip: fail fast on IP defrag errors

> On Wed, Jan 30, 2019 at 3:00 PM Michal Kubecek <mkube...@suse.cz> wrote:
> >
> > On Wed, Jan 30, 2019 at 02:26:32PM -0800, Ivan Babrou wrote:
> > > Hey,
> > >
> > > Continuing from this thread earlier today:
> > >
> > > * https://marc.info/?t=154886729100001&r=1&w=2
> > >
> > > We fired up KASAN enabled kernel on one of those machines and this is
> > > what we saw:
> > ...
> > > This commit from 4.19.14 seems relevant:
> > >
> > > * https://github.com/torvalds/linux/commit/d5f9565c8d5ad3cf94982223cfcef1169b0bb60f
> > >
> > > As a reminder, we upgraded from 4.19.13 and started seeing crashes.
> >
> > Unfortunately I'm on vacation this week so that my capability to look
> > deeper into this is limited but there seems to be one obvious problem
> > with the 4.19.y backport: in mainline, there is
> >
> >         err = -EINVAL;
> >
> > right on top of the "Find out where to put this fragment." comment which
> > had been added by commit 0ff89efb5246 ("ip: fail fast on IP defrag
> > errors"). In 4.19.y backport of the commit, this assignment is missing
> > so that the value of err at this point comes from earlier
> > pskb_trim_rcsum() call so that it must be zero and if we take any of the
> > "goto err" added by commit d5f9565c8d5a, we drop the packet by calling
> > kfree_skb() but return zero so that caller doesn't know about it.
> >
> > Michal Kubecek
> >
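
The failure mode Michal Kubecek describes in the quoted message above, as a userspace C model added here for illustration; it is not code from the thread or from the kernel. `struct frag`, `trim_model`, `queue_model`, `silent_drop` and the return convention (0 = accepted, negative = dropped) are assumptions of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code. struct frag stands in for an skb;
 * "freed" records the point where the kernel would call kfree_skb(). */
struct frag { int offset; int len; bool freed; };

/* Stands in for the earlier pskb_trim_rcsum() call succeeding. */
static int trim_model(struct frag *f) { (void)f; return 0; }

/* Model convention (assumption): 0 = fragment accepted, <0 = dropped.
 * set_einval=true is the mainline flow, false the 4.19.y backport. */
static int queue_model(struct frag *f, int prev_end, bool set_einval)
{
    int err = trim_model(f);
    if (err)
        goto err;

    if (set_einval)
        err = -EINVAL;          /* the assignment missing from the backport */

    /* Find out where to put this fragment. */
    if (f->offset < prev_end)   /* overlaps the previous fragment */
        goto err;

    return 0;                   /* accepted */
err:
    f->freed = true;            /* kernel: kfree_skb(skb) */
    return err;                 /* stale 0 when set_einval is false */
}

/* True when the buffer was dropped but the caller was told "success". */
static bool silent_drop(int offset, int prev_end, bool set_einval)
{
    struct frag f = { .offset = offset, .len = 64, .freed = false };
    int ret = queue_model(&f, prev_end, set_einval);
    return f.freed && ret == 0;
}

int main(void)
{
    printf("backport, overlap: silent drop = %d\n", silent_drop(32, 100, false));
    printf("mainline, overlap: silent drop = %d\n", silent_drop(32, 100, true));
    return 0;
}
```

A caller that keeps using the buffer after a zero return is touching freed memory, which is the class of fault KASAN reports.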