From: Eric Dumazet
To: Toke Høiland-Jørgensen, netdev@vger.kernel.org
Cc: cake@lists.bufferbloat.net, Dave Taht
Date: Fri, 27 Apr 2018 06:17:17 -0700
Subject: Re: [Cake] [PATCH net-next v4] Add Common Applications Kept Enhanced (cake) qdisc
In-Reply-To: <20180427121706.23273-1-toke@toke.dk>
References: <20180427121706.23273-1-toke@toke.dk>
List-Id: Cake - FQ_codel the next generation

On 04/27/2018 05:17 AM, Toke Høiland-Jørgensen wrote:
... > + > +static struct sk_buff *cake_ack_filter(struct cake_sched_data *q, > + struct cake_flow *flow) > +{ > + int seglen; > + struct sk_buff *skb = flow->tail, *skb_check, *skb_check_prev; > + struct iphdr *iph, *iph_check; > + struct ipv6hdr *ipv6h, *ipv6h_check; > + struct tcphdr *tcph, *tcph_check; > + bool otherconn_ack_seen = false; > + struct sk_buff *otherconn_checked_to = NULL; > + bool thisconn_redundant_seen = false, thisconn_seen_last = false; > + struct sk_buff *thisconn_checked_to = NULL, *thisconn_ack = NULL; > + bool aggressive = q->ack_filter == CAKE_ACK_AGGRESSIVE; > + > + /* no other possible ACKs to filter */ > + if (flow->head == skb) > + return NULL; > + > + iph = skb->encapsulation ? 
inner_ip_hdr(skb) : ip_hdr(skb); > + ipv6h = skb->encapsulation ? inner_ipv6_hdr(skb) : ipv6_hdr(skb); > + > + /* check that the innermost network header is v4/v6, and contains TCP */ > + if (pskb_may_pull(skb, ((unsigned char *)iph - skb->head) + sizeof(struct iphdr)) && > + iph->version == 4) { > + if (iph->protocol != IPPROTO_TCP) > + return NULL; > + seglen = ntohs(iph->tot_len) - (4 * iph->ihl); > + tcph = (struct tcphdr *)((void *)iph + (4 * iph->ihl)); > + if (!pskb_may_pull(skb, ((unsigned char *)tcph - skb->head) + sizeof(struct tcphdr))) > + return NULL; > + } else if (pskb_may_pull(skb, ((unsigned char *)ipv6h - skb->head) + sizeof(struct ipv6hdr) + sizeof(struct tcphdr)) && > + ipv6h->version == 6) { > + if (ipv6h->nexthdr != IPPROTO_TCP) > + return NULL; > + seglen = ntohs(ipv6h->payload_len); > + tcph = (struct tcphdr *)((void *)ipv6h + > + sizeof(struct ipv6hdr)); > + } else { > + return NULL; > + } > +

This is still broken. After pskb_may_pull(), skb->head might have been reallocated. You need to recompute iph, ipv6h, tcph, otherwise you are reading freed memory and crash kernels with sufficient debugging (KASAN and other CONFIG_DEBUG_PAGEALLOC / CONFIG_DEBUG_SLAB-like options).
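Review bot: the header pointers taken before each pskb_may_pull() are used after it, so any pull that reallocates skb->head leaves iph, ipv6h and tcph pointing into freed memory: in the v4 branch "tcph = (struct tcphdr *)((void *)iph + (4 * iph->ihl));" is computed from iph before the second pull and then handed to the rest of the function, and in the v6 branch ipv6h is dereferenced for nexthdr and payload_len after the pull that may have moved it. Re-derive the pointers from skb after every successful pskb_may_pull() (ip_hdr()/inner_ip_hdr(), ipv6_hdr()/inner_ipv6_hdr(), then tcph from the refreshed iph or ipv6h), or pull the full needed length once before taking any pointer; the same rule applies to whatever later code reads the filtered ACKs' headers, since those pointers are also stale once the buffer has been reallocated.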