[Saucy] [PATCH] SRU: zerocopy LSO segmenting fixed
Tim Gardner
tim.gardner at canonical.com
Mon Jun 23 14:06:29 UTC 2014
On 06/23/2014 07:53 AM, Luis Henriques wrote:
> On Sun, Jun 22, 2014 at 11:07:42AM +0300, Anton Nayshtut wrote:
>> BugLink: https://bugs.launchpad.net/bugs/1328973
>>
>> [SRU Justification]
>>
>> [Setup]
>> - 2 or more QEMU Guest VMs sharing the the same host
>> - the Guests are communicating using virtio-net-pci devices
>> - vhost-net is enabled
>>
>> [Explanation]
>> If one Guest VM sends GSO packets to another while GRO is disabled for receiver,
>> so these packets are segmented by net/core.
>> In this case, if zero-copy is enabled in vhost-net, the GSO packets TX
>> completion is reported to userspace as before the TX is actually done.
>> The vhost-net's zero-copy mechanism is enabled by default since v3.8-rc1
>> (f9611c43).
>>
>> [Impact]
>> Incorrect/junk data sent in case the transmitting Guest OS re-uses/frees the TX
>> buffer immediately upon TX completion.
>>
>> [Test Case]
>> Windows 2008R2 Guest VMs running MS HCK Offload LSO test.
>> NOTE1: GRO is always disabled in this case because it's not supported by Windows
>> Guest virtio-net-pci drivers.
>> NOTE2: MS HCK re-uses the GSO (LSO) buffers, so it reproduces the issue every
>> time.
>>
>> skbuff: skb_segment: orphan frags before copying
>>
>> skb_segment copies frags around, so we need
>> to copy them carefully to avoid accessing
>> user memory after reporting completion to userspace
>> through a callback.
>>
>> skb_segment doesn't normally happen on datapath:
>> TSO needs to be disabled - so disabling zero copy
>> in this case does not look like a big deal.
>>
>> OriginalAuthor: Michael S. Tsirkin <mst at redhat.com>
>> Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
>> Acked-by: Herbert Xu <herbert at gondor.apana.org.au>
>> Signed-off-by: David S. Miller <davem at davemloft.net>
>>
>> (cherry picked from commit 1fd819ecb90cc9b822cd84d3056ddba315d3340f)
>> CVE-2014-0131
>> Signed-off-by: Andy Whitcroft <apw at canonical.com>
>> (backported from 0f860fb4f583909ed999df58abf57ff40ec94d6d ubuntu-trusty)
>> Signed-off-by: Anton Nayshtut <anton at swortex.com>
>>
>
> This patch is included in the 3.11 extended stable currently under
> review[1]. Since Saucy picks the 3.11 extended stable releases, this
> patch would be included in the Saucy kernel anyway (Note:
> lts-backport-saucy kernels are about to reach EOL!).
>
> However, the backport is I have for the 3.11 kernel is different[2]
> from this one and I am not able to decide which is correct one.
>
> For the 3.11 kernel I have picked the version provided by Ben Hutching
> to the stable mailing list[3]. This version is currently being used
> in the Lucid kernel, and has been released on the 3.8 extended
> stable.
>
> [1] https://lkml.org/lkml/2014/6/23/368
> [2] https://lkml.org/lkml/2014/6/23/400
> [3] http://thread.gmane.org/gmane.linux.kernel.stable/93422
>
> Cheers,
> --
> Luís
>
There does seem to be a small, but fundamental, difference.
Anton - could you have a look to see if the upstream patch will suffice
? I'd prefer to go with what is coming up in stable because its been
tested in Lucid.
rtg
--
Tim Gardner tim.gardner at canonical.com
More information about the kernel-team
mailing list