[PATCH net] net: ip6_gre: access skb data after skb_cow_head()

[PATCH net] net: ip6_gre: access skb data after skb_cow_head()

[William Tu]

When increases the headroom, skb's pointer might get re-allocated.
Fix it by moving skb_cow_head before accessing the skb->data pointer.

Fixes: 01b8d064d58b4 ("net: ip6_gre: Request headroom in __gre6_xmit()")
Reported-by: Haichao Ma <haichaom@vmware.com>
Signed-off-by: William Tu <u9012063@gmail.com>
---
 net/ipv6/ip6_gre.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 655e46b227f9..90b2b129b105 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -714,6 +714,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
 	struct ip6_tnl *tunnel = netdev_priv(dev);
 	__be16 protocol;
 
+	if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen))
+		return -ENOMEM;
+
 	if (dev->type == ARPHRD_ETHER)
 		IPCB(skb)->flags = 0;
 
@@ -722,9 +725,6 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
 	else
 		fl6->daddr = tunnel->parms.raddr;
 
-	if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen))
-		return -ENOMEM;
-
 	/* Push GRE header. */
 	protocol = (dev->type == ARPHRD_ETHER) ? htons(ETH_P_TEB) : proto;
 
-- 
2.7.4

Re: [PATCH net] net: ip6_gre: access skb data after skb_cow_head()

[David Miller]

From: William Tu <u9012063@gmail.com>
Date: Thu, 16 May 2019 09:25:48 -0700

> When increases the headroom, skb's pointer might get re-allocated.
> Fix it by moving skb_cow_head before accessing the skb->data pointer.
> 
> Fixes: 01b8d064d58b4 ("net: ip6_gre: Request headroom in __gre6_xmit()")
> Reported-by: Haichao Ma <haichaom@vmware.com>
> Signed-off-by: William Tu <u9012063@gmail.com>

I don't understand the problem.

The fl6->daddr assignments are object copies, not pointer assignments.

So there are no dangling pointer references I can see.

Also, you need to explain exactly what dangling pointer is the problem
in your commit message.