From mboxrd@z Thu Jan  1 00:00:00 1970
From: Maxim Mikityanskiy <maximmi@mellanox.com>
Subject: [PATCH 1/7] net: Don't set transport offset to invalid value
Date: Mon, 14 Jan 2019 13:18:56 +0000
Message-ID: <20190114131841.1932-2-maximmi@mellanox.com>
References: <20190114131841.1932-1-maximmi@mellanox.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        Eran Ben Elisha <eranbe@mellanox.com>,
        Tariq Toukan <tariqt@mellanox.com>,
        Maxim Mikityanskiy <maximmi@mellanox.com>
To: "David S. Miller" <davem@davemloft.net>,
        Saeed Mahameed <saeedm@mellanox.com>,
        Willem de Bruijn <willemb@google.com>,
        Jason Wang <jasowang@redhat.com>,
        Eric Dumazet <edumazet@google.com>
Return-path: <netdev-owner@vger.kernel.org>
Received: from mail-eopbgr40073.outbound.protection.outlook.com ([40.107.4.73]:63632
        "EHLO EUR03-DB5-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726513AbfANNTC (ORCPT <rfc822;netdev@vger.kernel.org>);
        Mon, 14 Jan 2019 08:19:02 -0500
In-Reply-To: <20190114131841.1932-1-maximmi@mellanox.com>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

If the socket was created with socket(AF_PACKET, SOCK_RAW, 0),
skb->protocol will be unset, __skb_flow_dissect() will fail, and
skb_probe_transport_header() will fall back to the offset_hint, making
the resulting skb_transport_offset incorrect.

If, however, there is no transport header in the packet,
transport_header shouldn't be set to an arbitrary value.

Fix it by leaving the transport offset unset if it couldn't be found, to
be explicit rather than to fill it with some wrong value. It changes the
behavior, but if some code relied on the old behavior, it would be
broken anyway, as the old one is incorrect.

Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
---
 drivers/net/tap.c                 |  4 ++--
 drivers/net/tun.c                 |  4 ++--
 drivers/net/xen-netback/netback.c | 19 +++++++++++--------
 include/linux/skbuff.h            | 14 +++++++-------
 net/packet/af_packet.c            |  6 +++---
 5 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 443b2694130c..a35b44b13a34 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -712,7 +712,7 @@ static ssize_t tap_get_user(struct tap_queue *q, void *=
msg_control,
 			goto err_kfree;
 	}
=20
-	skb_probe_transport_header(skb, ETH_HLEN);
+	skb_try_probe_transport_header(skb);
=20
 	/* Move network header to the right position for VLAN tagged packets */
 	if ((skb->protocol =3D=3D htons(ETH_P_8021Q) ||
@@ -1177,7 +1177,7 @@ static int tap_get_user_xdp(struct tap_queue *q, stru=
ct xdp_buff *xdp)
 			goto err_kfree;
 	}
=20
-	skb_probe_transport_header(skb, ETH_HLEN);
+	skb_try_probe_transport_header(skb);
=20
 	/* Move network header to the right position for VLAN tagged packets */
 	if ((skb->protocol =3D=3D htons(ETH_P_8021Q) ||
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index a4fdad475594..f73a156379e6 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1927,7 +1927,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, s=
truct tun_file *tfile,
 	}
=20
 	skb_reset_network_header(skb);
-	skb_probe_transport_header(skb, 0);
+	skb_try_probe_transport_header(skb);
=20
 	if (skb_xdp) {
 		struct bpf_prog *xdp_prog;
@@ -2480,7 +2480,7 @@ static int tun_xdp_one(struct tun_struct *tun,
=20
 	skb->protocol =3D eth_type_trans(skb, tun->dev);
 	skb_reset_network_header(skb);
-	skb_probe_transport_header(skb, 0);
+	skb_try_probe_transport_header(skb);
=20
 	if (skb_xdp) {
 		err =3D do_xdp_generic(xdp_prog, skb);
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/ne=
tback.c
index 80aae3a32c2a..b49b6e56ca47 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -1105,6 +1105,7 @@ static int xenvif_tx_submit(struct xenvif_queue *queu=
e)
 		struct xen_netif_tx_request *txp;
 		u16 pending_idx;
 		unsigned data_len;
+		bool th_set;
=20
 		pending_idx =3D XENVIF_TX_CB(skb)->pending_idx;
 		txp =3D &queue->pending_tx_info[pending_idx].req;
@@ -1169,20 +1170,22 @@ static int xenvif_tx_submit(struct xenvif_queue *qu=
eue)
 			continue;
 		}
=20
-		skb_probe_transport_header(skb, 0);
+		th_set =3D skb_try_probe_transport_header(skb);
=20
 		/* If the packet is GSO then we will have just set up the
 		 * transport header offset in checksum_setup so it's now
 		 * straightforward to calculate gso_segs.
 		 */
 		if (skb_is_gso(skb)) {
-			int mss =3D skb_shinfo(skb)->gso_size;
-			int hdrlen =3D skb_transport_header(skb) -
-				skb_mac_header(skb) +
-				tcp_hdrlen(skb);
-
-			skb_shinfo(skb)->gso_segs =3D
-				DIV_ROUND_UP(skb->len - hdrlen, mss);
+			if (likely(th_set)) { /* GSO implies having L4 header */
+				int mss =3D skb_shinfo(skb)->gso_size;
+				int hdrlen =3D skb_transport_header(skb) -
+					skb_mac_header(skb) +
+					tcp_hdrlen(skb);
+
+				skb_shinfo(skb)->gso_segs =3D
+					DIV_ROUND_UP(skb->len - hdrlen, mss);
+			}
 		}
=20
 		queue->stats.rx_bytes +=3D skb->len;
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 2a57a365c711..b3aa2be1afb3 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2424,18 +2424,18 @@ static inline void skb_pop_mac_header(struct sk_buf=
f *skb)
 	skb->mac_header =3D skb->network_header;
 }
=20
-static inline void skb_probe_transport_header(struct sk_buff *skb,
-					      const int offset_hint)
+static inline bool skb_try_probe_transport_header(struct sk_buff *skb)
 {
 	struct flow_keys_basic keys;
=20
 	if (skb_transport_header_was_set(skb))
-		return;
+		return true;
=20
-	if (skb_flow_dissect_flow_keys_basic(skb, &keys, NULL, 0, 0, 0, 0))
-		skb_set_transport_header(skb, keys.control.thoff);
-	else
-		skb_set_transport_header(skb, offset_hint);
+	if (!skb_flow_dissect_flow_keys_basic(skb, &keys, NULL, 0, 0, 0, 0))
+		return false;
+
+	skb_set_transport_header(skb, keys.control.thoff);
+	return true;
 }
=20
 static inline void skb_mac_header_rebuild(struct sk_buff *skb)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index eedacdebcd4c..8fc76e68777a 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1970,7 +1970,7 @@ static int packet_sendmsg_spkt(struct socket *sock, s=
truct msghdr *msg,
 	if (unlikely(extra_len =3D=3D 4))
 		skb->no_fcs =3D 1;
=20
-	skb_probe_transport_header(skb, 0);
+	skb_try_probe_transport_header(skb);
=20
 	dev_queue_xmit(skb);
 	rcu_read_unlock();
@@ -2519,7 +2519,7 @@ static int tpacket_fill_skb(struct packet_sock *po, s=
truct sk_buff *skb,
 		len =3D ((to_write > len_max) ? len_max : to_write);
 	}
=20
-	skb_probe_transport_header(skb, 0);
+	skb_try_probe_transport_header(skb);
=20
 	return tp_len;
 }
@@ -2924,7 +2924,7 @@ static int packet_snd(struct socket *sock, struct msg=
hdr *msg, size_t len)
 		virtio_net_hdr_set_proto(skb, &vnet_hdr);
 	}
=20
-	skb_probe_transport_header(skb, reserve);
+	skb_try_probe_transport_header(skb);
=20
 	if (unlikely(extra_len =3D=3D 4))
 		skb->no_fcs =3D 1;
--=20
2.19.1