* [PATCH net] net: ip6_gre: set dev->hard_header_len when using header_ops
@ 2020-11-30 16:19 Antoine Tenart
2020-12-02 19:16 ` Jakub Kicinski
0 siblings, 1 reply; 2+ messages in thread
From: Antoine Tenart @ 2020-11-30 16:19 UTC (permalink / raw)
To: kuba; +Cc: Antoine Tenart, netdev, davem, kuznet, yoshfuji, Maria Pasechnik
syzkaller managed to crash the kernel using an NBMA ip6gre interface. I
could reproduce it creating an NBMA ip6gre interface and forwarding
traffic to it:
skbuff: skb_under_panic: text:ffffffff8250e927 len:148 put:44 head:ffff8c03c7a33
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:109!
Call Trace:
skb_push+0x10/0x10
ip6gre_header+0x47/0x1b0
neigh_connected_output+0xae/0xf0
ip6gre tunnel provides its own header_ops->create, and sets it
conditionally when initializing the tunnel in NBMA mode. When
header_ops->create is used, dev->hard_header_len should reflect the
length of the header created. Otherwise, when not used,
dev->needed_headroom should be used.
Fixes: eb95f52fc72d ("net: ipv6_gre: Fix GRO to work on IPv6 over GRE tap")
Cc: Maria Pasechnik <mariap@mellanox.com>
Signed-off-by: Antoine Tenart <atenart@kernel.org>
---
net/ipv6/ip6_gre.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 8cf659994412..c3bc89b6b1a1 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1133,8 +1133,13 @@ static void ip6gre_tnl_link_config_route(struct ip6_tnl *t, int set_mtu,
return;
if (rt->dst.dev) {
- dev->needed_headroom = rt->dst.dev->hard_header_len +
- t_hlen;
+ unsigned short dst_len = rt->dst.dev->hard_header_len +
+ t_hlen;
+
+ if (t->dev->header_ops)
+ dev->hard_header_len = dst_len;
+ else
+ dev->needed_headroom = dst_len;
if (set_mtu) {
dev->mtu = rt->dst.dev->mtu - t_hlen;
@@ -1159,7 +1164,12 @@ static int ip6gre_calc_hlen(struct ip6_tnl *tunnel)
tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen;
t_hlen = tunnel->hlen + sizeof(struct ipv6hdr);
- tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen;
+
+ if (tunnel->dev->header_ops)
+ tunnel->dev->hard_header_len = LL_MAX_HEADER + t_hlen;
+ else
+ tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen;
+
return t_hlen;
}
--
2.28.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] net: ip6_gre: set dev->hard_header_len when using header_ops
2020-11-30 16:19 [PATCH net] net: ip6_gre: set dev->hard_header_len when using header_ops Antoine Tenart
@ 2020-12-02 19:16 ` Jakub Kicinski
0 siblings, 0 replies; 2+ messages in thread
From: Jakub Kicinski @ 2020-12-02 19:16 UTC (permalink / raw)
To: Antoine Tenart; +Cc: netdev, davem, kuznet, yoshfuji, Maria Pasechnik
On Mon, 30 Nov 2020 17:19:11 +0100 Antoine Tenart wrote:
> syzkaller managed to crash the kernel using an NBMA ip6gre interface. I
> could reproduce it creating an NBMA ip6gre interface and forwarding
> traffic to it:
>
> skbuff: skb_under_panic: text:ffffffff8250e927 len:148 put:44 head:ffff8c03c7a33
> ------------[ cut here ]------------
> kernel BUG at net/core/skbuff.c:109!
> Call Trace:
> skb_push+0x10/0x10
> ip6gre_header+0x47/0x1b0
> neigh_connected_output+0xae/0xf0
>
> ip6gre tunnel provides its own header_ops->create, and sets it
> conditionally when initializing the tunnel in NBMA mode. When
> header_ops->create is used, dev->hard_header_len should reflect the
> length of the header created. Otherwise, when not used,
> dev->needed_headroom should be used.
>
> Fixes: eb95f52fc72d ("net: ipv6_gre: Fix GRO to work on IPv6 over GRE tap")
> Cc: Maria Pasechnik <mariap@mellanox.com>
> Signed-off-by: Antoine Tenart <atenart@kernel.org>
Applied, thank you!
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-12-02 19:17 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-30 16:19 [PATCH net] net: ip6_gre: set dev->hard_header_len when using header_ops Antoine Tenart
2020-12-02 19:16 ` Jakub Kicinski
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.