[PATCH] drivers/net/wan/lapbether.c: Fixed kernel panic when used with AF_PACKET sockets

[PATCH] drivers/net/wan/lapbether.c: Fixed kernel panic when used with AF_PACKET sockets

[Xie He]

When we use "AF_PACKET" sockets to send data directly over LAPB over
Ethernet using this driver, the kernel will panic because of
insufficient header space allocated in the "sk_buff" struct.

The header space needs 18 bytes because:
  the lapbether driver will remove a pseudo header of 1 byte;
  the lapb module will prepend the LAPB header of 2 or 3 bytes;
  the lapbether driver will prepend a length field of 2 bytes and the
Ethernet header of 14 bytes.

So -1 + 3 + 16 = 18.

Signed-off-by: Xie He <hexie3605@gmail.com>
---
 drivers/net/wan/lapbether.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
index e30d91a38cfb..619413f5d432 100644
--- a/drivers/net/wan/lapbether.c
+++ b/drivers/net/wan/lapbether.c
@@ -303,7 +303,8 @@ static void lapbeth_setup(struct net_device *dev)
 	dev->netdev_ops	     = &lapbeth_netdev_ops;
 	dev->needs_free_netdev = true;
 	dev->type            = ARPHRD_X25;
-	dev->hard_header_len = 3;
+	/* 18 = -1 (lapbether) + 3 (lapb) + 16 (lapbether) */
+	dev->hard_header_len = 18;
 	dev->mtu             = 1000;
 	dev->addr_len        = 0;
 }
-- 
2.25.1

Re: [PATCH] drivers/net/wan/lapbether.c: Fixed kernel panic when used with AF_PACKET sockets

[David Miller]

From: Xie He <hexie3605@gmail.com>
Date: Wed, 27 May 2020 20:21:33 -0700

> When we use "AF_PACKET" sockets to send data directly over LAPB over
> Ethernet using this driver, the kernel will panic because of
> insufficient header space allocated in the "sk_buff" struct.
> 
> The header space needs 18 bytes because:
>   the lapbether driver will remove a pseudo header of 1 byte;
>   the lapb module will prepend the LAPB header of 2 or 3 bytes;
>   the lapbether driver will prepend a length field of 2 bytes and the
> Ethernet header of 14 bytes.
> 
> So -1 + 3 + 16 = 18.
> 
> Signed-off-by: Xie He <hexie3605@gmail.com>

This is not the real problem.

The real problem is that this is a stacked, layered, device and the
lapbether driver does not take the inner device's header length into
consideration.  It should take this from the child device's netdev
structure rather than use constants.

Your test case will still fail when lapbether is stacked on top of a
VLAN device or similar, even with your changes.

Re: [PATCH] drivers/net/wan/lapbether.c: Fixed kernel panic when used with AF_PACKET sockets

[Xie He]

From: David Miller <davem@davemloft.net>
Date: Mon, Jun 1, 2020 at 11:32 AM -0700
>
> From: Xie He <hexie3605@gmail.com>
> Date: Wed, 27 May 2020 20:21:33 -0700
>
> > When we use "AF_PACKET" sockets to send data directly over LAPB over
> > Ethernet using this driver, the kernel will panic because of
> > insufficient header space allocated in the "sk_buff" struct.
> >
> > The header space needs 18 bytes because:
> >   the lapbether driver will remove a pseudo header of 1 byte;
> >   the lapb module will prepend the LAPB header of 2 or 3 bytes;
> >   the lapbether driver will prepend a length field of 2 bytes and the
> > Ethernet header of 14 bytes.
> >
> > So -1 + 3 + 16 = 18.
> >
> > Signed-off-by: Xie He <hexie3605@gmail.com>
>
> This is not the real problem.
>
> The real problem is that this is a stacked, layered, device and the
> lapbether driver does not take the inner device's header length into
> consideration.  It should take this from the child device's netdev
> structure rather than use constants.
>
> Your test case will still fail when lapbether is stacked on top of a
> VLAN device or similar, even with your changes.

Thank you for your email! I'm sorry I didn't see your email previously
because of problems with my mailbox.

Yes, you are right. I'll use better ways to improve this and re-submit
my patch. Thanks for pointing this out.