* [PATCH] Signed-off-by: Peter Kosyh <p.kosyh@gmail.com> @ 2019-07-18 9:41 Peter Kosyh 2019-07-18 14:02 ` David Ahern 0 siblings, 1 reply; 6+ messages in thread From: Peter Kosyh @ 2019-07-18 9:41 UTC (permalink / raw) To: p.kosyh; +Cc: davem, David Ahern, Shrijeet Mukherjee, netdev, linux-kernel vrf_process_v4_outbound() and vrf_process_v6_outbound() do routing using ip/ipv6 addresses, but don't make sure the header is available in skb->data[] (skb_headlen() is less then header size). The situation may occures while forwarding from MPLS layer to vrf, for example. So, this patch adds pskb_may_pull() calls in is_ip_tx_frame(), just before call to vrf_process_... functions. Signed-off-by: Peter Kosyh <p.kosyh@gmail.com> --- drivers/net/vrf.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c index 54edf8956a25..d552f29a58d1 100644 --- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c @@ -292,13 +292,16 @@ static netdev_tx_t is_ip_tx_frame(struct sk_buff *skb, struct net_device *dev) { switch (skb->protocol) { case htons(ETH_P_IP): + if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct iphdr)) + break; return vrf_process_v4_outbound(skb, dev); case htons(ETH_P_IPV6): + if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct ipv6hdr)) + break; return vrf_process_v6_outbound(skb, dev); - default: - vrf_tx_error(dev, skb); - return NET_XMIT_DROP; } + vrf_tx_error(dev, skb); + return NET_XMIT_DROP; } static netdev_tx_t vrf_xmit(struct sk_buff *skb, struct net_device *dev) -- 2.11.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
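Review bot: both added if lines in is_ip_tx_frame() are missing a closing parenthesis, so the hunk does not compile. "if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct iphdr))" closes sizeof() and pskb_may_pull() but never the if itself, and the ETH_P_IPV6 case has the same problem. Add the third ")" to each condition before resending.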
* Re: [PATCH] Signed-off-by: Peter Kosyh <p.kosyh@gmail.com> 2019-07-18 9:41 [PATCH] Signed-off-by: Peter Kosyh <p.kosyh@gmail.com> Peter Kosyh @ 2019-07-18 14:02 ` David Ahern 2019-07-18 18:44 ` David Miller 2019-07-19 8:11 ` [PATCH v2] vrf: make sure skb->data contains ip header to make routing Peter Kosyh 0 siblings, 2 replies; 6+ messages in thread From: David Ahern @ 2019-07-18 14:02 UTC (permalink / raw) To: Peter Kosyh; +Cc: davem, Shrijeet Mukherjee, netdev, linux-kernel your subject line needs a proper Subject - a one-line summary of the change starting with 'vrf:'. See examples from 'git log drivers/net/vrf.c' On 7/18/19 3:41 AM, Peter Kosyh wrote: > vrf_process_v4_outbound() and vrf_process_v6_outbound() do routing > using ip/ipv6 addresses, but don't make sure the header is available in > skb->data[] (skb_headlen() is less then header size). > > The situation may occures while forwarding from MPLS layer to vrf, for > example. so the use case is a label pop with the nexthop as the VRF device? > > So, this patch adds pskb_may_pull() calls in is_ip_tx_frame(), just before > call to vrf_process_... functions. > > Signed-off-by: Peter Kosyh <p.kosyh@gmail.com> > --- > drivers/net/vrf.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c > index 54edf8956a25..d552f29a58d1 100644 > --- a/drivers/net/vrf.c > +++ b/drivers/net/vrf.c 
> @@ -292,13 +292,16 @@ static netdev_tx_t is_ip_tx_frame(struct sk_buff *skb, struct net_device *dev) > { > switch (skb->protocol) { > case htons(ETH_P_IP): > + if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct iphdr)) > + break; that check goes in vrf_process_v4_outbound. > return vrf_process_v4_outbound(skb, dev); > case htons(ETH_P_IPV6): > + if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct ipv6hdr)) > + break; that check goes in vrf_process_v6_outbound leave this higher level sorter untouched. > return vrf_process_v6_outbound(skb, dev); > - default: > - vrf_tx_error(dev, skb); > - return NET_XMIT_DROP; > } > + vrf_tx_error(dev, skb); > + return NET_XMIT_DROP; > } > > static netdev_tx_t vrf_xmit(struct sk_buff *skb, struct net_device *dev) > ^ permalink raw reply [flat|nested] 6+ messages in thread
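Review bot: the pull length in both quoted cases is ETH_HLEN plus the header size, which assumes skb->data starts at an Ethernet header with the IP header immediately after it, and nothing in the hunk states that. Wherever the check ends up, say so in a short comment, or derive the offset from skb_network_offset(skb) so the length follows the real header position.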
* Re: [PATCH] Signed-off-by: Peter Kosyh <p.kosyh@gmail.com>
From: David Miller @ 2019-07-18 18:44 UTC
To: dsa; +Cc: p.kosyh, shrijeet, netdev, linux-kernel

From: David Ahern <dsa@cumulusnetworks.com>
Date: Thu, 18 Jul 2019 08:02:45 -0600

> your subject line needs a proper Subject - a one-line summary of the
> change starting with 'vrf:'. See examples from 'git log drivers/net/vrf.c'

Indeed, you really need to fix this even for your second submission as it
had the same exact problem.
* [PATCH v2] vrf: make sure skb->data contains ip header to make routing 2019-07-18 14:02 ` David Ahern 2019-07-18 18:44 ` David Miller @ 2019-07-19 8:11 ` Peter Kosyh 2019-07-19 19:17 ` David Ahern 2019-07-21 20:33 ` David Miller 1 sibling, 2 replies; 6+ messages in thread From: Peter Kosyh @ 2019-07-19 8:11 UTC (permalink / raw) To: David Ahern; +Cc: davem, Peter Kosyh, Shrijeet Mukherjee, netdev, linux-kernel vrf_process_v4_outbound() and vrf_process_v6_outbound() do routing using ip/ipv6 addresses, but don't make sure the header is available in skb->data[] (skb_headlen() is less then header size). Case: 1) igb driver from intel. 2) Packet size is greater then 255. 3) MPLS forwards to VRF device. So, patch adds pskb_may_pull() calls in vrf_process_v4/v6_outbound() functions. Signed-off-by: Peter Kosyh <p.kosyh@gmail.com> --- drivers/net/vrf.c | 58 +++++++++++++++++++++++++++++++++---------------------- 1 file changed, 35 insertions(+), 23 deletions(-) diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c index 54edf8956a25..6e84328bdd40 100644 --- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c 
@@ -165,23 +165,29 @@ static int vrf_ip6_local_out(struct net *net, struct sock *sk, static netdev_tx_t vrf_process_v6_outbound(struct sk_buff *skb, struct net_device *dev) { - const struct ipv6hdr *iph = ipv6_hdr(skb); + const struct ipv6hdr *iph; struct net *net = dev_net(skb->dev); - struct flowi6 fl6 = { - /* needed to match OIF rule */ - .flowi6_oif = dev->ifindex, - .flowi6_iif = LOOPBACK_IFINDEX, - .daddr = iph->daddr, - .saddr = iph->saddr, - .flowlabel = ip6_flowinfo(iph), - .flowi6_mark = skb->mark, - .flowi6_proto = iph->nexthdr, - .flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF, - }; + struct flowi6 fl6; int ret = NET_XMIT_DROP; struct dst_entry *dst; struct dst_entry *dst_null = &net->ipv6.ip6_null_entry->dst; + if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct ipv6hdr))) + goto err; + + iph = ipv6_hdr(skb); + + memset(&fl6, 0, sizeof(fl6)); + /* needed to match OIF rule */ + fl6.flowi6_oif = dev->ifindex; + fl6.flowi6_iif = LOOPBACK_IFINDEX; + fl6.daddr = iph->daddr; + fl6.saddr = iph->saddr; + fl6.flowlabel = ip6_flowinfo(iph); + fl6.flowi6_mark = skb->mark; + fl6.flowi6_proto = iph->nexthdr; + fl6.flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF; + dst = ip6_route_output(net, NULL, &fl6); if (dst == dst_null) goto err; 
@@ -237,21 +243,27 @@ static int vrf_ip_local_out(struct net *net, struct sock *sk, static netdev_tx_t vrf_process_v4_outbound(struct sk_buff *skb, struct net_device *vrf_dev) { - struct iphdr *ip4h = ip_hdr(skb); + struct iphdr *ip4h; int ret = NET_XMIT_DROP; - struct flowi4 fl4 = { - /* needed to match OIF rule */ - .flowi4_oif = vrf_dev->ifindex, - .flowi4_iif = LOOPBACK_IFINDEX, - .flowi4_tos = RT_TOS(ip4h->tos), - .flowi4_flags = FLOWI_FLAG_ANYSRC | FLOWI_FLAG_SKIP_NH_OIF, - .flowi4_proto = ip4h->protocol, - .daddr = ip4h->daddr, - .saddr = ip4h->saddr, - }; + struct flowi4 fl4; struct net *net = dev_net(vrf_dev); struct rtable *rt; + if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct iphdr))) + goto err; + + ip4h = ip_hdr(skb); + + memset(&fl4, 0, sizeof(fl4)); + /* needed to match OIF rule */ + fl4.flowi4_oif = vrf_dev->ifindex; + fl4.flowi4_iif = LOOPBACK_IFINDEX; + fl4.flowi4_tos = RT_TOS(ip4h->tos); + fl4.flowi4_flags = FLOWI_FLAG_ANYSRC | FLOWI_FLAG_SKIP_NH_OIF; + fl4.flowi4_proto = ip4h->protocol; + fl4.daddr = ip4h->daddr; + fl4.saddr = ip4h->saddr; + rt = ip_route_output_flow(net, &fl4, NULL); if (IS_ERR(rt)) goto err; -- 2.11.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
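Review bot: in the vrf_process_v6_outbound() hunk, most of the churn comes from replacing the designated initializer of fl6 with memset() plus field-by-field assignments, which makes a one-check fix harder to review and to backport. Only daddr, saddr, flowlabel and flowi6_proto read the header; keeping the initializer for flowi6_oif, flowi6_iif, flowi6_mark and flowi6_flags and assigning just those four fields after the pull would give a smaller diff.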
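Review bot: in the vrf_process_v4_outbound() hunk, the reason ip4h is now assigned after pskb_may_pull() deserves a comment: the pull can reallocate the skb head, so a pointer taken from ip_hdr(skb) before the call may be stale afterwards. The order in the hunk is right; a one-line comment above "ip4h = ip_hdr(skb);" would keep a later cleanup from folding it back into the declaration.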
* Re: [PATCH v2] vrf: make sure skb->data contains ip header to make routing
From: David Ahern @ 2019-07-19 19:17 UTC
To: Peter Kosyh; +Cc: davem, Shrijeet Mukherjee, netdev, linux-kernel

On 7/19/19 2:11 AM, Peter Kosyh wrote:
> vrf_process_v4_outbound() and vrf_process_v6_outbound() do routing
> using ip/ipv6 addresses, but don't make sure the header is available
> in skb->data[] (skb_headlen() is less than header size).
>
> Case:
>
> 1) igb driver from Intel.
> 2) Packet size is greater than 255.
> 3) MPLS forwards to VRF device.
>
> So, patch adds pskb_may_pull() calls in vrf_process_v4/v6_outbound()
> functions.
>
> Signed-off-by: Peter Kosyh <p.kosyh@gmail.com>
> ---
> drivers/net/vrf.c | 58 +++++++++++++++++++++++++++++++++----------------------
> 1 file changed, 35 insertions(+), 23 deletions(-)
>

Reviewed-by: David Ahern <dsa@cumulusnetworks.com>
* Re: [PATCH v2] vrf: make sure skb->data contains ip header to make routing
From: David Miller @ 2019-07-21 20:33 UTC
To: p.kosyh; +Cc: dsa, shrijeet, netdev, linux-kernel

From: Peter Kosyh <p.kosyh@gmail.com>
Date: Fri, 19 Jul 2019 11:11:47 +0300

> vrf_process_v4_outbound() and vrf_process_v6_outbound() do routing
> using ip/ipv6 addresses, but don't make sure the header is available
> in skb->data[] (skb_headlen() is less than header size).
>
> Case:
>
> 1) igb driver from Intel.
> 2) Packet size is greater than 255.
> 3) MPLS forwards to VRF device.
>
> So, patch adds pskb_may_pull() calls in vrf_process_v4/v6_outbound()
> functions.
>
> Signed-off-by: Peter Kosyh <p.kosyh@gmail.com>

Applied and queued up for -stable, thanks.
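The condition the commit message describes (skb_headlen() smaller than the header being read) and what the pskb_may_pull() guard changes, as an added userspace model in C. It is not kernel code and not part of the patch: struct pkt, may_pull(), read_daddr() and demo() are hypothetical names, and the sample packet is constructed.

```c
#include <stdint.h>
#include <string.h>

#define HEAD_CAP 64   /* size of the linear area in this model */
#define IPV4_HLEN 20  /* fixed IPv4 header, the size of struct iphdr */

/* Userspace model of an skb: linear head (skb->data) plus one fragment. */
struct pkt {
    uint8_t head[HEAD_CAP];
    size_t headlen;           /* models skb_headlen() */
    const uint8_t *frag;      /* bytes not yet in the linear area */
    size_t fraglen;
};

/* Model of pskb_may_pull(): make the first len bytes linear, or fail. */
static int may_pull(struct pkt *p, size_t len)
{
    size_t need = len > p->headlen ? len - p->headlen : 0;

    if (need == 0)
        return 1;             /* already linear */
    if (len > HEAD_CAP || need > p->fraglen)
        return 0;             /* packet is shorter than the header */
    memcpy(p->head + p->headlen, p->frag, need);
    p->headlen += need;
    p->frag += need;
    p->fraglen -= need;
    return 1;
}

/* Read the IPv4 destination address at offset off, only after the pull. */
static int read_daddr(struct pkt *p, size_t off, uint8_t daddr[4])
{
    if (!may_pull(p, off + IPV4_HLEN))
        return -1;            /* drop instead of reading past the head */
    memcpy(daddr, p->head + off + 16, 4);
    return 0;
}

/* Constructed packet: 14 bytes in the head, fraglen header bytes in the fragment. */
int demo(size_t fraglen, uint8_t daddr[4])
{
    static const uint8_t hdr[IPV4_HLEN] = { 0x45, [9] = 17,
        [12] = 10, 0, 0, 1, [16] = 192, 0, 2, 7 };
    struct pkt p = { .headlen = 14, .frag = hdr, .fraglen = fraglen };

    return read_daddr(&p, 14, daddr);
}
```

Without the may_pull() call, read_daddr() would copy from head bytes that were never filled in, which is the read the patch guards against.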