[PATCH net-next] mpls: drop skb's dst in mpls_forward()

[PATCH net-next] mpls: drop skb's dst in mpls_forward()

[Guillaume Nault]

Commit 394de110a733 ("net: Added pointer check for
dst->ops->neigh_lookup in dst_neigh_lookup_skb") added a test in
dst_neigh_lookup_skb() to avoid a NULL pointer dereference. The root
cause was the MPLS forwarding code, which doesn't call skb_dst_drop()
on incoming packets. That is, if the packet is received from a
collect_md device, it has a metadata_dst attached to it that doesn't
implement any dst_ops function.

To align the MPLS behaviour with IPv4 and IPv6, let's drop the dst in
mpls_forward(). This way, dst_neigh_lookup_skb() doesn't need to test
->neigh_lookup any more. Let's keep a WARN condition though, to
document the precondition and to ease detection of such problems in the
future.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 include/net/dst.h  | 12 +++++-------
 net/mpls/af_mpls.c |  2 ++
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/net/dst.h b/include/net/dst.h
index 8ea8812b0b41..10f0a8399867 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -400,14 +400,12 @@ static inline struct neighbour *dst_neigh_lookup(const struct dst_entry *dst, co
 static inline struct neighbour *dst_neigh_lookup_skb(const struct dst_entry *dst,
 						     struct sk_buff *skb)
 {
-	struct neighbour *n = NULL;
+	struct neighbour *n;
 
-	/* The packets from tunnel devices (eg bareudp) may have only
-	 * metadata in the dst pointer of skb. Hence a pointer check of
-	 * neigh_lookup is needed.
-	 */
-	if (dst->ops->neigh_lookup)
-		n = dst->ops->neigh_lookup(dst, skb, NULL);
+	if (WARN_ON_ONCE(!dst->ops->neigh_lookup))
+		return NULL;
+
+	n = dst->ops->neigh_lookup(dst, skb, NULL);
 
 	return IS_ERR(n) ? NULL : n;
 }
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index f2868a8a50c3..47bab701555f 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -377,6 +377,8 @@ static int mpls_forward(struct sk_buff *skb, struct net_device *dev,
 	if (!pskb_may_pull(skb, sizeof(*hdr)))
 		goto err;
 
+	skb_dst_drop(skb);
+
 	/* Read and decode the label */
 	hdr = mpls_hdr(skb);
 	dec = mpls_entry_decode(hdr);
-- 
2.21.3

Re: [PATCH net-next] mpls: drop skb's dst in mpls_forward()

[Jakub Kicinski]

On Sat, 31 Oct 2020 01:07:25 +0100 Guillaume Nault wrote:
> Commit 394de110a733 ("net: Added pointer check for
> dst->ops->neigh_lookup in dst_neigh_lookup_skb") added a test in
> dst_neigh_lookup_skb() to avoid a NULL pointer dereference. The root
> cause was the MPLS forwarding code, which doesn't call skb_dst_drop()
> on incoming packets. That is, if the packet is received from a
> collect_md device, it has a metadata_dst attached to it that doesn't
> implement any dst_ops function.
> 
> To align the MPLS behaviour with IPv4 and IPv6, let's drop the dst in
> mpls_forward(). This way, dst_neigh_lookup_skb() doesn't need to test
> ->neigh_lookup any more. Let's keep a WARN condition though, to  
> document the precondition and to ease detection of such problems in the
> future.
> 
> Signed-off-by: Guillaume Nault <gnault@redhat.com>

Applied, thanks!