[PATCH net-next] net: fix GSO for SG-enabled devices.

[PATCH net-next] net: fix GSO for SG-enabled devices.

[Paolo Abeni]

The commit dbd50f238dec ("net: move the hsize check to the else
block in skb_segment") introduced a data corruption for devices
supporting scatter-gather.

The problem boils down to signed/unsigned comparison given
unexpected results: if signed 'hsize' is negative, it will be
considered greater than a positive 'len', which is unsigned.

This commit addresses the issue explicitly casting 'len' to a
signed integer, so that the comparison gives the correct result.

Bisected-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Fixes: dbd50f238dec ("net: move the hsize check to the else block in skb_segment")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
note: a possible more readable alternative would be moving the
	if (hsize < 0)

before 'if (hsize > len)', but that was explicitly discouraged
in a previous iteration of the blamed commit to save a comparison,
so I opted to preserve that optimization.
---
 net/core/skbuff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index e835193cabcc3..27f69c0bd8393 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3938,7 +3938,7 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
 			skb_release_head_state(nskb);
 			__skb_push(nskb, doffset);
 		} else {
-			if (hsize > len || !sg)
+			if (hsize > (int)len || !sg)
 				hsize = len;
 			else if (hsize < 0)
 				hsize = 0;
-- 
2.26.2

RE: [PATCH net-next] net: fix GSO for SG-enabled devices.

[Alexander Duyck]

> -----Original Message-----
> From: Paolo Abeni <pabeni@redhat.com>
> Sent: Tuesday, January 19, 2021 4:31 AM
> To: netdev@vger.kernel.org
> Cc: David S . Miller <davem@davemloft.net>; Jakub Kicinski
> <kuba@kernel.org>; Alexander Duyck <alexanderduyck@fb.com>; Xin Long
> <lucien.xin@gmail.com>
> Subject: [PATCH net-next] net: fix GSO for SG-enabled devices.
> 
> The commit dbd50f238dec ("net: move the hsize check to the else block in
> skb_segment") introduced a data corruption for devices supporting scatter-
> gather.
> 
> The problem boils down to signed/unsigned comparison given unexpected
> results: if signed 'hsize' is negative, it will be considered greater than a
> positive 'len', which is unsigned.
> 
> This commit addresses the issue explicitly casting 'len' to a signed integer, so
> that the comparison gives the correct result.
> 
> Bisected-by: Matthieu Baerts <matthieu.baerts@tessares.net>
> Fixes: dbd50f238dec ("net: move the hsize check to the else block in
> skb_segment")
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
> note: a possible more readable alternative would be moving the
> 	if (hsize < 0)
> 
> before 'if (hsize > len)', but that was explicitly discouraged in a previous
> iteration of the blamed commit to save a comparison, so I opted to preserve
> that optimization.

I would say it is probably better to just moving the "hsize < 0" check. What I had suggested was a minor optimization and it hadn't occurred to me that this is a signed vs unsigned comparison.

> ---
>  net/core/skbuff.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c index
> e835193cabcc3..27f69c0bd8393 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -3938,7 +3938,7 @@ struct sk_buff *skb_segment(struct sk_buff
> *head_skb,
>  			skb_release_head_state(nskb);
>  			__skb_push(nskb, doffset);
>  		} else {
> -			if (hsize > len || !sg)
> +			if (hsize > (int)len || !sg)
>  				hsize = len;
>  			else if (hsize < 0)
>  				hsize = 0;