* [PATCH net-next] net: fix GSO for SG-enabled devices.
@ 2021-01-19 12:30 Paolo Abeni
2021-01-19 16:35 ` Alexander Duyck
0 siblings, 1 reply; 2+ messages in thread
From: Paolo Abeni @ 2021-01-19 12:30 UTC (permalink / raw)
To: netdev; +Cc: David S . Miller, Jakub Kicinski, Alexander Duyck, Xin Long
The commit dbd50f238dec ("net: move the hsize check to the else
block in skb_segment") introduced a data corruption for devices
supporting scatter-gather.
The problem boils down to signed/unsigned comparison given
unexpected results: if signed 'hsize' is negative, it will be
considered greater than a positive 'len', which is unsigned.
This commit addresses the issue explicitly casting 'len' to a
signed integer, so that the comparison gives the correct result.
Bisected-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Fixes: dbd50f238dec ("net: move the hsize check to the else block in skb_segment")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
note: a possible more readable alternative would be moving the
if (hsize < 0)
before 'if (hsize > len)', but that was explicitly discouraged
in a previous iteration of the blamed commit to save a comparison,
so I opted to preserve that optimization.
---
net/core/skbuff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index e835193cabcc3..27f69c0bd8393 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3938,7 +3938,7 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
skb_release_head_state(nskb);
__skb_push(nskb, doffset);
} else {
- if (hsize > len || !sg)
+ if (hsize > (int)len || !sg)
hsize = len;
else if (hsize < 0)
hsize = 0;
--
2.26.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* RE: [PATCH net-next] net: fix GSO for SG-enabled devices.
2021-01-19 12:30 [PATCH net-next] net: fix GSO for SG-enabled devices Paolo Abeni
@ 2021-01-19 16:35 ` Alexander Duyck
0 siblings, 0 replies; 2+ messages in thread
From: Alexander Duyck @ 2021-01-19 16:35 UTC (permalink / raw)
To: Paolo Abeni, netdev; +Cc: David S . Miller, Jakub Kicinski, Xin Long
> -----Original Message-----
> From: Paolo Abeni <pabeni@redhat.com>
> Sent: Tuesday, January 19, 2021 4:31 AM
> To: netdev@vger.kernel.org
> Cc: David S . Miller <davem@davemloft.net>; Jakub Kicinski
> <kuba@kernel.org>; Alexander Duyck <alexanderduyck@fb.com>; Xin Long
> <lucien.xin@gmail.com>
> Subject: [PATCH net-next] net: fix GSO for SG-enabled devices.
>
> The commit dbd50f238dec ("net: move the hsize check to the else block in
> skb_segment") introduced a data corruption for devices supporting scatter-
> gather.
>
> The problem boils down to signed/unsigned comparison given unexpected
> results: if signed 'hsize' is negative, it will be considered greater than a
> positive 'len', which is unsigned.
>
> This commit addresses the issue explicitly casting 'len' to a signed integer, so
> that the comparison gives the correct result.
>
> Bisected-by: Matthieu Baerts <matthieu.baerts@tessares.net>
> Fixes: dbd50f238dec ("net: move the hsize check to the else block in
> skb_segment")
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
> note: a possible more readable alternative would be moving the
> if (hsize < 0)
>
> before 'if (hsize > len)', but that was explicitly discouraged in a previous
> iteration of the blamed commit to save a comparison, so I opted to preserve
> that optimization.
I would say it is probably better to just moving the "hsize < 0" check. What I had suggested was a minor optimization and it hadn't occurred to me that this is a signed vs unsigned comparison.
> ---
> net/core/skbuff.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c index
> e835193cabcc3..27f69c0bd8393 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -3938,7 +3938,7 @@ struct sk_buff *skb_segment(struct sk_buff
> *head_skb,
> skb_release_head_state(nskb);
> __skb_push(nskb, doffset);
> } else {
> - if (hsize > len || !sg)
> + if (hsize > (int)len || !sg)
> hsize = len;
> else if (hsize < 0)
> hsize = 0;
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-01-19 18:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-19 12:30 [PATCH net-next] net: fix GSO for SG-enabled devices Paolo Abeni
2021-01-19 16:35 ` Alexander Duyck
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).