From: Eric Leblond <eric@regit.org>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, linux-wireless@vger.kernel.org,
linville@tuxdriver.com, Eric Dumazet <eric.dumazet@gmail.com>
Subject: Re: [PATCH] ipv4: ip_check_defrag must not modify skb before unsharing
Date: Mon, 10 Dec 2012 12:02:58 +0100
Message-ID: <1355137378.5391.2.camel@tiger2>
In-Reply-To: <1355132466.9857.6.camel@jlt4.sipsolutions.net>
Hello,
On Mon, 2012-12-10 at 10:41 +0100, Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@intel.com>
>
> ip_check_defrag() might be called from af_packet within the
> RX path where shared SKBs are used, so it must not modify
> the input SKB before it has unshared it for defragmentation.
> Use skb_copy_bits() to get the IP header and only pull in
> everything later.
>
> The same is true for the other caller in macvlan as it is
> called from dev->rx_handler which can also get a shared SKB.
I've applied the patch and built a new kernel. I did not manage to get
it to crash using the two techniques (suspend to RAM and down/up of the
interface) that worked well to crash the kernel without the patch.
BR,
> Reported-by: Eric Leblond <eric@regit.org>
> Cc: stable@vger.kernel.org
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> ---
> For some versions of the kernel, this code goes into af_packet.c
>
> net/ipv4/ip_fragment.c | 19 +++++++++----------
> 1 file changed, 9 insertions(+), 10 deletions(-)
>
> diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
> index 448e685..8d5cc75 100644
> --- a/net/ipv4/ip_fragment.c
> +++ b/net/ipv4/ip_fragment.c
> @@ -707,28 +707,27 @@ EXPORT_SYMBOL(ip_defrag);
>
> struct sk_buff *ip_check_defrag(struct sk_buff *skb, u32 user)
> {
> - const struct iphdr *iph;
> + struct iphdr iph;
> u32 len;
>
> if (skb->protocol != htons(ETH_P_IP))
> return skb;
>
> - if (!pskb_may_pull(skb, sizeof(struct iphdr)))
> + if (!skb_copy_bits(skb, 0, &iph, sizeof(iph)))
> return skb;
>
> - iph = ip_hdr(skb);
> - if (iph->ihl < 5 || iph->version != 4)
> + if (iph.ihl < 5 || iph.version != 4)
> return skb;
> - if (!pskb_may_pull(skb, iph->ihl*4))
> - return skb;
> - iph = ip_hdr(skb);
> - len = ntohs(iph->tot_len);
> - if (skb->len < len || len < (iph->ihl * 4))
> +
> + len = ntohs(iph.tot_len);
> + if (skb->len < len || len < (iph.ihl * 4))
> return skb;
>
> - if (ip_is_fragment(ip_hdr(skb))) {
> + if (ip_is_fragment(&iph)) {
> skb = skb_share_check(skb, GFP_ATOMIC);
> if (skb) {
> + if (!pskb_may_pull(skb, iph.ihl*4))
> + return skb;
> if (pskb_trim_rcsum(skb, len))
> return skb;
> memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
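Review bot: the sense of the new header check `+ if (!skb_copy_bits(skb, 0, &iph, sizeof(iph)))` is inverted. skb_copy_bits() returns 0 on success and a negative error when the requested bytes are not present in the skb, so as written ip_check_defrag() returns the untouched skb exactly when the IP header was copied successfully, and only continues (with `iph` uninitialised) when the copy failed. It should read `if (skb_copy_bits(skb, 0, &iph, sizeof(iph)) < 0) return skb;`. With the test inverted, fragments are never handed to ip_defrag() at all, so a kernel that no longer crashes under the old reproducer does not on its own show that the unsharing fix is correct; the corrected condition should be re-tested with fragmented traffic to confirm reassembly still happens. The rest of the restructuring looks right: the header is read into a stack copy without touching the skb, and pskb_may_pull() on the full `iph.ihl*4` header now runs only after skb_share_check() has produced a private skb, which is exactly what the commit message requires for the af_packet and macvlan callers.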
--
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/