From: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: "David S. Miller" <davem@davemloft.net>,
Pravin Shelar <pshelar@ovn.org>,
netdev@vger.kernel.org,
Shmulik Ladkani <shmulik.ladkani@gmail.com>,
Jiri Pirko <jiri@mellanox.com>
Subject: Re: [PATCH v2 net] net: skbuff: skb_vlan_push: Fix wrong unwinding of skb->data after __vlan_insert_tag call
Date: Wed, 28 Sep 2016 14:56:44 +0300 [thread overview]
Message-ID: <20160928145644.662ecc04@pixies> (raw)
In-Reply-To: <57EB9BE0.4080903@iogearbox.net>
Hi,
On Wed, 28 Sep 2016 12:30:56 +0200, daniel@iogearbox.net wrote:
> > @@ -4608,6 +4608,8 @@ int skb_vlan_push(struct sk_buff *skb, __be16 vlan_proto, u16 vlan_tci)
> >
> > skb->protocol = skb->vlan_proto;
> > skb->mac_len += VLAN_HLEN;
> > + if (offset)
> > + offset += VLAN_HLEN;
> >
> > skb_postpush_rcsum(skb, skb->data + (2 * ETH_ALEN), VLAN_HLEN);
> > __skb_pull(skb, offset);
>
> This looks much better indeed than your v1 of this patch.
Yep, after some meditation and history digging I happened to notice I
was barking at the wrong tree.
> So the issue might only be visible to act_vlan as the other remaining user of
> skb_vlan_push().
Yes, this is correct. I'll amend the log message to express that.
The bug occurs for callers of skb_vlan_push() whose data is not
pointing at mac_header.
> My only question would be:
> what about __skb_vlan_pop(), wouldn't that then need the same adjustment
> a la offset -= VLAN_HLEN?
Well, theoretically, yes; but caller may expect 2 different things:
(assuming tags are in-payload)
(1) suppose upon entry we have
DA,SA,0x8100,TCI,0x0800,
^ ^
mac_hdr data
initial offset is 18, and after current unwinding code we'll get
DA,SA,0x0800,4_bytes,
^ ^
mac_hdr data
which is probably incorrect, adjustment 'offset -= VLAN_HLEN' is needed.
(2) suppose upon entry we have
DA,SA,0x8100,TCI,0x0800
^ ^
mac_hdr data
initial offset is 14, and after current unwinding code we'll get
DA,SA,0x0800,
^ ^
mac_hdr data
which is probably what user has intended.
(had we adjusted offset to be 10, 'data' would point into SA)
From test I've made using act_vlan upon ingress on QinQ tags, existing call
provides data as in (2).
Thoughts?
Should we adjust "offset" back, only if resulting offset is >=14 ?
Thanks,
Shmulik
next prev parent reply other threads:[~2016-09-28 11:56 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-28 9:08 [PATCH v2 net] net: skbuff: skb_vlan_push: Fix wrong unwinding of skb->data after __vlan_insert_tag call Shmulik Ladkani
2016-09-28 10:30 ` Daniel Borkmann
2016-09-28 11:56 ` Shmulik Ladkani [this message]
2016-09-28 14:43 ` Daniel Borkmann
2016-09-28 17:11 ` Shmulik Ladkani
2016-09-28 17:42 ` Shmulik Ladkani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160928145644.662ecc04@pixies \
--to=shmulik.ladkani@ravellosystems.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jiri@mellanox.com \
--cc=netdev@vger.kernel.org \
--cc=pshelar@ovn.org \
--cc=shmulik.ladkani@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.