From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net] pppoe: take ->needed_headroom of lower device into account on xmit
Date: Tue, 23 Jan 2018 19:46:10 -0500 (EST)
Message-ID: <20180123.194610.1683271824751989350.davem@davemloft.net>
References:
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, mostrows@earthlink.net, johannes@sipsolutions.net, lucien.xin@gmail.com
To: g.nault@alphalink.fr
Return-path:
Received: from shards.monkeyblade.net ([184.105.139.130]:34656 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752705AbeAXAqN (ORCPT ); Tue, 23 Jan 2018 19:46:13 -0500
In-Reply-To:
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Guillaume Nault
Date: Mon, 22 Jan 2018 18:06:37 +0100

> In pppoe_sendmsg(), reserving dev->hard_header_len bytes of headroom
> was probably fine before the introduction of ->needed_headroom in
> commit f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom").
>
> But now, virtual devices typically advertise the size of their overhead
> in dev->needed_headroom, so we must also take it into account in
> skb_reserve().
> Allocation size of skb is also updated to take dev->needed_tailroom
> into account and replace the arbitrary 32 bytes with the real size of
> a PPPoE header.
>
> This issue was discovered by syzbot, who connected a pppoe socket to a
> gre device which had dev->header_ops->create == ipgre_header and
> dev->hard_header_len == 0. Therefore, PPPoE didn't reserve any
> headroom, and dev_hard_header() crashed when ipgre_header() tried to
> prepend its header to skb->data.
 ...
> Admittedly PPPoE shouldn't be allowed to run on non Ethernet-like
> interfaces, but reserving space for ->needed_headroom is a more
> fundamental issue that needs to be addressed first.
>
> Same problem exists for __pppoe_xmit(), which also needs to take
> dev->needed_headroom into account in skb_cow_head().
>
> Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom")
> Reported-by: syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c14d@syzkaller.appspotmail.com
> Signed-off-by: Guillaume Nault

Applied, thanks Guillaume.
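
The headroom accounting described in the quoted commit message, as an added example that is not part of this e-mail and is not kernel code: a user-space toy model in which a header prepend fails cleanly when less headroom was reserved than the lower device's header needs. All toy_* names and the byte counts (28, 24, 14) are constructed for illustration; only the field names hard_header_len and needed_headroom come from the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for an skb's linear buffer: data must never move below buf. */
struct toy_skb { unsigned char buf[128]; unsigned char *data; };

/* Constructed device description; create_len models the number of bytes the
 * device's header_ops->create callback prepends (an assumption of this model). */
struct toy_dev { size_t hard_header_len, needed_headroom, create_len; };

/* Constructed sample devices: a tunnel-like one that advertises its overhead
 * only in needed_headroom, and an Ethernet-like one. */
static const struct toy_dev toy_gre = { 0, 28, 24 };
static const struct toy_dev toy_eth = { 14, 0, 14 };

/* Like skb_push(), but returns NULL on underflow instead of crashing. */
static unsigned char *toy_push(struct toy_skb *skb, size_t len)
{
    if ((size_t)(skb->data - skb->buf) < len)
        return NULL;            /* header would start before the buffer */
    skb->data -= len;
    return skb->data;
}

/* Reserve headroom, then let the lower device prepend its header.
 * Returns 0 if the header fits, -1 on headroom underflow. */
static int toy_xmit(const struct toy_dev *dev, int use_needed_headroom)
{
    struct toy_skb skb;
    size_t room = dev->hard_header_len;
    unsigned char *hdr;

    if (use_needed_headroom)
        room += dev->needed_headroom;   /* the accounting the message asks for */
    skb.data = skb.buf + room;          /* models skb_reserve(skb, room) */
    hdr = toy_push(&skb, dev->create_len);
    if (!hdr)
        return -1;
    memset(hdr, 0, dev->create_len);    /* the lower device writes its header */
    return 0;
}

int main(void)
{
    printf("gre, hard_header_len only: %d\n", toy_xmit(&toy_gre, 0));
    printf("gre, with needed_headroom: %d\n", toy_xmit(&toy_gre, 1));
    printf("eth, hard_header_len only: %d\n", toy_xmit(&toy_eth, 0));
    return 0;
}
```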