From mboxrd@z Thu Jan  1 00:00:00 1970
From: Stanislav Fomichev <sdf@fomichev.me>
Subject: Re: [PATCH net v2 2/2] tun: always set skb->dev to tun->dev
Date: Mon, 7 Jan 2019 14:37:21 -0800
Message-ID: <20190107223721.GD14250@mini-arch>
References: <20190107213839.83297-1-sdf@google.com>
 <20190107213839.83297-2-sdf@google.com>
 <CAF=yD-JLeqAM=LYQCpEry_NBFXDNphjcixGe0+sv0XUqtNCF7w@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Stanislav Fomichev <sdf@google.com>,
        Network Development <netdev@vger.kernel.org>,
        David Miller <davem@davemloft.net>,
        Jason Wang <jasowang@redhat.com>,
        Jesper Dangaard Brouer <brouer@redhat.com>,
        "Michael S. Tsirkin" <mst@redhat.com>,
        Eric Dumazet <edumazet@google.com>,
        syzbot <syzkaller@googlegroups.com>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Return-path: <netdev-owner@vger.kernel.org>
Received: from mail-pf1-f196.google.com ([209.85.210.196]:41523 "EHLO
        mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726668AbfAGWhY (ORCPT
        <rfc822;netdev@vger.kernel.org>); Mon, 7 Jan 2019 17:37:24 -0500
Received: by mail-pf1-f196.google.com with SMTP id b7so864602pfi.8
        for <netdev@vger.kernel.org>; Mon, 07 Jan 2019 14:37:23 -0800 (PST)
Content-Disposition: inline
In-Reply-To: <CAF=yD-JLeqAM=LYQCpEry_NBFXDNphjcixGe0+sv0XUqtNCF7w@mail.gmail.com>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

On 01/07, Willem de Bruijn wrote:
> On Mon, Jan 7, 2019 at 4:41 PM Stanislav Fomichev <sdf@google.com> wrote:
> >
> > While debugging previous issue I noticed that commit 90e33d459407 ("tun:
> > enable napi_gro_frags() for TUN/TAP driver") started conditionally
> > (!frags) calling eth_type_trans(skb, tun->dev) for IFF_TAP case. Since
> > eth_type_trans sets skb->dev, some skbs can now have NULL skb->dev.
> > Fix that by always setting skb->dev unconditionally.
> >
> > The syzbot fails with the following trace:
> > WARNING: CPU: 0 PID: 11136 at net/core/flow_dissector.c:764
> >  skb_flow_dissect_flow_keys_basic include/linux/skbuff.h:1240 [inline]
> >  skb_probe_transport_header include/linux/skbuff.h:2403 [inline]
> >  tun_get_user+0x2d4a/0x4250 drivers/net/tun.c:1906
> >  tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1993
> >  call_write_iter include/linux/fs.h:1808 [inline]
> >  new_sync_write fs/read_write.c:474 [inline]
> >
> > But I don't think there is an actual issue since we exercise flow
> > dissector via eth_get_headlen which doesn't use skb (and hence BPF flow
> > dissector).
> 
> Do you mean skb_probe_transport_header?
I was actually thinking about possible future conversion of
eth_get_headlen to be able to run bpf flow dissector, I missed the fact
that we already call dissector via skb_probe_transport_header :-(
> 
> if frags, tun_napi_alloc_frags will return napi->skb, which has
> skb->dev set by napi_reuse_skb.
> 
> I don't think this is needed.
Ah, indeed, napi_alloc_skb sets proper skb->dev.