From: Florian Westphal <fw@strlen.de>
To: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>,
syzbot <syzbot+99d15fcdb0132a1e1a82@syzkaller.appspotmail.com>,
davem@davemloft.net, dsahern@kernel.org, horms@kernel.org,
kuba@kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] WARNING in mpls_gso_segment
Date: Thu, 22 Feb 2024 13:23:24 +0100
Message-ID: <20240222122324.GB28098@breakpoint.cc>
In-Reply-To: <CANn89iK_D+v2J7Ftg1W6-zn7KSZajwWVzfetSdrBPM6f_Zg80A@mail.gmail.com>

Eric Dumazet <edumazet@google.com> wrote:
> I guess we should try this, or perhaps understand why
> skb->encapsulation might not be set,
> or why skb_inner_network_header(skb) is not set at this point.

syz repro injects data via packet socket, skb passed down stack
has ->protocol set to NSH (0x894f), gso type is SKB_GSO_UDP | SKB_GSO_DODGY.

This gets passed down to skb_mac_gso_segment(), which sees NSH as ptype
callback.

nsh_gso_segment() retrieves next type:

        proto = tun_p_to_eth_p(nsh_hdr(skb)->np);

... which is mpls (TUN_P_MPLS_UC), it then updates
skb->protocol. This calls back into skb_mac_gso_segment() which
sees MPLS as ptype callback, we then end up in mpls_gso_segment()
without any inner headers set (skb->encapsulation is not set,
inner header offsets are 0) and mpls_gso_segment() attempts to pull
negative header size off the skb.

I don't see anything that could be done earlier in the stack about this.

As far as I understand NSH assumes it's only called from openvswitch
and MPLS GSO code only via Openvswitch or mpls_iptunnel, but it's
reachable by other means.

But skb_mac_gso_segment() doesn't have any info on the originator
to know if it can call into nsh or mpls 'as intended'.

So I'd guess the best solution is to explicitly check for negative
header size, plus a comment that explains how this could happen.
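
Added example, not part of the original message and not kernel code: a userspace C model of the header-length arithmetic described above, with an explicit check for a negative header size. The struct pkt_model type, both function names and the sample offsets are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MPLS_HLEN 4 /* one MPLS label stack entry is 4 bytes */

/* Hypothetical stand-in for the sk_buff fields discussed in the message:
 * header positions are stored as offsets from the start of the buffer. */
struct pkt_model {
    uint16_t network_header;       /* offset of the MPLS label stack */
    uint16_t inner_network_header; /* offset of inner L3 header, 0 if never set */
    uint16_t len;                  /* bytes available in the buffer */
};

/* Returns the MPLS header length in bytes, or -1 if the offsets cannot
 * describe a valid label stack. The difference is kept signed so that an
 * unset inner offset shows up as a negative value instead of wrapping. */
int mpls_hlen_checked(const struct pkt_model *p)
{
    int hlen = (int)p->inner_network_header - (int)p->network_header;

    if (hlen <= 0)                         /* inner header unset or before outer */
        return -1;
    if (hlen % MPLS_HLEN)                  /* not a whole number of label entries */
        return -1;
    if (p->network_header + hlen > p->len) /* would pull past the data */
        return -1;
    return hlen;
}

/* The same difference as an unchecked caller would pass it to a pull
 * routine that takes an unsigned length. */
unsigned int mpls_hlen_unchecked(const struct pkt_model *p)
{
    return (unsigned int)((int)p->inner_network_header - (int)p->network_header);
}

int main(void)
{
    /* Constructed samples, not taken from the syzbot reproducer. */
    struct pkt_model tunnel   = { .network_header = 14, .inner_network_header = 22, .len = 100 };
    struct pkt_model injected = { .network_header = 22, .inner_network_header = 0,  .len = 100 };

    printf("tunnel:   checked=%d\n", mpls_hlen_checked(&tunnel));
    printf("injected: checked=%d unchecked=%u\n",
           mpls_hlen_checked(&injected), mpls_hlen_unchecked(&injected));
    return 0;
}
```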