| Message ID | f8c2784c13faa54469a2aac339470b1049ca6b63.1604102750.git.gnault@redhat.com |
|---|---|
| State | Accepted |
| Delegated to: | David Miller |
| Headers | show |
| Series | [net-next] mpls: drop skb's dst in mpls_forward() | expand |
| Context | Check | Description |
|---|---|---|
| jkicinski/cover_letter | success | Link |
| jkicinski/fixes_present | success | Link |
| jkicinski/patch_count | success | Link |
| jkicinski/tree_selection | success | Clearly marked for net-next |
| jkicinski/subject_prefix | success | Link |
| jkicinski/source_inline | success | Was 0 now: 0 |
| jkicinski/verify_signedoff | success | Link |
| jkicinski/module_param | success | Was 0 now: 0 |
| jkicinski/build_32bit | success | Errors and warnings before: 4841 this patch: 4841 |
| jkicinski/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| jkicinski/verify_fixes | success | Link |
| jkicinski/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 27 lines checked |
| jkicinski/build_allmodconfig_warn | success | Errors and warnings before: 5165 this patch: 5165 |
| jkicinski/header_inline | success | Link |
| jkicinski/stable | success | Stable not CCed |
On Sat, 31 Oct 2020 01:07:25 +0100 Guillaume Nault wrote: > Commit 394de110a733 ("net: Added pointer check for > dst->ops->neigh_lookup in dst_neigh_lookup_skb") added a test in > dst_neigh_lookup_skb() to avoid a NULL pointer dereference. The root > cause was the MPLS forwarding code, which doesn't call skb_dst_drop() > on incoming packets. That is, if the packet is received from a > collect_md device, it has a metadata_dst attached to it that doesn't > implement any dst_ops function. > > To align the MPLS behaviour with IPv4 and IPv6, let's drop the dst in > mpls_forward(). This way, dst_neigh_lookup_skb() doesn't need to test > ->neigh_lookup any more. Let's keep a WARN condition though, to > document the precondition and to ease detection of such problems in the > future. > > Signed-off-by: Guillaume Nault <gnault@redhat.com> Applied, thanks!
diff --git a/include/net/dst.h b/include/net/dst.h index 8ea8812b0b41..10f0a8399867 100644 --- a/include/net/dst.h +++ b/include/net/dst.h @@ -400,14 +400,12 @@ static inline struct neighbour *dst_neigh_lookup(const struct dst_entry *dst, co static inline struct neighbour *dst_neigh_lookup_skb(const struct dst_entry *dst, struct sk_buff *skb) { - struct neighbour *n = NULL; + struct neighbour *n; - /* The packets from tunnel devices (eg bareudp) may have only - * metadata in the dst pointer of skb. Hence a pointer check of - * neigh_lookup is needed. - */ - if (dst->ops->neigh_lookup) - n = dst->ops->neigh_lookup(dst, skb, NULL); + if (WARN_ON_ONCE(!dst->ops->neigh_lookup)) + return NULL; + + n = dst->ops->neigh_lookup(dst, skb, NULL); return IS_ERR(n) ? NULL : n; } diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c index f2868a8a50c3..47bab701555f 100644 --- a/net/mpls/af_mpls.c +++ b/net/mpls/af_mpls.c @@ -377,6 +377,8 @@ static int mpls_forward(struct sk_buff *skb, struct net_device *dev, if (!pskb_may_pull(skb, sizeof(*hdr))) goto err; + skb_dst_drop(skb); + /* Read and decode the label */ hdr = mpls_hdr(skb); dec = mpls_entry_decode(hdr);
Commit 394de110a733 ("net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb") added a test in dst_neigh_lookup_skb() to avoid a NULL pointer dereference. The root cause was the MPLS forwarding code, which doesn't call skb_dst_drop() on incoming packets. That is, if the packet is received from a collect_md device, it has a metadata_dst attached to it that doesn't implement any dst_ops function. To align the MPLS behaviour with IPv4 and IPv6, let's drop the dst in mpls_forward(). This way, dst_neigh_lookup_skb() doesn't need to test ->neigh_lookup any more. Let's keep a WARN condition though, to document the precondition and to ease detection of such problems in the future. Signed-off-by: Guillaume Nault <gnault@redhat.com> --- include/net/dst.h | 12 +++++------- net/mpls/af_mpls.c | 2 ++ 2 files changed, 7 insertions(+), 7 deletions(-)