Re: [PATCH net] net: 802: reset skb->transport_header

From: Antonio Pastor
Date: Thu Jan 02 2025 - 19:19:16 EST

Next message: syzbot: "Re: [syzbot] [io-uring?] KMSAN: uninit-value in io_recv"
Previous message: Paul E. McKenney: "Re: watchdog: BUG: soft lockup in note_gp_changes in kernel/rcu/tree.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sorry, this patch is wrong, it does not fix the potential issue yet.

No worries! Thanks for your patience with this. Much appreciated.

Note how skb_transport_header(skb) is used in
find_snap_client(skb_transport_header(skb));

I've spent so much time trying to figure out why the offset is wrong I lost sight that the core issue is that it is being used to begin with. Paolo Abeni hinted at that too.

The proper way to fix the issue is to not rely on the transport header
at all, only reset it after pulling the network header.

diff --git a/net/802/psnap.c b/net/802/psnap.c
index fca9d454905fe37d6b838f0f00b3a16767e44e74..389df460c8c4b92f9ec6198247db0ba15bfb8f2e
100644
--- a/net/802/psnap.c
+++ b/net/802/psnap.c
@@ -55,11 +55,11 @@ static int snap_rcv(struct sk_buff *skb, struct
net_device *dev,
goto drop;

rcu_read_lock();
- proto = find_snap_client(skb_transport_header(skb));
+ proto = find_snap_client(skb->data);
if (proto) {
/* Pass the frame on. */
- skb->transport_header += 5;
skb_pull_rcsum(skb, 5);
+ skb_reset_transport_header(skb);
rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
}
rcu_read_unlock();

Will send V2.

Next message: syzbot: "Re: [syzbot] [io-uring?] KMSAN: uninit-value in io_recv"
Previous message: Paul E. McKenney: "Re: watchdog: BUG: soft lockup in note_gp_changes in kernel/rcu/tree.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]