Re: [PATCH net v2] amt: don't read the IP source address from a reallocated skb header

From: Taehee Yoo

Date: Mon Jun 22 2026 - 04:59:26 EST


On Mon, Jun 22, 2026 at 7:00 AM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
>
> On Wed, 17 Jun 2026 08:34:43 -0400 Michael Bommarito wrote:
> > amt_update_handler() caches iph = ip_hdr(skb) and then calls
> > pskb_may_pull(). pskb_may_pull() can reallocate the skb head: the new
> > head is allocated and the old one is freed. The cached iph is not
> > refreshed, so the following tunnel lookup reads iph->saddr from the
> > freed head. On an AMT relay this lookup runs for every incoming
> > membership update, before the update's nonce and response MAC are
> > validated.
> >
> > The sibling handlers amt_multicast_data_handler() and
> > amt_membership_query_handler() re-read ip_hdr() after the pull and are
> > not affected; only amt_update_handler() keeps the pre-pull pointer.
>
> Sashiko points out a bunch more of these in AMT:
> https://sashiko.dev/#/patchset/20260617123443.3586930-1-michael.bommarito@xxxxxxxxx
> https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260617123443.3586930-1-michael.bommarito@xxxxxxxxx
>
> Let's fix them all with one patch?

Agreed.
Michael, could you please fix the remaining ones Sashiko flagged?

Thanks a lot!
Taehee Yoo

> --
> pw-bot: cr
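The bug class under discussion (a header pointer cached before a pull that may reallocate the skb head) can be shown outside the kernel. The following C program is an added illustration, not code from the kernel, the AMT driver, or Michael's patch: `toy_skb`, `toy_iphdr`, `toy_ip_hdr()` and `toy_pskb_may_pull()` are hypothetical stand-ins for `struct sk_buff`, `struct iphdr`, `ip_hdr()` and `pskb_may_pull()`. The pull model always reallocates when it has to copy data in, the stale pointer is never dereferenced (its address is recorded beforehand and compared afterwards), and the packet bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for struct iphdr and a linear-only sk_buff. */
struct toy_iphdr {
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
};

struct toy_skb {
    unsigned char *head;     /* start of the linear area */
    size_t len;              /* bytes currently linear */
    size_t network_offset;   /* offset of the IP header inside head */
};

static struct toy_iphdr *toy_ip_hdr(const struct toy_skb *skb)
{
    return (struct toy_iphdr *)(skb->head + skb->network_offset);
}

/* Model of pskb_may_pull(): succeeds at once if enough bytes are already
 * linear; otherwise copies `frag` in after the linear data, which here
 * means a new head is allocated, filled, and the old one freed. The new
 * head is allocated before the old is freed, so the addresses differ.
 * Returns 1 on success, 0 on failure (skb untouched on failure). */
static int toy_pskb_may_pull(struct toy_skb *skb, size_t needed,
                             const unsigned char *frag, size_t frag_len)
{
    unsigned char *new_head;

    if (needed <= skb->len)
        return 1;
    if (needed > skb->len + frag_len)
        return 0;
    new_head = malloc(skb->len + frag_len);
    if (!new_head)
        return 0;
    memcpy(new_head, skb->head, skb->len);
    memcpy(new_head + skb->len, frag, frag_len);
    free(skb->head);             /* any cached iph now points into freed memory */
    skb->head = new_head;
    skb->len += frag_len;
    return 1;
}

/* The pattern the patch removes: iph taken before the pull. Instead of
 * dereferencing the stale pointer, record its address first and report
 * whether it still matches the live header (1 = stale, 0 = still valid,
 * -1 = pull failed). */
static int cached_iph_is_stale(struct toy_skb *skb, size_t needed,
                               const unsigned char *frag, size_t frag_len)
{
    uintptr_t cached = (uintptr_t)toy_ip_hdr(skb);   /* iph = ip_hdr(skb) */

    if (!toy_pskb_may_pull(skb, needed, frag, frag_len))
        return -1;
    return cached != (uintptr_t)toy_ip_hdr(skb);
}

/* The corrected shape used by the sibling handlers: read ip_hdr() only
 * after the pull succeeded. Returns saddr, or 0 if the pull failed. */
static uint32_t saddr_after_pull(struct toy_skb *skb, size_t needed,
                                 const unsigned char *frag, size_t frag_len)
{
    if (!toy_pskb_may_pull(skb, needed, frag, frag_len))
        return 0;
    return toy_ip_hdr(skb)->saddr;
}

/* Constructed packet: a 20-byte IPv4 header with the given saddr is the
 * only linear data. Caller frees skb->head. Returns 1 on success. */
static int toy_skb_init(struct toy_skb *skb, uint32_t saddr)
{
    skb->head = calloc(1, sizeof(struct toy_iphdr));
    if (!skb->head)
        return 0;
    skb->len = sizeof(struct toy_iphdr);
    skb->network_offset = 0;
    toy_ip_hdr(skb)->ver_ihl = 0x45;
    toy_ip_hdr(skb)->saddr = saddr;
    return 1;
}

int main(void)
{
    static const unsigned char amt[8] = { 0x05 };   /* constructed AMT bytes */
    size_t need = sizeof(struct toy_iphdr) + sizeof(amt);
    struct toy_skb skb;
    int stale;
    uint32_t saddr;

    if (!toy_skb_init(&skb, 0x0a000001u))
        return 1;
    stale = cached_iph_is_stale(&skb, need, amt, sizeof(amt));
    free(skb.head);
    if (!toy_skb_init(&skb, 0x0a000001u))
        return 1;
    saddr = saddr_after_pull(&skb, need, amt, sizeof(amt));
    free(skb.head);
    printf("cached iph stale after pull: %d, saddr read after pull: 0x%08x\n",
           stale, saddr);
    return 0;
}
```

The address comparison is what makes the case observable without touching freed memory; in the kernel the equivalent read is what KASAN reports as a use-after-free in the path the patch describes. The same model also shows why the sibling handlers are fine: when the needed bytes are already linear, no reallocation happens and the cached pointer stays valid, which is exactly why the bug only appears on packets that need pulling.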