From patchwork Tue Jul 3 08:30:47 2018
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 938502
X-Patchwork-Delegate: davem@davemloft.net
From: Xin Long
To: network dev, linux-sctp@vger.kernel.org
Cc: davem@davemloft.net, Marcelo Ricardo Leitner, Neil Horman, syzkaller@googlegroups.com
Subject: [PATCHv2 net] sctp: fix the issue that pathmtu may be set lower than MINSEGMENT
Date: Tue, 3 Jul 2018 16:30:47 +0800
Message-Id: <0ebc621b57952699c67c558dde3ce61b784e3f74.1530606647.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

After commit b6c5734db070 ("sctp: fix the handling of ICMP Frag Needed for too small MTUs"), sctp_transport_update_pmtu would refetch pathmtu from the dst and set it to transport's pathmtu without any check.

The new pathmtu may be lower than MINSEGMENT if the dst is obsolete and updated by .get_dst() in sctp_transport_update_pmtu. In this case, it could have a smaller MTU as well, and thus we should validate it against MINSEGMENT instead.

Syzbot reported a warning in sctp_mtu_payload caused by this.

This patch refetches the pathmtu by calling sctp_dst_mtu where it does the check against MINSEGMENT.

v1->v2:
  - refetch the pathmtu by calling sctp_dst_mtu instead as Marcelo's suggestion.

Fixes: b6c5734db070 ("sctp: fix the handling of ICMP Frag Needed for too small MTUs")
Reported-by: syzbot+f0d9d7cba052f9344b03@syzkaller.appspotmail.com
Suggested-by: Marcelo Ricardo Leitner
Signed-off-by: Xin Long
Acked-by: Marcelo Ricardo Leitner
Acked-by: Neil Horman

--- net/sctp/transport.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/transport.c b/net/sctp/transport.c index 445b7ef..12cac85 100644 --- a/net/sctp/transport.c +++ b/net/sctp/transport.c @@ -282,7 +282,7 @@ bool sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu) if (dst) { /* Re-fetch, as under layers may have a higher minimum size */ - pmtu = SCTP_TRUNC4(dst_mtu(dst)); + pmtu = sctp_dst_mtu(dst); change = t->pathmtu != pmtu; } t->pathmtu = pmtu;
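
Review bot: In the `if (dst)` branch, the new `pmtu = sctp_dst_mtu(dst);` drops the explicit `SCTP_TRUNC4()` that the old line applied, while the changelog only says that sctp_dst_mtu does the MINSEGMENT check; please state in the commit message that the helper also keeps the 4-byte truncation, so a reader of this hunk does not have to look it up. The comment above the assignment still only mentions a higher minimum size from the lower layers; consider extending it to say the refetched value is checked against MINSEGMENT, since that is the case this fix is for. Also, when `dst` is NULL the caller's `pmtu` reaches `t->pathmtu = pmtu;` unchanged in the visible lines, so it is worth confirming that this path is already validated earlier in the function.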