Message ID | 20130807155918.GA16263@orbit.nwl.cc |
---|---|
State | Rejected, archived |
Delegated to: | David Miller |
Headers | show |
On Wed, 2013-08-07 at 17:59 +0200, Phil Sutter wrote: > The idea behind this patch is that users setting the protocol to > something else probably do know better and so should be left alone. Regardless of that, I think that still the skb pointers would be changed by this patch which would confuse the receiver of the SKB (device driver), no? Has anyone verified that theory? :) johannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, 2013-08-07 at 18:12 +0200, Johannes Berg wrote: > On Wed, 2013-08-07 at 17:59 +0200, Phil Sutter wrote: > > > The idea behind this patch is that users setting the protocol to > > something else probably do know better and so should be left alone. > > Regardless of that, I think that still the skb pointers would be changed > by this patch which would confuse the receiver of the SKB (device > driver), no? Has anyone verified that theory? :) Maybe receivers made wrong assumptions about some headers being set or not set ? A patch can uncover prior bugs. commit 76fe45812a3b134c3917 is an example of a fix we had to do because of another fix ;) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, 2013-08-07 at 09:17 -0700, Eric Dumazet wrote: > On Wed, 2013-08-07 at 18:12 +0200, Johannes Berg wrote: > > On Wed, 2013-08-07 at 17:59 +0200, Phil Sutter wrote: > > > > > The idea behind this patch is that users setting the protocol to > > > something else probably do know better and so should be left alone. > > > > Regardless of that, I think that still the skb pointers would be changed > > by this patch which would confuse the receiver of the SKB (device > > driver), no? Has anyone verified that theory? :) > > Maybe receivers made wrong assumptions about some headers being set or > not set ? Maybe. I haven't tested it, but I'm thinking that skb->data doesn't point to the start of the data frame in this case, since we now call eth_type_trans() which pulls the ethernet header. So if the device just transmits skb->len starting from skb->data, it'll be wrong, no? That seems a basic assumption though. johannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, 2013-08-07 at 18:22 +0200, Johannes Berg wrote: > Maybe. I haven't tested it, but I'm thinking that skb->data doesn't > point to the start of the data frame in this case, since we now call > eth_type_trans() which pulls the ethernet header. So if the device just > transmits skb->len starting from skb->data, it'll be wrong, no? That > seems a basic assumption though. Yes, it seems calling eth_type_trans() is not right here, and even could crash. Sorry, for being vague, I am a bit busy this morning. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Eric Dumazet <eric.dumazet@gmail.com> Date: Wed, 07 Aug 2013 09:40:09 -0700 > On Wed, 2013-08-07 at 18:22 +0200, Johannes Berg wrote: > >> Maybe. I haven't tested it, but I'm thinking that skb->data doesn't >> point to the start of the data frame in this case, since we now call >> eth_type_trans() which pulls the ethernet header. So if the device just >> transmits skb->len starting from skb->data, it'll be wrong, no? That >> seems a basic assumption though. > > Yes, it seems calling eth_type_trans() is not right here, and even could > crash. > > Sorry, for being vague, I am a bit busy this morning. Yes, this is absolutely the core problem, you absolute cannot call eth_type_trans() on the output path, it pulls off the ethernet header from the packet. That can't possibly work. I want a real fix submitted formally for this problem immediately, or else I'm reverting all of these changes this afternoon. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Aug 07, 2013 at 10:47:13AM -0700, David Miller wrote: > From: Eric Dumazet <eric.dumazet@gmail.com> > Date: Wed, 07 Aug 2013 09:40:09 -0700 > > > On Wed, 2013-08-07 at 18:22 +0200, Johannes Berg wrote: > > > >> Maybe. I haven't tested it, but I'm thinking that skb->data doesn't > >> point to the start of the data frame in this case, since we now call > >> eth_type_trans() which pulls the ethernet header. So if the device just > >> transmits skb->len starting from skb->data, it'll be wrong, no? That > >> seems a basic assumption though. > > > > Yes, it seems calling eth_type_trans() is not right here, and even could > > crash. > > > > Sorry, for being vague, I am a bit busy this morning. > > Yes, this is absolutely the core problem, you absolute cannot > call eth_type_trans() on the output path, it pulls off the > ethernet header from the packet. That can't possibly work. > > I want a real fix submitted formally for this problem immediately, > or else I'm reverting all of these changes this afternoon. One could simply call skb_push(skb, ETH_HLEN) right after calling eth_type_trans(skb, dev) in order to undo the 'data' and 'len' adjustment. Not sure if this kind of hack is the right way to go here, or if the whole af_packet parses ethernet header discussion should be opened again instead. Best wishes, Phil -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Phil Sutter <phil@nwl.cc> Date: Wed, 7 Aug 2013 20:37:58 +0200 > One could simply call skb_push(skb, ETH_HLEN) right after calling > eth_type_trans(skb, dev) in order to undo the 'data' and 'len' > adjustment. Not sure if this kind of hack is the right way to go here, > or if the whole af_packet parses ethernet header discussion should be > opened again instead. That's completely pointless work. Without that header pull, the only two things left that eth_type_trans() does is set the skb->protocol field and set skb->dev. And even the latter has to be done already in an else branch in the suspect AF_PACKET code. So this eth_type_trans() call is 2/3 duplicate or unnecessary work, it's the completely the wrong thing to do. Look, I'm going to fix this myself, because I'm pretty tired of waiting for the obvious fix. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index bbe1ece..66bc79c 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -1932,8 +1932,6 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, ph.raw = frame; - skb->protocol = proto; - skb->dev = dev; skb->priority = po->sk.sk_priority; skb->mark = po->sk.sk_mark; sock_tx_timestamp(&po->sk, &skb_shinfo(skb)->tx_flags); @@ -2002,13 +2000,18 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb, if (unlikely(err)) return err; - if (dev->type == ARPHRD_ETHER) - skb->protocol = eth_type_trans(skb, dev); - data += dev->hard_header_len; to_write -= dev->hard_header_len; } + if (dev->type == ARPHRD_ETHER && + proto = htons(ETH_P_ALL)) { + skb->protocol = eth_type_trans(skb, dev); + } else { + skb->protocol = proto; + skb->dev = dev; + } + max_frame_len = dev->mtu + dev->hard_header_len; if (skb->protocol == htons(ETH_P_8021Q)) max_frame_len += VLAN_HLEN; @@ -2331,15 +2334,17 @@ static int packet_snd(struct socket *sock, sock_tx_timestamp(sk, &skb_shinfo(skb)->tx_flags); - if (dev->type == ARPHRD_ETHER) { + if (dev->type == ARPHRD_ETHER && + proto == htons(ETH_P_ALL)) { skb->protocol = eth_type_trans(skb, dev); - if (skb->protocol == htons(ETH_P_8021Q)) - reserve += VLAN_HLEN; } else { skb->protocol = proto; skb->dev = dev; } + if (skb->protocol == htons(ETH_P_8021Q)) + reserve += VLAN_HLEN; + if (!gso_type && (len > dev->mtu + reserve + extra_len)) { err = -EMSGSIZE; goto out_free;