2008-06-29 19:48:27

by Krzysztof Halasa

Subject: [PATCH] Add missing skb->dev assignment in Frame Relay RX code

Hi,

Commit 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 ([ETH]: Make
eth_type_trans set skb->dev like the other *_type_trans) removed
skb->dev assignment from hdlc_fr.c:fr_rx(). Unfortunately it was also
needed for cases other than eth_type_trans().

Adding it back.

It's quite serious and may be a security risk as it causes a wrong
input interface indication (the physical hdlcX instead of logical
pvcX). Probably -stable class fix.

Signed-off-by: Krzysztof Halasa <[email protected]>

diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c
index c4ab032..3a86e64 100644
--- a/drivers/net/wan/hdlc_fr.c
+++ b/drivers/net/wan/hdlc_fr.c
@@ -1008,6 +1008,7 @@ static int fr_rx(struct sk_buff *skb)
stats->rx_bytes += skb->len;
if (pvc->state.becn)
stats->rx_compressed++;
+ skb->dev = dev;
netif_rx(skb);
return NET_RX_SUCCESS;
} else {
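
Review bot: the added `skb->dev = dev;` just before `netif_rx(skb)` has no comment, and the commit message says this same assignment was already removed once by the cited commit, as if it were needed only for eth_type_trans(). A one-line comment above it, saying that skb->dev must move from the physical hdlcX device to the logical pvcX device for every protocol handled here, would keep a later cleanup from dropping it again.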


2008-06-29 20:04:42

by Stephen Hemminger

Subject: Re: [PATCH] Add missing skb->dev assignment in Frame Relay RX code

On Sun, 29 Jun 2008 21:48:11 +0200
Krzysztof Halasa <[email protected]> wrote:

> Hi,
>
> Commit 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 ([ETH]: Make
> eth_type_trans set skb->dev like the other *_type_trans) removed
> skb->dev assignment from hdlc_fr.c:fr_rx(). Unfortunately it was also
> needed for cases other than eth_type_trans().
>
> Adding it back.
>
> It's quite serious and may be a security risk as it causes a wrong
> input interface indication (the physical hdlcX instead of logical
> pvcX). Probably -stable class fix.
>
> Signed-off-by: Krzysztof Halasa <[email protected]>
>
> diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c
> index c4ab032..3a86e64 100644
> --- a/drivers/net/wan/hdlc_fr.c
> +++ b/drivers/net/wan/hdlc_fr.c
> @@ -1008,6 +1008,7 @@ static int fr_rx(struct sk_buff *skb)
> stats->rx_bytes += skb->len;
> if (pvc->state.becn)
> stats->rx_compressed++;
> + skb->dev = dev;
> netif_rx(skb);
> return NET_RX_SUCCESS;
> } else {

Better to use netdev_alloc_skb for receive buffers instead.
--- a/drivers/net/wan/hdlc_fr.c 2008-06-29 13:02:42.000000000 -0700
+++ b/drivers/net/wan/hdlc_fr.c 2008-06-29 13:04:01.000000000 -0700
@@ -515,7 +515,7 @@ static void fr_lmi_send(struct net_devic
}
}

- skb = dev_alloc_skb(len);
+ skb = netdev_alloc_skb(dev, len);
if (!skb) {
printk(KERN_WARNING "%s: Memory squeeze on fr_lmi_send()\n",
dev->name);
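
Review bot: the allocation changed here is in fr_lmi_send() (per the hunk header and the printk text), not in the receive path that the line introducing the patch refers to, so it does not touch the skb that fr_rx() passes to netif_rx(). If the switch to `netdev_alloc_skb(dev, len)` is wanted, it reads as a separate change and needs its own description and Signed-off-by.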

2008-06-29 21:10:28

by Krzysztof Halasa

Subject: Re: [PATCH] Add missing skb->dev assignment in Frame Relay RX code

Stephen Hemminger <[email protected]> writes:

>> --- a/drivers/net/wan/hdlc_fr.c
>> +++ b/drivers/net/wan/hdlc_fr.c
>> @@ -1008,6 +1008,7 @@ static int fr_rx(struct sk_buff *skb)
>> stats->rx_bytes += skb->len;
>> if (pvc->state.becn)
>> stats->rx_compressed++;
>> + skb->dev = dev;
>> netif_rx(skb);
>> return NET_RX_SUCCESS;
>> } else {
>
> Better to use netdev_alloc_skb for receive buffers instead.
> --- a/drivers/net/wan/hdlc_fr.c 2008-06-29 13:02:42.000000000 -0700
> +++ b/drivers/net/wan/hdlc_fr.c 2008-06-29 13:04:01.000000000 -0700
> @@ -515,7 +515,7 @@ static void fr_lmi_send(struct net_devic
> }
> }
>
> - skb = dev_alloc_skb(len);
> + skb = netdev_alloc_skb(dev, len);
> if (!skb) {
> printk(KERN_WARNING "%s: Memory squeeze on fr_lmi_send()\n",
> dev->name);

Well, no, that's another story - the missing assignment is in fr_rx(),
in the regular receive path (similar to 802.1q case, ethX ->
ethX.VLAN_ID transition). I.e., we get incoming packet from a hardware
driver, with skb->dev pointing to hardware hdlcX device, and we change
it to point to a logical pvcX device.

fr_lmi_send() is for control messages (generated locally) only, in TX
path. IOW we alloc skb and send it through hw driver immediately. Not
related to the bug.

That said, perhaps I should indeed use netdev_alloc_skb() for those
control messages? Or is it RX-only?
--
Krzysztof Halasa
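
The hdlcX -> pvcX reassignment described in the message above, as an added example that is not part of the thread or of the kernel source: a userspace C model of the demux step and of a per-interface input policy. All type names, device names, DLCI values and the policy itself are constructed for illustration, and the assumption that policy is keyed on the input interface name is this example's, not the thread's.

```c
/* Userspace model only; nothing here is kernel code. Names are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

struct net_device { const char *name; };
struct sk_buff { struct net_device *dev; unsigned dlci; };
struct pvc { unsigned dlci; struct net_device dev; };

static struct net_device hdlc0 = { "hdlc0" };              /* physical device */
static struct pvc pvcs[] = { { 16, { "pvc0" } }, { 17, { "pvc1" } } };

/* Demux step: find the logical device for the frame's DLCI.
 * reassign=0 models the regression, reassign=1 the receive path with the fix.
 * Returns the input interface name the upper layers would see. */
static const char *fr_rx_model(struct sk_buff *skb, int reassign)
{
    for (size_t i = 0; i < sizeof(pvcs) / sizeof(pvcs[0]); i++) {
        if (pvcs[i].dlci == skb->dlci) {
            if (reassign)
                skb->dev = &pvcs[i].dev;   /* hdlcX -> pvcX */
            return skb->dev->name;
        }
    }
    return NULL;                            /* unknown DLCI: frame dropped */
}

/* Constructed policy: drop input from pvc1, accept everything else. */
static int policy_accepts(const char *in_if)
{
    if (in_if == NULL)
        return 0;
    return strcmp(in_if, "pvc1") != 0;
}

/* One frame arrives on the hardware device and goes through demux + policy. */
static int deliver(unsigned dlci, int reassign)
{
    struct sk_buff skb = { &hdlc0, dlci };
    return policy_accepts(fr_rx_model(&skb, reassign));
}

int main(void)
{
    printf("DLCI 17, dev reassigned:     accepted=%d\n", deliver(17, 1));
    printf("DLCI 17, dev left as hdlc0:  accepted=%d\n", deliver(17, 0));
    printf("DLCI 16, dev reassigned:     accepted=%d\n", deliver(16, 1));
    return 0;
}
```

In the model, the rule written against pvc1 stops matching once the frame still carries hdlc0 as its input device, which is the wrong input interface indication the patch description refers to.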

2008-06-30 17:20:05

by Stephen Hemminger

Subject: Re: [PATCH] Add missing skb->dev assignment in Frame Relay RX code

On Sun, 29 Jun 2008 23:10:11 +0200
Krzysztof Halasa <[email protected]> wrote:

> Stephen Hemminger <[email protected]> writes:
>
> >> --- a/drivers/net/wan/hdlc_fr.c
> >> +++ b/drivers/net/wan/hdlc_fr.c
> >> @@ -1008,6 +1008,7 @@ static int fr_rx(struct sk_buff *skb)
> >> stats->rx_bytes += skb->len;
> >> if (pvc->state.becn)
> >> stats->rx_compressed++;
> >> + skb->dev = dev;
> >> netif_rx(skb);
> >> return NET_RX_SUCCESS;
> >> } else {
> >
> > Better to use netdev_alloc_skb for receive buffers instead.
> > --- a/drivers/net/wan/hdlc_fr.c 2008-06-29 13:02:42.000000000 -0700
> > +++ b/drivers/net/wan/hdlc_fr.c 2008-06-29 13:04:01.000000000 -0700
> > @@ -515,7 +515,7 @@ static void fr_lmi_send(struct net_devic
> > }
> > }
> >
> > - skb = dev_alloc_skb(len);
> > + skb = netdev_alloc_skb(dev, len);
> > if (!skb) {
> > printk(KERN_WARNING "%s: Memory squeeze on fr_lmi_send()\n",
> > dev->name);
>
> Well, no, that's another story - the missing assignment is in fr_rx(),
> in the regular receive path (similar to 802.1q case, ethX ->
> ethX.VLAN_ID transition). I.e., we get incoming packet from a hardware
> driver, with skb->dev pointing to hardware hdlcX device, and we change
> it to point to a logical pvcX device.
>
> fr_lmi_send() is for control messages (generated locally) only, in TX
> path. IOW we alloc skb and send it through hw driver immediately. Not
> related to the bug.
>
> That said, perhaps I should indeed use netdev_alloc_skb() for those
> control messages? Or is it RX-only?

netdev_alloc_skb does two things:
1) it sets skb->dev
2) on some platforms it can choose memory "closer" to the device.
but this is really a NUMA issue

2008-06-30 18:12:52

by Krzysztof Halasa

Subject: Re: [PATCH] Add missing skb->dev assignment in Frame Relay RX code

Stephen Hemminger <[email protected]> writes:

> netdev_alloc_skb does two things:
> 1) it sets skb->dev
> 2) on some platforms it can choose memory "closer" to the device.
> but this is really a NUMA issue

I see. It looks like I should use it for sending control messages
then. Thanks.
--
Krzysztof Halasa

2008-07-04 12:14:21

by Jeff Garzik

Subject: Re: [PATCH] Add missing skb->dev assignment in Frame Relay RX code

Krzysztof Halasa wrote:
> Hi,
>
> Commit 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 ([ETH]: Make
> eth_type_trans set skb->dev like the other *_type_trans) removed
> skb->dev assignment from hdlc_fr.c:fr_rx(). Unfortunately it was also
> needed for cases other than eth_type_trans().
>
> Adding it back.
>
> It's quite serious and may be a security risk as it causes a wrong
> input interface indication (the physical hdlcX instead of logical
> pvcX). Probably -stable class fix.
>
> Signed-off-by: Krzysztof Halasa <[email protected]>
>
> diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c
> index c4ab032..3a86e64 100644
> --- a/drivers/net/wan/hdlc_fr.c
> +++ b/drivers/net/wan/hdlc_fr.c
> @@ -1008,6 +1008,7 @@ static int fr_rx(struct sk_buff *skb)
> stats->rx_bytes += skb->len;
> if (pvc->state.becn)
> stats->rx_compressed++;
> + skb->dev = dev;
> netif_rx(skb);
> return NET_RX_SUCCESS;
> } else {

applied

2008-07-04 12:39:35

by Krzysztof Halasa

Subject: Re: [PATCH] Add missing skb->dev assignment in Frame Relay RX code

Jeff Garzik <[email protected]> writes:

>> Commit 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 ([ETH]: Make
>> eth_type_trans set skb->dev like the other *_type_trans) removed
>> skb->dev assignment from hdlc_fr.c:fr_rx(). Unfortunately it was also
>> needed for cases other than eth_type_trans().
>>
>> Adding it back.

> applied

Thanks.
--
Krzysztof Halasa