2022-11-29 14:48:31

by Artem Chernyshev

[permalink] [raw]
Subject: [PATCH] net: dsa: ksz: Check proper trim in ksz_common_rcv()

Return NULL if we got unexpected value from skb_trim_rcsum()

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: bafe9ba7d908 ("net: dsa: ksz: Factor out common tag code")
Signed-off-by: Artem Chernyshev <[email protected]>
---
net/dsa/tag_ksz.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c
index 38fa19c1e2d5..429250298ac4 100644
--- a/net/dsa/tag_ksz.c
+++ b/net/dsa/tag_ksz.c
@@ -21,7 +21,8 @@ static struct sk_buff *ksz_common_rcv(struct sk_buff *skb,
if (!skb->dev)
return NULL;

- pskb_trim_rcsum(skb, skb->len - len);
+ if (pskb_trim_rcsum(skb, skb->len - len))
+ return NULL;

dsa_default_offload_fwd_mark(skb);

--
2.30.3


2022-11-29 17:44:12

by Vladimir Oltean

[permalink] [raw]
Subject: Re: [PATCH] net: dsa: ksz: Check proper trim in ksz_common_rcv()

Hi Artyom,

On Tue, Nov 29, 2022 at 05:08:09PM +0300, Artem Chernyshev wrote:
> Return NULL if we got unexpected value from skb_trim_rcsum()
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: bafe9ba7d908 ("net: dsa: ksz: Factor out common tag code")
> Signed-off-by: Artem Chernyshev <[email protected]>
> ---

Reviewed-by: Vladimir Oltean <[email protected]>

It looks like the same pattern exists in tag_hellcreek.c and in
tag_sja1105.c. Do you intend to patch those as well?

> net/dsa/tag_ksz.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c
> index 38fa19c1e2d5..429250298ac4 100644
> --- a/net/dsa/tag_ksz.c
> +++ b/net/dsa/tag_ksz.c
> @@ -21,7 +21,8 @@ static struct sk_buff *ksz_common_rcv(struct sk_buff *skb,
> if (!skb->dev)
> return NULL;
>
> - pskb_trim_rcsum(skb, skb->len - len);
> + if (pskb_trim_rcsum(skb, skb->len - len))
> + return NULL;
>
> dsa_default_offload_fwd_mark(skb);
>
> --
> 2.30.3
>

2022-11-29 20:19:31

by Artem Chernyshev

[permalink] [raw]
Subject: [PATCH v2] net: dsa: Check return value from skb_trim_rcsum()

Return NULL if we got unexpected value from skb_trim_rcsum()

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 01ef09caad66 ("net: dsa: Add tag handling for Hirschmann Hellcreek switches")
Fixes: bafe9ba7d908 ("net: dsa: ksz: Factor out common tag code")
Fixes: 4913b8ebf8a9 ("net: dsa: add support for the SJA1110 native tagging protocol")
Signed-off-by: Artem Chernyshev <[email protected]>
---
V1->V2 Fixes for tag_hellcreek.c and tag_sja1105.c

net/dsa/tag_hellcreek.c | 3 ++-
net/dsa/tag_ksz.c | 3 ++-
net/dsa/tag_sja1105.c | 3 ++-
3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/dsa/tag_hellcreek.c b/net/dsa/tag_hellcreek.c
index 846588c0070a..53a206d11685 100644
--- a/net/dsa/tag_hellcreek.c
+++ b/net/dsa/tag_hellcreek.c
@@ -49,7 +49,8 @@ static struct sk_buff *hellcreek_rcv(struct sk_buff *skb,
return NULL;
}

- pskb_trim_rcsum(skb, skb->len - HELLCREEK_TAG_LEN);
+ if (pskb_trim_rcsum(skb, skb->len - HELLCREEK_TAG_LEN))
+ return NULL;

dsa_default_offload_fwd_mark(skb);

diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c
index 38fa19c1e2d5..429250298ac4 100644
--- a/net/dsa/tag_ksz.c
+++ b/net/dsa/tag_ksz.c
@@ -21,7 +21,8 @@ static struct sk_buff *ksz_common_rcv(struct sk_buff *skb,
if (!skb->dev)
return NULL;

- pskb_trim_rcsum(skb, skb->len - len);
+ if (pskb_trim_rcsum(skb, skb->len - len))
+ return NULL;

dsa_default_offload_fwd_mark(skb);

diff --git a/net/dsa/tag_sja1105.c b/net/dsa/tag_sja1105.c
index 83e4136516b0..1a85125bda6d 100644
--- a/net/dsa/tag_sja1105.c
+++ b/net/dsa/tag_sja1105.c
@@ -665,7 +665,8 @@ static struct sk_buff *sja1110_rcv_inband_control_extension(struct sk_buff *skb,
* padding and trailer we need to account for the fact that
* skb->data points to skb_mac_header(skb) + ETH_HLEN.
*/
- pskb_trim_rcsum(skb, start_of_padding - ETH_HLEN);
+ if (pskb_trim_rcsum(skb, start_of_padding - ETH_HLEN))
+ return NULL;
/* Trap-to-host frame, no timestamp trailer */
} else {
*source_port = SJA1110_RX_HEADER_SRC_PORT(rx_header);
--
2.30.3

2022-11-30 22:52:46

by Vladimir Oltean

[permalink] [raw]
Subject: Re: [PATCH v2] net: dsa: Check return value from skb_trim_rcsum()

Hi,

On Tue, Nov 29, 2022 at 10:43:09PM +0300, Artem Chernyshev wrote:
> Return NULL if we got unexpected value from skb_trim_rcsum()
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 01ef09caad66 ("net: dsa: Add tag handling for Hirschmann Hellcreek switches")
> Fixes: bafe9ba7d908 ("net: dsa: ksz: Factor out common tag code")
> Fixes: 4913b8ebf8a9 ("net: dsa: add support for the SJA1110 native tagging protocol")
> Signed-off-by: Artem Chernyshev <[email protected]>
> ---

While you're fixing the same class of bug in 3 drivers, the bugs are
unrelated to one another.

SJA1110, KSZ and Hellcreek are switch families from 3 different hardware
vendors, and none of those vendors cares about the other.

When you squash 3 Fixes: tags into the same patch like that, the
following will happen.

$ git tag --contains 01ef09caad66 # "net: dsa: Add tag handling for Hirschmann Hellcreek switches"
v5.11
$ git tag --contains bafe9ba7d908 # "net: dsa: ksz: Factor out common tag code"
v5.0
$ git tag --contains 4913b8ebf8a9 # "net: dsa: add support for the SJA1110 native tagging protocol"
v5.14

Your patch can only be backported down to linux-stable branch linux-5.15.y,
because that's the only stable branch that contains the code you're
modifying.

The Hellcreek driver won't benefit from the bug fix on the 5.10 stable
branch, and neither KSZ nor Hellcreek will benefit from it on 5.4.

Be smart, write 3 patches with 3 distinct Fixes: tags, and each will be
backported where it needs to, independent from the other.

Oh, and also, don't send the v3 emails with an In-reply-to: header to v2.

And please remember to run ./scripts/get_maintainer.pl again, on each
patch revision.

2022-11-30 23:02:10

by Vladimir Oltean

[permalink] [raw]
Subject: Re: [PATCH v2] net: dsa: Check return value from skb_trim_rcsum()

One more thing. I gave you a Reviewed-by tag for v1. The patch submitter
is supposed to carry it over to the applicable code in future patch
revisions, below his Signed-off-by tag (see "git log" for examples).
The reviewer is not supposed to chase the submitter from one revision to
another with the same tags all over again. So I expect that v3 will have
the tag added for the tag_ksz.c related change.

2022-12-01 05:52:06

by Artem Chernyshev

[permalink] [raw]
Subject: Re: [PATCH v2] net: dsa: Check return value from skb_trim_rcsum()

Hi,

On Thu, Dec 01, 2022 at 12:53:30AM +0200, Vladimir Oltean wrote:
> One more thing. I gave you a Reviewed-by tag for v1. The patch submitter
> is supposed to carry it over to the applicable code in future patch
> revisions, below his Signed-off-by tag (see "git log" for examples).
> The reviewer is not supposed to chase the submitter from one revision to
> another with the same tags all over again. So I expect that v3 will have
> the tag added for the tag_ksz.c related change.

Thank you for detailed explanation. I'll fix flaws in patches as quickly
as possible.

Artem