Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752046AbdFHEGu (ORCPT ); Thu, 8 Jun 2017 00:06:50 -0400 Received: from relay2-d.mail.gandi.net ([217.70.183.194]:47598 "EHLO relay2-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750786AbdFHEGs (ORCPT ); Thu, 8 Jun 2017 00:06:48 -0400 X-Originating-IP: 74.125.82.51 MIME-Version: 1.0 In-Reply-To: <1496891711.736.55.camel@edumazet-glaptop3.roam.corp.google.com> References: <1496883476-17445-1-git-send-email-yanhaishuang@cmss.chinamobile.com> <1496891711.736.55.camel@edumazet-glaptop3.roam.corp.google.com> From: Pravin Shelar Date: Wed, 7 Jun 2017 21:06:45 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 1/2] ip_tunnel: fix potential issue in ip_tunnel_rcv To: Eric Dumazet Cc: Haishuang Yan , "=David S. Miller" , Alexey Kuznetsov , James Morris , Hideaki YOSHIFUJI , Patrick McHardy , Linux Kernel Network Developers , linux-kernel@vger.kernel.org, Pravin B Shelar , Haishuang Yan Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1436 Lines: 33 On Wed, Jun 7, 2017 at 8:15 PM, Eric Dumazet wrote: > On Wed, 2017-06-07 at 19:13 -0700, Pravin Shelar wrote: >> On Wed, Jun 7, 2017 at 5:57 PM, Haishuang Yan >> wrote: >> > When ip_tunnel_rcv fails, the tun_dst won't be freed, so move >> > skb_dst_set to begin and tun_dst would be freed by kfree_skb. >> > >> > CC: Pravin B Shelar >> > Fixes: 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata.") >> > Signed-off-by: Haishuang Yan >> > --- >> > net/ipv4/ip_tunnel.c | 6 +++--- >> > 1 file changed, 3 insertions(+), 3 deletions(-) >> > >> > diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c >> > index b878ecb..27fc20f 100644 >> > --- a/net/ipv4/ip_tunnel.c >> > +++ b/net/ipv4/ip_tunnel.c >> > @@ -386,6 +386,9 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, >> > const struct iphdr *iph = ip_hdr(skb); >> > int err; >> > >> > + if (tun_dst) >> > + skb_dst_set(skb, (struct dst_entry *)tun_dst); >> > + >> If dst is set so early, skb_scrub_packet() would remove the tunnel dst >> reference. >> It is better to call skb_dst_drop() from error code path. > > Do we really want to keep a dst from another namespace if > skb_scrub_packet() is called with xnet=true ? > tun_dst is allocated in same namespace. It is required for LWT to work.