LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, "Jason Wang" <jasowang@redhat.com>,
	"Bjørn Mork" <bjorn@mork.no>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.16 56/81] tun: fix vlan packet truncation
Date: Fri, 27 Apr 2018 15:58:58 +0200	[thread overview]
Message-ID: <20180427135746.547013427@linuxfoundation.org> (raw)
In-Reply-To: <20180427135743.216853156@linuxfoundation.org>

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 2430 bytes --]

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Bjørn Mork" <bjorn@mork.no>


[ Upstream commit 81c895072d29cd70eea5be1a8587cd6461c3715a ]

Bogus trimming in tun_net_xmit() causes truncated vlan packets.

skb->len is correct whether or not skb_vlan_tag_present() is true. There
is no more reason to adjust the skb length on xmit in this driver than
any other driver. tun_put_user() adds 4 bytes to the total for tagged
packets because it transmits the tag inline to userspace.  This is
similar to a nic transmitting the tag inline on the wire.

Reproducing the bug by sending any tagged packet through back-to-back
connected tap interfaces:

 socat TUN,tun-type=tap,iff-up,tun-name=in TUN,tun-type=tap,iff-up,tun-name=out &
 ip link add link in name in.20 type vlan id 20
 ip addr add 10.9.9.9/24 dev in.20
 ip link set in.20 up
 tshark -nxxi in -f arp -c1 2>/dev/null &
 tshark -nxxi out -f arp -c1 2>/dev/null &
 ping -c 1 10.9.9.5 >/dev/null 2>&1

The output from the 'in' and 'out' interfaces are different when the
bug is present:

 Capturing on 'in'
 0000  ff ff ff ff ff ff 76 cf 76 37 d5 0a 81 00 00 14   ......v.v7......
 0010  08 06 00 01 08 00 06 04 00 01 76 cf 76 37 d5 0a   ..........v.v7..
 0020  0a 09 09 09 00 00 00 00 00 00 0a 09 09 05         ..............

 Capturing on 'out'
 0000  ff ff ff ff ff ff 76 cf 76 37 d5 0a 81 00 00 14   ......v.v7......
 0010  08 06 00 01 08 00 06 04 00 01 76 cf 76 37 d5 0a   ..........v.v7..
 0020  0a 09 09 09 00 00 00 00 00 00                     ..........

Fixes: aff3d70a07ff ("tun: allow to attach ebpf socket filter")
Cc: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/tun.c |    7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1094,12 +1094,7 @@ static netdev_tx_t tun_net_xmit(struct s
 		goto drop;
 
 	len = run_ebpf_filter(tun, skb, len);
-
-	/* Trim extra bytes since we may insert vlan proto & TCI
-	 * in tun_put_user().
-	 */
-	len -= skb_vlan_tag_present(skb) ? sizeof(struct veth) : 0;
-	if (len <= 0 || pskb_trim(skb, len))
+	if (len == 0 || pskb_trim(skb, len))
 		goto drop;
 
 	if (unlikely(skb_orphan_frags_rx(skb, GFP_ATOMIC)))

  parent reply	other threads:[~2018-04-27 13:58 UTC|newest]

Thread overview: 88+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-27 13:58 [PATCH 4.16 00/81] 4.16.6-stable review Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 01/81] Revert "pinctrl: intel: Initialize GPIO properly when used through irqchip" Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 02/81] drm: bridge: dw-hdmi: Fix overflow workaround for Amlogic Meson GX SoCs Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 03/81] i40e: Fix attach VF to VM issue Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 04/81] tpm: cmd_ready command can be issued only after granting locality Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 05/81] tpm: tpm-interface: fix tpm_transmit/_cmd kdoc Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 06/81] tpm: add retry logic Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 07/81] Revert "ath10k: send (re)assoc peer command when NSS changed" Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 08/81] bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 09/81] docs: ip-sysctl.txt: fix name of some ipv6 variables Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 10/81] ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 11/81] ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 12/81] KEYS: DNS: limit the length of option strings Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 13/81] l2tp: check sockaddr length in pppol2tp_connect() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 14/81] llc: delete timers synchronously in llc_sk_free() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 15/81] net: af_packet: fix race in PACKET_{R|T}X_RING Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 16/81] net: fix deadlock while clearing neighbor proxy table Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 17/81] net: mvpp2: Fix DMA address mask size Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 18/81] net: qmi_wwan: add Wistron Neweb D19Q1 Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 19/81] net/smc: fix shutdown in state SMC_LISTEN Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 20/81] net: stmmac: Disable ACS Feature for GMAC >= 4 Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 21/81] packet: fix bitfield update race Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 22/81] pppoe: check sockaddr length in pppoe_connect() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 23/81] Revert "macsec: missing dev_put() on error in macsec_newlink()" Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 24/81] sctp: do not check port in sctp_inet6_cmp_addr Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 25/81] strparser: Do not call mod_delayed_work with a timeout of LONG_MAX Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 26/81] strparser: Fix incorrect strp->need_bytes value Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 27/81] tcp: clear tp->packets_out when purging write queue Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 28/81] tcp: dont read out-of-bounds opsize Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 29/81] tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 30/81] team: avoid adding twice the same option to the event list Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 31/81] team: fix netconsole setup over team Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 32/81] tipc: add policy for TIPC_NLA_NET_ADDR Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 33/81] vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 34/81] vmxnet3: fix incorrect dereference when rxvlan is disabled Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 35/81] amd-xgbe: Add pre/post auto-negotiation phy hooks Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 36/81] amd-xgbe: Improve KR auto-negotiation and training Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 37/81] amd-xgbe: Only use the SFP supported transceiver signals Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 38/81] net: sched: ife: signal not finding metaid Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 39/81] net: sched: ife: handle malformed tlv length Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 40/81] net: sched: ife: check on metadata length Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 41/81] l2tp: hold reference on tunnels in netlink dumps Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 42/81] l2tp: hold reference on tunnels printed in pppol2tp proc file Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 43/81] l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 44/81] l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 45/81] llc: hold llc_sap before release_sock() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 46/81] llc: fix NULL pointer deref for SOCK_ZAPPED Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 47/81] s390/qeth: fix error handling in adapter command callbacks Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 48/81] s390/qeth: avoid control IO completion stalls Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 49/81] s390/qeth: handle failure on workqueue creation Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 50/81] net: ethernet: ti: cpsw: fix tx vlan priority mapping Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 51/81] net: validate attribute sizes in neigh_dump_table() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 52/81] bnxt_en: Fix memory fault in bnxt_ethtool_init() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 53/81] virtio-net: add missing virtqueue kick when flushing packets Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 54/81] VSOCK: make af_vsock.ko removable again Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 55/81] net: aquantia: Regression on reset with 1.x firmware Greg Kroah-Hartman
2018-04-27 13:58 ` Greg Kroah-Hartman [this message]
2018-04-27 13:58 ` [PATCH 4.16 57/81] net: aquantia: oops when shutdown on already stopped device Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 58/81] virtio_net: split out ctrl buffer Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 59/81] virtio_net: fix adding vids on big-endian Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 60/81] Revert "mm/hmm: fix header file if/else/endif maze" Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 61/81] commoncap: Handle memory allocation failure Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 62/81] scsi: mptsas: Disable WRITE SAME Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 63/81] cdrom: information leak in cdrom_ioctl_media_changed() Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 64/81] fsnotify: Fix fsnotify_mark_connector race Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 65/81] m68k/mac: Dont remap SWIM MMIO region Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 66/81] block/swim: Check drive type Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 67/81] block/swim: Dont log an error message for an invalid ioctl Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 68/81] block/swim: Remove extra put_disk() call from error path Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 69/81] block/swim: Rename macros to avoid inconsistent inverted logic Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 70/81] block/swim: Select appropriate drive on device open Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 71/81] block/swim: Fix array bounds check Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 72/81] block/swim: Fix IO error at end of medium Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 73/81] tracing: Fix missing tab for hwlat_detector print format Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 74/81] hwmon: (k10temp) Add temperature offset for Ryzen 2700X Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 75/81] hwmon: (k10temp) Add support for AMD Ryzen w/ Vega graphics Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 76/81] s390/cio: update chpid descriptor after resource accessibility event Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 77/81] s390/dasd: fix IO error for newly defined devices Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 78/81] s390/uprobes: implement arch_uretprobe_is_alive() Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 79/81] s390/cpum_cf: rename IBM z13/z14 counter names Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 80/81] kprobes: Fix random address output of blacklist file Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 81/81] ACPI / video: Only default only_lcd to true on Win8-ready _desktops_ Greg Kroah-Hartman
2018-04-27 18:15 ` [PATCH 4.16 00/81] 4.16.6-stable review Shuah Khan
2018-04-27 20:41 ` Dan Rue
2018-04-28  5:50   ` Greg Kroah-Hartman
2018-04-27 20:44 ` kernelci.org bot
2018-04-28 14:32 ` Guenter Roeck
2018-04-28 15:52   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180427135746.547013427@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=bjorn@mork.no \
    --cc=davem@davemloft.net \
    --cc=jasowang@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --subject='Re: [PATCH 4.16 56/81] tun: fix vlan packet truncation' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).