Commit 010f245b authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

tun: relax check on eth_get_headlen() return value

syzkaller hit the WARN() in tun_get_user(), providing skb
with payload in fragments only, and nothing in skb->head

GRO layer is fine with this, so relax the check.

Fixes: 90e33d45 ("tun: enable napi_gro_frags() for TUN/TAP driver")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 22ce97fe
...@@ -1737,7 +1737,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, ...@@ -1737,7 +1737,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
/* Exercise flow dissector code path. */ /* Exercise flow dissector code path. */
u32 headlen = eth_get_headlen(skb->data, skb_headlen(skb)); u32 headlen = eth_get_headlen(skb->data, skb_headlen(skb));
if (headlen > skb_headlen(skb) || headlen < ETH_HLEN) { if (unlikely(headlen > skb_headlen(skb))) {
this_cpu_inc(tun->pcpu_stats->rx_dropped); this_cpu_inc(tun->pcpu_stats->rx_dropped);
napi_free_frags(&tfile->napi); napi_free_frags(&tfile->napi);
mutex_unlock(&tfile->napi_mutex); mutex_unlock(&tfile->napi_mutex);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment