tun: relax check on eth_get_headlen() return value
authorEric Dumazet <edumazet@google.com>
Tue, 17 Oct 2017 17:07:44 +0000 (10:07 -0700)
committerDavid S. Miller <davem@davemloft.net>
Thu, 19 Oct 2017 12:17:39 +0000 (13:17 +0100)
syzkaller hit the WARN() in tun_get_user(), providing skb
with payload in fragments only, and nothing in skb->head

GRO layer is fine with this, so relax the check.

Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/tun.c

index 57e4c31fa84adc4d9af6ab69a87feac23a8b034e..c64ec19af9b73744270f5cdb922d0f0c1c8f4443 100644 (file)
@@ -1737,7 +1737,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
                /* Exercise flow dissector code path. */
                u32 headlen = eth_get_headlen(skb->data, skb_headlen(skb));
 
-               if (headlen > skb_headlen(skb) || headlen < ETH_HLEN) {
+               if (unlikely(headlen > skb_headlen(skb))) {
                        this_cpu_inc(tun->pcpu_stats->rx_dropped);
                        napi_free_frags(&tfile->napi);
                        mutex_unlock(&tfile->napi_mutex);