net: make skb_gso_segment error handling more robust

skb_gso_segment has three possible return values: 1. a pointer to the first segmented skb 2. an errno value (IS_ERR()) 3. NULL. This can happen when GSO is used for header verification. However, several callers currently test IS_ERR instead of IS_ERR_OR_NULL and would oops when NULL is returned. Note that these call sites should never actually see such a NULL return value; all callers mask out the GSO bits in the feature argument. However, there have been issues with some protocol handlers erronously not respecting the specified feature mask in some cases. It is preferable to get 'have to turn off hw offloading, else slow' reports rather than 'kernel crashes'. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Florian Westphal <fw@strlen.de> 2014-10-20 07:49:17 -0400
committer: David S. Miller <davem@davemloft.net> 2014-10-20 12:38:13 -0400
commit: 330966e501ffe282d7184fde4518d5e0c24bc7f8 (patch)
tree: 59951ec61922bcdbb674b63f114cfdf52d1203ef
parent: 1e16aa3ddf863c6b9f37eddf52503230a62dedb3 (diff)
4 files changed, 6 insertions, 2 deletions
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 88e5ef2c7f51..bc6471d4abcd 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -231,7 +231,7 @@ static int ip_finish_output_gso(struct sk_buff *skb)
         */
        features = netif_skb_features(skb);
        segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
-        if (IS_ERR(segs)) {
+        if (IS_ERR_OR_NULL(segs)) {
                kfree_skb(skb);
                return -ENOMEM;
        }
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index a82077d9f59b..7c60ccd61a3e 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -665,7 +665,7 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
         * returned by nf_queue.  For instance, callers rely on -ECANCELED to
         * mean 'ignore this hook'.
         */
-        if (IS_ERR(segs))
+        if (IS_ERR_OR_NULL(segs))
                goto out_err;
        queued = 0;
        err = 0;
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 2e31d9e7f4dc..e6d7255183eb 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -324,6 +324,8 @@ static int queue_gso_packets(struct datapath *dp, struct sk_buff *skb,
        segs = __skb_gso_segment(skb, NETIF_F_SG, false);
        if (IS_ERR(segs))
                return PTR_ERR(segs);
+        if (segs == NULL)
+                return -EINVAL;
        /* Queue all of the segments. */
        skb = segs;
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 499d6c18a8ce..7c532856b398 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -157,6 +157,8 @@ static int xfrm_output_gso(struct sk_buff *skb)
        kfree_skb(skb);
        if (IS_ERR(segs))
                return PTR_ERR(segs);
+        if (segs == NULL)
+                return -EINVAL;
        do {
                struct sk_buff *nskb = segs->next;
author	Florian Westphal <fw@strlen.de>	2014-10-20 07:49:17 -0400
committer	David S. Miller <davem@davemloft.net>	2014-10-20 12:38:13 -0400
commit	330966e501ffe282d7184fde4518d5e0c24bc7f8 (patch)
tree	59951ec61922bcdbb674b63f114cfdf52d1203ef
parent	1e16aa3ddf863c6b9f37eddf52503230a62dedb3 (diff)