> On May 31, 2019, at 3:29 PM, Martin KaFai Lau <kafai@xxxxxx> wrote:
>
> __udp6_lib_err() may be called when handling icmpv6 message. For example,
> the icmpv6 toobig(type=2). __udp6_lib_lookup() is then called
> which may call reuseport_select_sock(). reuseport_select_sock() will
> call into a bpf_prog (if there is one).
>
> reuseport_select_sock() is expecting the skb->data pointing to the
> transport header (udphdr in this case). For example, run_bpf_filter()
> is pulling the transport header.
>
> However, in the __udp6_lib_err() path, the skb->data is pointing to the
> ipv6hdr instead of the udphdr.
>
> One option is to pull and push the ipv6hdr in __udp6_lib_err().
> Instead of doing this, this patch follows how the original
> commit 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
> was done in IPv4, which has passed a NULL skb pointer to
> reuseport_select_sock().
>
> Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
> Cc: Craig Gallek <kraig@xxxxxxxxxx>
> Signed-off-by: Martin KaFai Lau <kafai@xxxxxx>
Acked-by: Song Liu <songliubraving@xxxxxx>
> ---
> net/ipv6/udp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 07fa579dfb96..133e6370f89c 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -515,7 +515,7 @@ int __udp6_lib_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
> struct net *net = dev_net(skb->dev);
>
> sk = __udp6_lib_lookup(net, daddr, uh->dest, saddr, uh->source,
> - inet6_iif(skb), inet6_sdif(skb), udptable, skb);
> + inet6_iif(skb), inet6_sdif(skb), udptable, NULL);
> if (!sk) {
> /* No socket for error: try tunnels before discarding */
> sk = ERR_PTR(-ENOENT);
> --
> 2.17.1
>
