From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eric Dumazet <edumazet@google.com>,
syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com,
Jiri Pirko <jiri@nvidia.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.6 23/60] geneve: make sure to pull inner header in geneve_rx()
Date: Wed, 13 Mar 2024 12:36:30 -0400 [thread overview]
Message-ID: <20240313163707.615000-24-sashal@kernel.org> (raw)
In-Reply-To: <20240313163707.615000-1-sashal@kernel.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1ca1ba465e55b9460e4e75dec9fff31e708fec74 ]
syzbot triggered a bug in geneve_rx() [1]
Issue is similar to the one I fixed in commit 8d975c15c0cd
("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
We have to save skb->network_header in a temporary variable
in order to be able to recompute the network_header pointer
after a pskb_inet_may_pull() call.
pskb_inet_may_pull() makes sure the needed headers are in skb->head.
[1]
BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
geneve_rx drivers/net/geneve.c:279 [inline]
geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
__udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:314 [inline]
ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:461 [inline]
ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
__netif_receive_skb_one_core net/core/dev.c:5534 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
process_backlog+0x480/0x8b0 net/core/dev.c:5976
__napi_poll+0xe3/0x980 net/core/dev.c:6576
napi_poll net/core/dev.c:6645 [inline]
net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
__do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
do_softirq+0x9a/0xf0 kernel/softirq.c:454
__local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
__dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
dev_queue_xmit include/linux/netdevice.h:3171 [inline]
packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x735/0xa10 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3819 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
__alloc_skb+0x352/0x790 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1296 [inline]
alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
packet_alloc_skb net/packet/af_packet.c:2930 [inline]
packet_snd net/packet/af_packet.c:3024 [inline]
packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x735/0xa10 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
Reported-and-tested-by: syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/geneve.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index 78f9d588f7129..9566fda8b2e2e 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -221,7 +221,7 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
struct genevehdr *gnvh = geneve_hdr(skb);
struct metadata_dst *tun_dst = NULL;
unsigned int len;
- int err = 0;
+ int nh, err = 0;
void *oiph;
if (ip_tunnel_collect_metadata() || gs->collect_md) {
@@ -272,9 +272,23 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
skb->pkt_type = PACKET_HOST;
}
- oiph = skb_network_header(skb);
+ /* Save offset of outer header relative to skb->head,
+ * because we are going to reset the network header to the inner header
+ * and might change skb->head.
+ */
+ nh = skb_network_header(skb) - skb->head;
+
skb_reset_network_header(skb);
+ if (!pskb_inet_may_pull(skb)) {
+ DEV_STATS_INC(geneve->dev, rx_length_errors);
+ DEV_STATS_INC(geneve->dev, rx_errors);
+ goto drop;
+ }
+
+ /* Get the outer header. */
+ oiph = skb->head + nh;
+
if (geneve_get_sk_family(gs) == AF_INET)
err = IP_ECN_decapsulate(oiph, skb);
#if IS_ENABLED(CONFIG_IPV6)
--
2.43.0
next prev parent reply other threads:[~2024-03-13 16:37 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-13 16:36 [PATCH 6.6 00/60] 6.6.22-rc1 review Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 01/60] dt-bindings: dma: fsl-edma: Add fsl-edma.h to prevent hardcoding in dts Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 02/60] dmaengine: fsl-edma: utilize common dt-binding header file Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 03/60] dmaengine: fsl-edma: correct max_segment_size setting Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 04/60] ceph: switch to corrected encoding of max_xattr_size in mdsmap Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 05/60] mm: migrate: remove PageTransHuge check in numamigrate_isolate_page() Sasha Levin
2024-03-13 17:29 ` Hugh Dickins
2024-03-13 16:36 ` [PATCH 6.6 06/60] mm: migrate: remove THP mapcount " Sasha Levin
2024-03-13 17:31 ` Hugh Dickins
2024-03-13 16:36 ` [PATCH 6.6 07/60] mm: migrate: convert numamigrate_isolate_page() to numamigrate_isolate_folio() Sasha Levin
2024-03-13 17:32 ` Hugh Dickins
2024-03-13 18:32 ` Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 08/60] mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 09/60] xfrm: Pass UDP encapsulation in TX packet offload Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 10/60] net: lan78xx: fix runtime PM count underflow on link stop Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 11/60] ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 12/60] i40e: disable NAPI right after disabling irqs when handling xsk_pool Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 13/60] ice: reorder disabling IRQ and NAPI in ice_qp_dis Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 14/60] Revert "net/mlx5: Block entering switchdev mode with ns inconsistency" Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 15/60] Revert "net/mlx5e: Check the number of elements before walk TC rhashtable" Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 16/60] net/mlx5: E-switch, Change flow rule destination checking Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 17/60] net/mlx5: Check capability for fw_reset Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 18/60] net/mlx5e: Change the warning when ignore_flow_level is not supported Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 19/60] net/mlx5e: Fix MACsec state loss upon state update in offload path Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 20/60] net/mlx5e: Use a memory barrier to enforce PTP WQ xmit submission tracking occurs after populating the metadata_map Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 21/60] net/mlx5e: Switch to using _bh variant of of spinlock API in port timestamping NAPI poll context Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 22/60] tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string Sasha Levin
2024-03-13 16:36 ` Sasha Levin [this message]
2024-03-13 16:36 ` [PATCH 6.6 24/60] net: sparx5: Fix use after free inside sparx5_del_mact_entry Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 25/60] ice: virtchnl: stop pretending to support RSS over AQ or registers Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 26/60] net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 27/60] igc: avoid returning frame twice in XDP_REDIRECT Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 28/60] net/ipv6: avoid possible UAF in ip6_route_mpath_notify() Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 29/60] bpf: check bpf_func_state->callback_depth when pruning states Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 30/60] xdp, bonding: Fix feature flags when there are no slave devs anymore Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 31/60] selftests/bpf: Fix up xdp bonding test wrt feature flags Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 32/60] cpumap: Zero-initialise xdp_rxq_info struct before running XDP program Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 33/60] net: dsa: microchip: fix register write order in ksz8_ind_write8() Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 34/60] net/rds: fix WARNING in rds_conn_connect_if_down Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 35/60] netfilter: nft_ct: fix l3num expectations with inet pseudo family Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 36/60] netfilter: nf_conntrack_h323: Add protection for bmp length out of range Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 37/60] erofs: apply proper VMA alignment for memory mapped files on THP Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 38/60] netrom: Fix a data-race around sysctl_netrom_default_path_quality Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 39/60] netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 40/60] netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 41/60] netrom: Fix a data-race around sysctl_netrom_transport_timeout Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 42/60] netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 43/60] netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 44/60] netrom: Fix a data-race around sysctl_netrom_transport_busy_delay Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 45/60] netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 46/60] netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 47/60] netrom: Fix a data-race around sysctl_netrom_routing_control Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 48/60] netrom: Fix a data-race around sysctl_netrom_link_fails_count Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 49/60] netrom: Fix data-races around sysctl_net_busy_read Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 50/60] net: pds_core: Fix possible double free in error handling path Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 51/60] KVM: s390: add stat counter for shadow gmap events Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 52/60] KVM: s390: vsie: fix race during shadow creation Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 53/60] readahead: avoid multiple marked readahead pages Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 54/60] selftests: mptcp: decrease BW in simult flows Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 55/60] exit: wait_task_zombie: kill the no longer necessary spin_lock_irq(siglock) Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 56/60] x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 57/60] Documentation/hw-vuln: Add documentation for RFDS Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 58/60] x86/rfds: Mitigate Register File Data Sampling (RFDS) Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 59/60] KVM/x86: Export RFDS_NO and RFDS_CLEAR to guests Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 60/60] Linux 6.6.22-rc1 Sasha Levin
2024-03-14 8:02 ` [PATCH 6.6 00/60] 6.6.22-rc1 review Bagas Sanjaya
2024-03-14 10:08 ` Naresh Kamboju
2024-03-14 11:56 ` Takeshi Ogasawara
2024-03-14 20:55 ` Florian Fainelli
2024-03-15 15:44 ` Mark Brown
2024-03-15 16:01 ` Ron Economos
2024-03-15 17:36 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240313163707.615000-24-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jiri@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.