From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eric Dumazet <edumazet@google.com>,
syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com,
Jiri Pirko <jiri@nvidia.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 08/41] geneve: make sure to pull inner header in geneve_rx()
Date: Wed, 13 Mar 2024 13:04:02 -0400
Message-ID: <20240313170435.616724-9-sashal@kernel.org>
In-Reply-To: <20240313170435.616724-1-sashal@kernel.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1ca1ba465e55b9460e4e75dec9fff31e708fec74 ]
syzbot triggered a bug in geneve_rx() [1]
Issue is similar to the one I fixed in commit 8d975c15c0cd
("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
We have to save skb->network_header in a temporary variable
in order to be able to recompute the network_header pointer
after a pskb_inet_may_pull() call.
pskb_inet_may_pull() makes sure the needed headers are in skb->head.
[1]
BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
geneve_rx drivers/net/geneve.c:279 [inline]
geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
__udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:314 [inline]
ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:461 [inline]
ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
__netif_receive_skb_one_core net/core/dev.c:5534 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
process_backlog+0x480/0x8b0 net/core/dev.c:5976
__napi_poll+0xe3/0x980 net/core/dev.c:6576
napi_poll net/core/dev.c:6645 [inline]
net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
__do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
do_softirq+0x9a/0xf0 kernel/softirq.c:454
__local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
__dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
dev_queue_xmit include/linux/netdevice.h:3171 [inline]
packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x735/0xa10 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3819 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
__alloc_skb+0x352/0x790 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1296 [inline]
alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
packet_alloc_skb net/packet/af_packet.c:2930 [inline]
packet_snd net/packet/af_packet.c:3024 [inline]
packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x735/0xa10 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
Reported-and-tested-by: syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/geneve.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index a19e04f8bcc8f..8aa04b37c5fe0 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -217,7 +217,7 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
struct metadata_dst *tun_dst = NULL;
struct pcpu_sw_netstats *stats;
unsigned int len;
- int err = 0;
+ int nh, err = 0;
void *oiph;
if (ip_tunnel_collect_metadata() || gs->collect_md) {
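Review bot: `nh` in the new `int nh, err = 0;` declaration is a byte offset produced by pointer subtraction, not a header pointer, and nothing at the declaration says so; a name such as `nh_off`, or a short comment here, would make the later `skb->head + nh` read correctly at a glance and keep it from being mistaken for the network header itself. Nothing functional to raise in this hunk.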
@@ -261,9 +261,23 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
goto drop;
}
- oiph = skb_network_header(skb);
+ /* Save offset of outer header relative to skb->head,
+ * because we are going to reset the network header to the inner header
+ * and might change skb->head.
+ */
+ nh = skb_network_header(skb) - skb->head;
+
skb_reset_network_header(skb);
+ if (!pskb_inet_may_pull(skb)) {
+ DEV_STATS_INC(geneve->dev, rx_length_errors);
+ DEV_STATS_INC(geneve->dev, rx_errors);
+ goto drop;
+ }
+
+ /* Get the outer header. */
+ oiph = skb->head + nh;
+
if (geneve_get_sk_family(gs) == AF_INET)
err = IP_ECN_decapsulate(oiph, skb);
#if IS_ENABLED(CONFIG_IPV6)
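Review bot: the recomputed `oiph = skb->head + nh;` is correct only because pskb_inet_may_pull() grows the tail and never the headroom, so the outer header's offset from skb->head is unchanged even when skb->head is reallocated; the comment above `nh = skb_network_header(skb) - skb->head;` says head may change but not why the offset is still valid, and a one-line statement of that invariant would guard against a later change that swaps in a pull variant which adds headroom. On the new error path, `DEV_STATS_INC(geneve->dev, rx_length_errors);` and `DEV_STATS_INC(geneve->dev, rx_errors);` before `goto drop;` match the existing drop-path convention in this function, but for a 4.19 backport confirm that DEV_STATS_INC() and pskb_inet_may_pull() are both present in the target tree rather than only upstream, since neither is introduced by this patch.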
--
2.43.0
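To make the hazard the commit message describes concrete, here is an added userspace model (this editor's example, not kernel code and not part of the patch above). `struct mock_skb`, `mock_pskb_may_pull()`, `mock_ecn_decapsulate()` and the packet builder `run_scenario()` are assumptions that mimic only the sk_buff behaviour the fix relies on: an IPv4-only inner header, ECN results reduced to accept/log/drop, and a pull that copies bytes into a fresh buffer so that `head` moves. It walks the fixed sequence (save the outer header as an offset from head, reset the network header, pull the inner header, recompute the outer pointer) and shows that a pointer saved before the pull would dangle while the offset stays valid, that a truncated inner header is rejected through the length-error counters instead of being read, and that an outer CE mark is propagated to the inner header from the recomputed pointer.

```c
/* Constructed userspace model of the fixed geneve_rx() sequence; not kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_P_IP 0x0800
#define INET_ECN_CE 0x03   /* also the ECN mask */
#define IPV4_HLEN 20

/* Assumed stand-in for the sk_buff fields this pattern touches. */
struct mock_skb {
	unsigned char *head, *data, *network_header;   /* network_header kept as a raw pointer */
	size_t headlen;                 /* packet bytes present at data */
	const unsigned char *frag;      /* bytes still in the non-linear part */
	size_t frag_len;
	unsigned short protocol;        /* inner protocol, set from the geneve header earlier */
};
struct mock_stats { unsigned rx_length_errors, rx_frame_errors, rx_errors, rx_ok; };
struct rx_result { int accepted, head_moved; unsigned char inner_tos; };

/* Model of pskb_may_pull(): make len bytes linear at data by copying from frag into a fresh
 * buffer, so head moves; headroom and offsets from head are preserved (tail expansion only). */
static int mock_pskb_may_pull(struct mock_skb *skb, size_t len)
{
	if (len <= skb->headlen) return 1;
	size_t eat = len - skb->headlen;
	if (eat > skb->frag_len) return 0;                  /* packet really is too short */
	size_t headroom = skb->data - skb->head, nhoff = skb->network_header - skb->head;
	unsigned char *nhead = malloc(headroom + skb->headlen + eat);
	if (!nhead) return 0;
	memcpy(nhead, skb->head, headroom + skb->headlen);
	memcpy(nhead + headroom + skb->headlen, skb->frag, eat);
	free(skb->head);                                    /* saved pointers into it now dangle */
	skb->head = nhead, skb->data = nhead + headroom, skb->network_header = nhead + nhoff;
	skb->headlen += eat, skb->frag += eat, skb->frag_len -= eat;
	return 1;
}

/* Model of INET_ECN_decapsulate(): 0 accept, 1 accept but log, 2 drop. */
static int mock_ecn_decapsulate(unsigned char outer_tos, unsigned char *inner_tos)
{
	unsigned char o = outer_tos & INET_ECN_CE, i = *inner_tos & INET_ECN_CE;
	if (i == 0)                     /* inner Not-ECT cannot carry a CE mark */
		return o == 0 ? 0 : (o == INET_ECN_CE ? 2 : 1);
	if (o == INET_ECN_CE) *inner_tos |= INET_ECN_CE;   /* propagate congestion inward */
	return 0;
}

/* The sequence the patch introduces: save offset, reset, pull, recompute, decapsulate.
 * The pull stands in for pskb_inet_may_pull(), IPv4 inner headers only (model assumption). */
static struct rx_result model_geneve_rx(struct mock_skb *skb, struct mock_stats *st)
{
	struct rx_result r = { 0, 0, 0 };
	const unsigned char *old_head = skb->head;
	ptrdiff_t nh = skb->network_header - skb->head;     /* offset survives a realloc */
	skb->network_header = skb->data;                    /* skb_reset_network_header() */
	if (skb->protocol != ETH_P_IP || !mock_pskb_may_pull(skb, IPV4_HLEN)) {
		st->rx_length_errors++, st->rx_errors++;    /* inner header not fully present */
		return r;
	}
	r.head_moved = skb->head != old_head;
	const unsigned char *oiph = skb->head + nh;         /* outer header, valid for new head */
	unsigned char *iph = skb->network_header;           /* inner header, now linear */
	if (mock_ecn_decapsulate(oiph[1], &iph[1]) > 1) {   /* tos is byte 1 of an IPv4 header */
		st->rx_frame_errors++, st->rx_errors++;
		return r;
	}
	st->rx_ok++, r.accepted = 1, r.inner_tos = iph[1];
	return r;
}

/* Constructed packet: 36 bytes of outer IPv4 + UDP + geneve, then linear_inner bytes of the
 * inner IPv4 header in the linear area and inner_total - linear_inner bytes in frag. */
static struct rx_result run_scenario(unsigned char outer_tos, unsigned char inner_tos,
				     size_t linear_inner, size_t inner_total, struct mock_stats *st)
{
	unsigned char inner[IPV4_HLEN] = { 0x45, inner_tos }, frag[IPV4_HLEN];
	size_t headroom = IPV4_HLEN + 8 + 8;
	struct mock_skb skb = { 0 };
	skb.head = calloc(headroom + linear_inner, 1);
	skb.head[0] = 0x45, skb.head[1] = outer_tos;        /* outer IPv4 version/ihl and tos */
	skb.data = skb.head + headroom, skb.network_header = skb.head;
	memcpy(skb.data, inner, linear_inner);
	memcpy(frag, inner + linear_inner, inner_total - linear_inner);
	skb.headlen = linear_inner, skb.frag = frag, skb.frag_len = inner_total - linear_inner;
	skb.protocol = ETH_P_IP;
	struct rx_result r = model_geneve_rx(&skb, st);
	free(skb.head);
	return r;
}

int main(void)
{
	struct mock_stats st = { 0, 0, 0, 0 };
	struct rx_result r = run_scenario(0x03, 0x02, 4, IPV4_HLEN, &st);
	printf("head moved %d, accepted %d, inner tos 0x%02x\n", r.head_moved, r.accepted, r.inner_tos);
	r = run_scenario(0x00, 0x00, 4, 10, &st);
	printf("truncated inner: accepted %d, rx_length_errors %u\n", r.accepted, st.rx_length_errors);
	return 0;
}
```

Build it with any C99 compiler and run it: the first scenario reports that head moved and that the inner tos became 0x03, the second that the truncated packet was counted as a length error rather than decapsulated. The model keeps `network_header` as a raw pointer on purpose, so the dangling-pointer hazard is visible; the invariant the fix depends on is that the pull only grows the tail, so an offset from head stays valid across the reallocation while a pointer into the old head does not.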
Thread overview (4.19.310-rc1 review, 49+ messages):
2024-03-13 17:03 [PATCH 4.19 00/41] 4.19.310-rc1 review Sasha Levin
2024-03-13 17:03 ` [PATCH 4.19 01/41] net: usb: lan78xx: Remove lots of set but unused 'ret' variables Sasha Levin
2024-03-13 17:03 ` [PATCH 4.19 02/41] lan78xx: Fix white space and style issues Sasha Levin
2024-03-13 17:03 ` [PATCH 4.19 03/41] lan78xx: Add missing return code checks Sasha Levin
2024-03-13 17:03 ` [PATCH 4.19 04/41] lan78xx: Fix partial packet errors on suspend/resume Sasha Levin
2024-03-13 17:03 ` [PATCH 4.19 05/41] lan78xx: Fix race conditions in suspend/resume handling Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 06/41] net: lan78xx: fix runtime PM count underflow on link stop Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 07/41] net: move definition of pcpu_lstats to header file Sasha Levin
2024-03-13 17:04 ` Sasha Levin [this message]
2024-03-13 17:04 ` [PATCH 4.19 09/41] net/ipv6: avoid possible UAF in ip6_route_mpath_notify() Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 10/41] net/rds: fix WARNING in rds_conn_connect_if_down Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 11/41] netfilter: nf_conntrack_h323: Add protection for bmp length out of range Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 12/41] netrom: Fix a data-race around sysctl_netrom_default_path_quality Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 13/41] netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 14/41] netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 15/41] netrom: Fix a data-race around sysctl_netrom_transport_timeout Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 16/41] netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 17/41] netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 18/41] netrom: Fix a data-race around sysctl_netrom_transport_busy_delay Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 19/41] netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 20/41] netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 21/41] netrom: Fix a data-race around sysctl_netrom_routing_control Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 22/41] netrom: Fix a data-race around sysctl_netrom_link_fails_count Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 23/41] netrom: Fix data-races around sysctl_net_busy_read Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 24/41] btrfs: ref-verify: free ref cache before clearing mount opt Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 25/41] tools/selftest/vm: allow choosing mem size and page size in map_hugetlb Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 26/41] selftests: mm: fix map_hugetlb failure on 64K page size systems Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 27/41] um: allow not setting extra rpaths in the linux binary Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 28/41] Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 29/41] hv_netvsc: Make netvsc/VF binding check both MAC and serial number Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 30/41] hv_netvsc: use netif_is_bond_master() instead of open code Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 31/41] hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 32/41] y2038: rusage: use __kernel_old_timeval Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 33/41] getrusage: add the "signal_struct *sig" local variable Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 34/41] getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand() Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 35/41] getrusage: use __for_each_thread() Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 36/41] getrusage: use sig->stats_lock rather than lock_task_sighand() Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 37/41] exit: Fix typo in comment: s/sub-theads/sub-threads Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 38/41] exit: wait_task_zombie: kill the no longer necessary spin_lock_irq(siglock) Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 39/41] selftests/vm: fix display of page size in map_hugetlb Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 40/41] selftests/vm: fix map_hugetlb length used for testing read and write Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 41/41] Linux 4.19.310-rc1 Sasha Levin
2024-03-13 20:06 ` [PATCH 4.19 00/41] 4.19.310-rc1 review Pavel Machek
2024-03-15 8:21 ` Naresh Kamboju
2024-03-16 20:57 ` Guenter Roeck
2024-03-19 14:24 ` Guenter Roeck
2024-03-30 9:19 ` Greg KH
2024-04-11 9:12 ` Greg KH
2024-04-29 21:44 ` [PATCH 4.19] Revert "y2038: rusage: use __kernel_old_timeval" Ben Hutchings