From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Tom Herbert <tom@quantonium.net>,
David Lebrun <dlebrun@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 10/43] ipv6: sr: fix NULL pointer dereference when setting encap source address
Date: Thu, 29 Mar 2018 20:00:05 +0200 [thread overview]
Message-ID: <20180329175731.128620506@linuxfoundation.org> (raw)
In-Reply-To: <20180329175730.190353692@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lebrun <dlebrun@google.com>
[ Upstream commit 8936ef7604c11b5d701580d779e0f5684abc7b68 ]
When using seg6 in encap mode, we call ipv6_dev_get_saddr() to set the
source address of the outer IPv6 header, in case none was specified.
Using skb->dev can lead to BUG() when it is in an inconsistent state.
This patch uses the net_device attached to the skb's dst instead.
[940807.667429] BUG: unable to handle kernel NULL pointer dereference at 000000000000047c
[940807.762427] IP: ipv6_dev_get_saddr+0x8b/0x1d0
[940807.815725] PGD 0 P4D 0
[940807.847173] Oops: 0000 [#1] SMP PTI
[940807.890073] Modules linked in:
[940807.927765] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G W 4.16.0-rc1-seg6bpf+ #2
[940808.028988] Hardware name: HP ProLiant DL120 G6/ProLiant DL120 G6, BIOS O26 09/06/2010
[940808.128128] RIP: 0010:ipv6_dev_get_saddr+0x8b/0x1d0
[940808.187667] RSP: 0018:ffff88043fd836b0 EFLAGS: 00010206
[940808.251366] RAX: 0000000000000005 RBX: ffff88042cb1c860 RCX: 00000000000000fe
[940808.338025] RDX: 00000000000002c0 RSI: ffff88042cb1c860 RDI: 0000000000004500
[940808.424683] RBP: ffff88043fd83740 R08: 0000000000000000 R09: ffffffffffffffff
[940808.511342] R10: 0000000000000040 R11: 0000000000000000 R12: ffff88042cb1c850
[940808.598012] R13: ffffffff8208e380 R14: ffff88042ac8da00 R15: 0000000000000002
[940808.684675] FS: 0000000000000000(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
[940808.783036] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[940808.852975] CR2: 000000000000047c CR3: 00000004255fe000 CR4: 00000000000006e0
[940808.939634] Call Trace:
[940808.970041] <IRQ>
[940808.995250] ? ip6t_do_table+0x265/0x640
[940809.043341] seg6_do_srh_encap+0x28f/0x300
[940809.093516] ? seg6_do_srh+0x1a0/0x210
[940809.139528] seg6_do_srh+0x1a0/0x210
[940809.183462] seg6_output+0x28/0x1e0
[940809.226358] lwtunnel_output+0x3f/0x70
[940809.272370] ip6_xmit+0x2b8/0x530
[940809.313185] ? ac6_proc_exit+0x20/0x20
[940809.359197] inet6_csk_xmit+0x7d/0xc0
[940809.404173] tcp_transmit_skb+0x548/0x9a0
[940809.453304] __tcp_retransmit_skb+0x1a8/0x7a0
[940809.506603] ? ip6_default_advmss+0x40/0x40
[940809.557824] ? tcp_current_mss+0x24/0x90
[940809.605925] tcp_retransmit_skb+0xd/0x80
[940809.654016] tcp_xmit_retransmit_queue.part.17+0xf9/0x210
[940809.719797] tcp_ack+0xa47/0x1110
[940809.760612] tcp_rcv_established+0x13c/0x570
[940809.812865] tcp_v6_do_rcv+0x151/0x3d0
[940809.858879] tcp_v6_rcv+0xa5c/0xb10
[940809.901770] ? seg6_output+0xdd/0x1e0
[940809.946745] ip6_input_finish+0xbb/0x460
[940809.994837] ip6_input+0x74/0x80
[940810.034612] ? ip6_rcv_finish+0xb0/0xb0
[940810.081663] ipv6_rcv+0x31c/0x4c0
...
Fixes: 6c8702c60b886 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
Reported-by: Tom Herbert <tom@quantonium.net>
Signed-off-by: David Lebrun <dlebrun@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/seg6_iptunnel.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -93,7 +93,8 @@ static void set_tun_src(struct net *net,
/* encapsulate an IPv6 packet within an outer IPv6 header with a given SRH */
int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto)
{
- struct net *net = dev_net(skb_dst(skb)->dev);
+ struct dst_entry *dst = skb_dst(skb);
+ struct net *net = dev_net(dst->dev);
struct ipv6hdr *hdr, *inner_hdr;
struct ipv6_sr_hdr *isrh;
int hdrlen, tot_len, err;
@@ -134,7 +135,7 @@ int seg6_do_srh_encap(struct sk_buff *sk
isrh->nexthdr = proto;
hdr->daddr = isrh->segments[isrh->first_segment];
- set_tun_src(net, skb->dev, &hdr->daddr, &hdr->saddr);
+ set_tun_src(net, ip6_dst_idev(dst)->dev, &hdr->daddr, &hdr->saddr);
#ifdef CONFIG_IPV6_SEG6_HMAC
if (sr_has_hmac(isrh)) {
next prev parent reply other threads:[~2018-03-29 18:00 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-29 17:59 [PATCH 4.14 00/43] 4.14.32-stable review Greg Kroah-Hartman
2018-03-29 17:59 ` [PATCH 4.14 01/43] tcp: reset sk_send_head in tcp_write_queue_purge Greg Kroah-Hartman
2018-03-29 17:59 ` [PATCH 4.14 02/43] tcp: purge write queue upon aborting the connection Greg Kroah-Hartman
2018-03-29 17:59 ` [PATCH 4.14 03/43] qed: Fix non TCP packets should be dropped on iWARP ll2 connection Greg Kroah-Hartman
2018-03-29 17:59 ` [PATCH 4.14 04/43] sysfs: symlink: export sysfs_create_link_nowarn() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 05/43] net: phy: relax error checking when creating sysfs link netdev->phydev Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 06/43] devlink: Remove redundant free on error path Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 07/43] macvlan: filter out unsupported feature flags Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 08/43] net: ipv6: keep sk status consistent after datagram connect failure Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 09/43] ipv6: old_dport should be a __be16 in __ip6_datagram_connect() Greg Kroah-Hartman
2018-03-29 18:00 ` Greg Kroah-Hartman [this message]
2018-03-29 18:00 ` [PATCH 4.14 11/43] ipv6: sr: fix scheduling in RCU when creating seg6 lwtunnel state Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 12/43] mlxsw: spectrum_buffers: Set a minimum quota for CPU port traffic Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 13/43] net: phy: Tell caller result of phy_change() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 14/43] net sched actions: return explicit error when tunnel_key mode is not specified Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 15/43] ppp: avoid loop in xmit recursion detection code Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 16/43] rhashtable: Fix rhlist duplicates insertion Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 17/43] kcm: lock lower socket in kcm_attach Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 18/43] sch_netem: fix skb leak in netem_enqueue() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 19/43] ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 20/43] net: use skb_to_full_sk() in skb_update_prio() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 21/43] net: Fix hlist corruptions in inet_evict_bucket() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 22/43] dccp: check sk for closed state in dccp_sendmsg() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 23/43] ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 24/43] l2tp: do not accept arbitrary sockets Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 25/43] net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 26/43] net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 27/43] net: fec: Fix unbalanced PM runtime calls Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 28/43] net/iucv: Free memory obtained by kzalloc Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 29/43] netlink: avoid a double skb free in genlmsg_mcast() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 30/43] net: Only honor ifindex in IP_PKTINFO if non-0 Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 31/43] net: systemport: Rewrite __bcm_sysport_tx_reclaim() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 32/43] qede: Fix qedr link update Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 33/43] skbuff: Fix not waking applications when errors are enqueued Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 34/43] team: Fix double free in error path Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 35/43] soc/fsl/qbman: fix issue in qman_delete_cgr_safe() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 36/43] dpaa_eth: fix error in dpaa_remove() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 37/43] dpaa_eth: remove duplicate initialization Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 38/43] dpaa_eth: increment the RX dropped counter when needed Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 39/43] dpaa_eth: remove duplicate increment of the tx_errors counter Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 40/43] s390/qeth: free netdevice when removing a card Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 41/43] s390/qeth: when thread completes, wake up all waiters Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 42/43] s390/qeth: lock read device while queueing next buffer Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.14 43/43] s390/qeth: on channel error, reject further cmd requests Greg Kroah-Hartman
2018-03-29 22:01 ` [PATCH 4.14 00/43] 4.14.32-stable review kernelci.org bot
2018-03-29 23:10 ` Shuah Khan
2018-03-30 15:02 ` Naresh Kamboju
2018-03-30 15:19 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180329175731.128620506@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dlebrun@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tom@quantonium.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox