From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Daniel Petre <daniel.petre@rcs-rds.ro>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 09/17] ip_tunnel: fix kernel panic with icmp_dest_unreach
Date: Tue, 25 Jun 2013 11:39:24 -0700 [thread overview]
Message-ID: <20130625183916.502927132@linuxfoundation.org> (raw)
In-Reply-To: <20130625183915.443950649@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a622260254ee481747cceaaa8609985b29a31565 ]
Daniel Petre reported crashes in icmp_dst_unreach() with following call
graph:
Daniel found a similar problem mentioned in
http://lkml.indiana.edu/hypermail/linux/kernel/1007.0/00961.html
And indeed this is the root cause : skb->cb[] contains data fooling IP
stack.
We must clear IPCB in ip_tunnel_xmit() sooner in case dst_link_failure()
is called. Or else skb->cb[] might contain garbage from GSO segmentation
layer.
A similar fix was tested on linux-3.9, but gre code was refactored in
linux-3.10. I'll send patches for stable kernels as well.
Many thanks to Daniel for providing reports, patches and testing !
Reported-by: Daniel Petre <daniel.petre@rcs-rds.ro>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ip_gre.c | 2 +-
net/ipv4/ipip.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -716,6 +716,7 @@ static netdev_tx_t ipgre_tunnel_xmit(str
tiph = &tunnel->parms.iph;
}
+ memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
if ((dst = tiph->daddr) == 0) {
/* NBMA tunnel */
@@ -853,7 +854,6 @@ static netdev_tx_t ipgre_tunnel_xmit(str
skb_reset_transport_header(skb);
skb_push(skb, gre_hlen);
skb_reset_network_header(skb);
- memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
IPSKB_REROUTED);
skb_dst_drop(skb);
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -448,6 +448,7 @@ static netdev_tx_t ipip_tunnel_xmit(stru
if (tos & 1)
tos = old_iph->tos;
+ memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
if (!dst) {
/* NBMA tunnel */
if ((rt = skb_rtable(skb)) == NULL) {
@@ -531,7 +532,6 @@ static netdev_tx_t ipip_tunnel_xmit(stru
skb->transport_header = skb->network_header;
skb_push(skb, sizeof(struct iphdr));
skb_reset_network_header(skb);
- memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
IPSKB_REROUTED);
skb_dst_drop(skb);
next prev parent reply other threads:[~2013-06-25 18:39 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-25 18:39 [ 00/17] 3.0.84-stable review Greg Kroah-Hartman
2013-06-25 18:39 ` [ 01/17] ALSA: usb-audio: work around Android accessory firmware bug Greg Kroah-Hartman
2013-06-25 18:39 ` [ 02/17] tilepro: work around module link error with gcc 4.7 Greg Kroah-Hartman
2013-06-25 18:39 ` [ 03/17] KVM: x86: remove vcpus CPL check in host-invoked XCR set Greg Kroah-Hartman
2013-06-25 18:39 ` [ 04/17] tcp: fix tcp_md5_hash_skb_data() Greg Kroah-Hartman
2013-06-25 18:39 ` [ 05/17] gianfar: add missing iounmap() on error in gianfar_ptp_probe() Greg Kroah-Hartman
2013-06-25 18:39 ` [ 06/17] ipv6: fix possible crashes in ip6_cork_release() Greg Kroah-Hartman
2013-06-25 18:39 ` [ 07/17] netlabel: improve domain mapping validation Greg Kroah-Hartman
2013-06-25 18:39 ` [ 08/17] tcp: xps: fix reordering issues Greg Kroah-Hartman
2013-06-25 18:39 ` Greg Kroah-Hartman [this message]
2013-06-25 18:39 ` [ 10/17] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg Greg Kroah-Hartman
2013-06-25 18:39 ` [ 11/17] net: force a reload of first item in hlist_nulls_for_each_entry_rcu Greg Kroah-Hartman
2013-06-25 18:39 ` [ 12/17] ipv6: assign rt6_info to inet6_ifaddr in init_loopback Greg Kroah-Hartman
2013-06-25 18:39 ` [ 13/17] net: sctp: fix NULL pointer dereference in socket destruction Greg Kroah-Hartman
2013-06-25 18:39 ` [ 14/17] packet: packet_getname_spkt: make sure string is always 0-terminated Greg Kroah-Hartman
2013-06-25 18:39 ` [ 15/17] l2tp: Fix PPP header erasure and memory leak Greg Kroah-Hartman
2013-06-25 18:39 ` [ 16/17] l2tp: Fix sendmsg() return value Greg Kroah-Hartman
2013-06-25 18:39 ` [ 17/17] USB: serial: ti_usb_3410_5052: new device id for Abbot strip port cable Greg Kroah-Hartman
2013-06-25 21:39 ` Anders Hammarquist
2013-06-26 17:21 ` Greg Kroah-Hartman
2013-06-27 0:28 ` Anders Hammarquist
2013-06-25 19:23 ` [ 00/17] 3.0.84-stable review Guenter Roeck
2013-06-25 19:32 ` Geert Uytterhoeven
2013-06-25 19:39 ` Guenter Roeck
2013-06-26 7:34 ` Geert Uytterhoeven
2013-06-26 14:40 ` Guenter Roeck
2013-06-26 23:06 ` Greg Ungerer
2013-06-26 23:29 ` Guenter Roeck
2013-08-01 14:35 ` Greg Ungerer
2013-08-01 15:08 ` Guenter Roeck
2013-06-26 4:16 ` Greg Kroah-Hartman
2013-06-26 16:57 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130625183916.502927132@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel.petre@rcs-rds.ro \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).