From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 57/59] macvlan: do not assume mac_header is set in macvlan_broadcast()
Date: Sat, 11 Jan 2020 10:50:06 +0100 [thread overview]
Message-ID: <20200111094853.199852008@linuxfoundation.org> (raw)
In-Reply-To: <20200111094835.417654274@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 96cc4b69581db68efc9749ef32e9cf8e0160c509 ]
Use of eth_hdr() in tx path is error prone.
Many drivers call skb_reset_mac_header() before using it,
but others do not.
Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()")
attempted to fix this generically, but commit d346a3fae3ff
("packet: introduce PACKET_QDISC_BYPASS socket option") brought
back the macvlan bug.
Lets add a new helper, so that tx paths no longer have
to call skb_reset_mac_header() only to get a pointer
to skb->data.
Hopefully we will be able to revert 6d1ccff62780
("net: reset mac header in dev_start_xmit()") and save few cycles
in transmit fast path.
BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline]
BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277
Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579
CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:639
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145
__get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
mc_hash drivers/net/macvlan.c:251 [inline]
macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277
macvlan_queue_xmit drivers/net/macvlan.c:520 [inline]
macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559
__netdev_start_xmit include/linux/netdevice.h:4447 [inline]
netdev_start_xmit include/linux/netdevice.h:4461 [inline]
dev_direct_xmit+0x419/0x630 net/core/dev.c:4079
packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240
packet_snd net/packet/af_packet.c:2966 [inline]
packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991
sock_sendmsg_nosec net/socket.c:639 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:659
__sys_sendto+0x262/0x380 net/socket.c:1985
__do_sys_sendto net/socket.c:1997 [inline]
__se_sys_sendto net/socket.c:1993 [inline]
__x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x442639
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639
RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 9389:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:513 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
__do_kmalloc mm/slab.c:3656 [inline]
__kmalloc+0x163/0x770 mm/slab.c:3665
kmalloc include/linux/slab.h:561 [inline]
tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822
tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
security_inode_getattr+0xf2/0x150 security/security.c:1222
vfs_getattr+0x25/0x70 fs/stat.c:115
vfs_statx_fd+0x71/0xc0 fs/stat.c:145
vfs_fstat include/linux/fs.h:3265 [inline]
__do_sys_newfstat+0x9b/0x120 fs/stat.c:378
__se_sys_newfstat fs/stat.c:375 [inline]
__x64_sys_newfstat+0x54/0x80 fs/stat.c:375
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 9389:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:335 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
__cache_free mm/slab.c:3426 [inline]
kfree+0x10a/0x2c0 mm/slab.c:3757
tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822
tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
security_inode_getattr+0xf2/0x150 security/security.c:1222
vfs_getattr+0x25/0x70 fs/stat.c:115
vfs_statx_fd+0x71/0xc0 fs/stat.c:145
vfs_fstat include/linux/fs.h:3265 [inline]
__do_sys_newfstat+0x9b/0x120 fs/stat.c:378
__se_sys_newfstat fs/stat.c:375 [inline]
__x64_sys_newfstat+0x54/0x80 fs/stat.c:375
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a4932000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1025 bytes inside of
4096-byte region [ffff8880a4932000, ffff8880a4933000)
The buggy address belongs to the page:
page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000
raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Fixes: b863ceb7ddce ("[NET]: Add macvlan driver")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/macvlan.c | 2 +-
include/linux/if_ether.h | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -233,7 +233,7 @@ static void macvlan_broadcast(struct sk_
struct net_device *src,
enum macvlan_mode mode)
{
- const struct ethhdr *eth = eth_hdr(skb);
+ const struct ethhdr *eth = skb_eth_hdr(skb);
const struct macvlan_dev *vlan;
struct sk_buff *nskb;
unsigned int i;
--- a/include/linux/if_ether.h
+++ b/include/linux/if_ether.h
@@ -28,6 +28,14 @@ static inline struct ethhdr *eth_hdr(con
return (struct ethhdr *)skb_mac_header(skb);
}
+/* Prefer this version in TX path, instead of
+ * skb_reset_mac_header() + eth_hdr()
+ */
+static inline struct ethhdr *skb_eth_hdr(const struct sk_buff *skb)
+{
+ return (struct ethhdr *)skb->data;
+}
+
int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr);
extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len);
next prev parent reply other threads:[~2020-01-11 9:58 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-11 9:49 [PATCH 4.4 00/59] 4.4.209-stable review Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 01/59] PM / devfreq: Dont fail devfreq_dev_release if not in list Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 02/59] RDMA/cma: add missed unregister_pernet_subsys in init failure Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 03/59] scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 04/59] scsi: qla2xxx: Dont call qlt_async_event twice Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 05/59] scsi: iscsi: qla4xxx: fix double free in probe Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 06/59] scsi: libsas: stop discovering if oob mode is disconnected Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 07/59] usb: gadget: fix wrong endpoint desc Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 08/59] md: raid1: check rdev before reference in raid1_sync_request func Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 09/59] s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 10/59] s390/cpum_sf: Avoid SBD overflow condition in irq handler Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 11/59] xen/balloon: fix ballooned page accounting without hotplug enabled Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 12/59] xfs: fix mount failure crash on invalid iclog memory access Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 13/59] taskstats: fix data-race Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 14/59] Revert "perf report: Add warning when libunwind not compiled in" Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 15/59] ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 16/59] MIPS: Avoid VDSO ABI breakage due to global register variable Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 17/59] locks: print unsigned ino in /proc/locks Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 18/59] dmaengine: Fix access to uninitialized dma_slave_caps Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 19/59] compat_ioctl: block: handle Persistent Reservations Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 20/59] gpiolib: fix up emulated open drain outputs Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 21/59] ALSA: cs4236: fix error return comparison of an unsigned integer Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 22/59] ftrace: Avoid potential division by zero in function profiler Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 23/59] Bluetooth: btusb: fix PM leak in error case of setup Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 24/59] Bluetooth: delete a stray unlock Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 25/59] tty: serial: msm_serial: Fix lockup for sysrq and oops Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 26/59] drm/mst: Fix MST sideband up-reply failure handling Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 27/59] powerpc/pseries/hvconsole: Fix stack overread via udbg Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 28/59] ath9k_htc: Modify byte order for an error message Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 29/59] ath9k_htc: Discard undersized packets Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 30/59] net: add annotations on hh->hh_len lockless accesses Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 31/59] s390/smp: fix physical to logical CPU map for SMT Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 32/59] locking/x86: Remove the unused atomic_inc_short() methd Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 33/59] pstore/ram: Write new dumps to start of recycled zones Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 34/59] locking/spinlock/debug: Fix various data races Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 35/59] netfilter: ctnetlink: netns exit must wait for callbacks Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 36/59] ARM: vexpress: Set-up shared OPP table instead of individual for each CPU Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 37/59] netfilter: uapi: Avoid undefined left-shift in xt_sctp.h Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 38/59] ARM: dts: am437x-gp/epos-evm: fix panel compatible Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 39/59] powerpc: Ensure that swiotlb buffer is allocated from low memory Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 40/59] bnx2x: Do not handle requests from VFs after parity Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 41/59] bnx2x: Fix logic to get total no. of PFs per engine Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 42/59] net: usb: lan78xx: Fix error message format specifier Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 43/59] rfkill: Fix incorrect check to avoid NULL pointer dereference Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 44/59] ASoC: wm8962: fix lambda value Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 45/59] regulator: rn5t618: fix module aliases Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 46/59] kconfig: dont crash on NULL expressions in expr_eq() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 47/59] parisc: Fix compiler warnings in debug_core.c Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 48/59] llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 49/59] net: stmmac: dwmac-sunxi: Allow all RGMII modes Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 50/59] net: usb: lan78xx: fix possible skb leak Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 51/59] pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 52/59] sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 53/59] tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 54/59] vlan: vlan_changelink() should propagate errors Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 55/59] vlan: fix memory leak in vlan_dev_set_egress_priority Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 56/59] vxlan: fix tos value before xmit Greg Kroah-Hartman
2020-01-11 9:50 ` Greg Kroah-Hartman [this message]
2020-01-11 9:50 ` [PATCH 4.4 58/59] USB: core: fix check for duplicate endpoints Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 59/59] USB: serial: option: add Telit ME910G1 0x110a composition Greg Kroah-Hartman
2020-01-11 14:51 ` [PATCH 4.4 00/59] 4.4.209-stable review Guenter Roeck
2020-01-11 18:39 ` Naresh Kamboju
2020-01-13 15:41 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200111094853.199852008@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).