From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, syzbot <syzkaller@googlegroups.com>,
Eric Dumazet <edumazet@google.com>,
Stefano Brivio <sbrivio@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.15 54/98] tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()
Date: Tue, 5 Jul 2022 13:58:12 +0200
Message-ID: <20220705115619.117158778@linuxfoundation.org>
In-Reply-To: <20220705115617.568350164@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
commit 853a7614880231747040cada91d2b8d2e995c51a upstream.
Recently added debug in commit f9aefd6b2aa3 ("net: warn if mac header
was not set") caught a bug in skb_tunnel_check_pmtu(), as shown
in this syzbot report [1].
In ndo_start_xmit() paths, there is really no need to use skb->mac_header,
because skb->data is supposed to point at it.
[1] WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_mac_header_len include/linux/skbuff.h:2784 [inline]
WARNING: CPU: 1 PID: 8604 at include/linux/skbuff.h:2784 skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
Modules linked in:
CPU: 1 PID: 8604 Comm: syz-executor.3 Not tainted 5.19.0-rc2-syzkaller-00443-g8720bd951b8e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_mac_header_len include/linux/skbuff.h:2784 [inline]
RIP: 0010:skb_tunnel_check_pmtu+0x5de/0x2f90 net/ipv4/ip_tunnel_core.c:413
Call Trace:
<TASK>
geneve_xmit_skb drivers/net/geneve.c:927 [inline]
geneve_xmit+0xcf8/0x35d0 drivers/net/geneve.c:1107
__netdev_start_xmit include/linux/netdevice.h:4805 [inline]
netdev_start_xmit include/linux/netdevice.h:4819 [inline]
__dev_direct_xmit+0x500/0x730 net/core/dev.c:4309
dev_direct_xmit include/linux/netdevice.h:3007 [inline]
packet_direct_xmit+0x1b8/0x2c0 net/packet/af_packet.c:282
packet_snd net/packet/af_packet.c:3073 [inline]
packet_sendmsg+0x21f4/0x55d0 net/packet/af_packet.c:3104
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x6eb/0x810 net/socket.c:2489
___sys_sendmsg+0xf3/0x170 net/socket.c:2543
__sys_sendmsg net/socket.c:2572 [inline]
__do_sys_sendmsg net/socket.c:2581 [inline]
__se_sys_sendmsg net/socket.c:2579 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2579
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>
Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ip_tunnel_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -410,7 +410,7 @@ int skb_tunnel_check_pmtu(struct sk_buff
u32 mtu = dst_mtu(encap_dst) - headroom;
if ((skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu)) ||
- (!skb_is_gso(skb) && (skb->len - skb_mac_header_len(skb)) <= mtu))
+ (!skb_is_gso(skb) && (skb->len - skb_network_offset(skb)) <= mtu))
return 0;
skb_dst_update_pmtu_no_confirm(skb, mtu);
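Review bot: the condition on the `+` line is only equivalent to the one it replaces when skb->data sits at the MAC header, which the commit message asserts for ndo_start_xmit() paths but nothing in the hunk records; a one-line comment above the `if`, noting that skb_network_offset() is used because skb->data is already at the MAC header, would keep a later reader from reinstating skb_mac_header_len(). Otherwise this is the right fix: skb_mac_header_len() reads skb->mac_header, which the reported packet_direct_xmit() to geneve_xmit() path never set, whereas skb_network_offset() only depends on the network header, and the GSO branch on the unchanged context line is left as it was.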
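The commit message's point, that on the ndo_start_xmit() path skb->data already sits at the MAC header so skb_network_offset() yields the same length as skb_mac_header_len() without reading skb->mac_header, shown in a constructed C model (an added example, not kernel code; struct skb_model, HEADER_UNSET, the warning counter and the sample frame are assumptions that mirror the kernel's 16-bit head-relative header offsets):

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model of the sk_buff fields the PMTU check reads: header
 * fields are offsets from skb->head, as in the kernel, and ~0 means
 * "never set". Illustrative code, not the kernel's sk_buff. */
#define HEADER_UNSET ((uint16_t)~0U)
struct skb_model {
    uint32_t len;            /* bytes from skb->data to the tail */
    uint32_t headroom;       /* skb->data - skb->head */
    uint16_t mac_header;     /* MAC header offset from skb->head */
    uint16_t network_header; /* IP header offset from skb->head */
};
static int unset_mac_header_warnings; /* stands in for the debug warning */

/* Pre-fix operand: network_header - mac_header. With mac_header never
 * set the subtraction is meaningless and the debug check fires. */
static uint32_t mac_header_len(const struct skb_model *skb)
{
    if (skb->mac_header == HEADER_UNSET)
        unset_mac_header_warnings++;
    return (uint32_t)((int)skb->network_header - (int)skb->mac_header);
}

/* Post-fix operand: distance from skb->data to the IP header. On the xmit
 * path skb->data already sits at the MAC header, so this equals the MAC
 * header length without reading skb->mac_header at all. */
static uint32_t network_offset(const struct skb_model *skb)
{
    return skb->network_header - skb->headroom;
}

/* L3 length each version of the check compares against the tunnel MTU. */
static uint32_t l3_len_before_fix(const struct skb_model *skb)
{
    return skb->len - mac_header_len(skb);
}
static uint32_t l3_len_after_fix(const struct skb_model *skb)
{
    return skb->len - network_offset(skb);
}

int main(void)
{
    /* Constructed: 1514-byte Ethernet frame, 14-byte MAC header, 64 bytes
     * of headroom; no_mac models the AF_PACKET direct-xmit case. */
    struct skb_model normal = { 1514, 64, 64, 78 };
    struct skb_model no_mac = { 1514, 64, HEADER_UNSET, 78 };
    printf("mac header set:   old=%u new=%u\n",
           l3_len_before_fix(&normal), l3_len_after_fix(&normal));
    printf("mac header unset: old=%u new=%u (warnings=%d)\n",
           l3_len_before_fix(&no_mac), l3_len_after_fix(&no_mac),
           unset_mac_header_warnings);
    return 0;
}
```

In the model the unset MAC header makes the pre-fix length wrap to 66971 for a frame that actually fits a 1500-byte MTU, so the old expression misjudges the packet as too large as well as tripping the warning, while the post-fix expression gives 1500 in both cases.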