public inbox for stable@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, GangMin Kim <km.kim1503@gmail.com>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 079/113] net/sched: cls_u32: use skb_header_pointer_careful()
Date: Mon,  9 Feb 2026 15:23:48 +0100
Message-ID: <20260209142313.023557748@linuxfoundation.org>
In-Reply-To: <20260209142310.204833231@linuxfoundation.org>

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit cabd1a976375780dabab888784e356f574bbaed8 ]

skb_header_pointer() does not fully validate negative @offset values.

Use skb_header_pointer_careful() instead.

GangMin Kim provided a report and a repro fooling u32_classify():

BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221

Fixes: fbc2e7d9cf49 ("cls_u32: use skb_header_pointer() to dereference data safely")
Reported-by: GangMin Kim <km.kim1503@gmail.com>
Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/cls_u32.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 2a1c00048fd6f..58e849c0acf41 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -161,10 +161,8 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb,
 			int toff = off + key->off + (off2 & key->offmask);
 			__be32 *data, hdata;
 
-			if (skb_headroom(skb) + toff > INT_MAX)
-				goto out;
-
-			data = skb_header_pointer(skb, toff, 4, &hdata);
+			data = skb_header_pointer_careful(skb, toff, 4,
+							  &hdata);
 			if (!data)
 				goto out;
 			if ((*data ^ key->val) & key->mask) {
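Review bot: with the `skb_headroom(skb) + toff > INT_MAX` guard removed before the key match, rejecting a bad `toff` rests entirely on skb_header_pointer_careful(). `toff` is a signed int built from `off + key->off + (off2 & key->offmask)` and can go negative, which is the case the commit message says skb_header_pointer() does not fully validate. For the backport this has to apply after 078/113 ("net: add skb_header_pointer_careful() helper") from the same series. A one-line comment above the call stating that offset validation now lives in the helper would keep the reason for dropping the guard visible at the call site.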
@@ -214,8 +212,9 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb,
 		if (ht->divisor) {
 			__be32 *data, hdata;
 
-			data = skb_header_pointer(skb, off + n->sel.hoff, 4,
-						  &hdata);
+			data = skb_header_pointer_careful(skb,
+							  off + n->sel.hoff,
+							  4, &hdata);
 			if (!data)
 				goto out;
 			sel = ht->divisor & u32_hash_fold(*data, &n->sel,
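Review bot: in the `ht->divisor` branch the helper receives `off + n->sel.hoff` already summed, so it can only validate the result and not the addition itself. The changelog or a short comment should say which bounds on `off` and `n->sel.hoff` keep that int sum from wrapping, since the same question applies to `toff` in the first hunk. The `if (!data) goto out;` handling is kept, which is what the new call needs.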
@@ -229,7 +228,7 @@ TC_INDIRECT_SCOPE int u32_classify(struct sk_buff *skb,
 			if (n->sel.flags & TC_U32_VAROFFSET) {
 				__be16 *data, hdata;
 
-				data = skb_header_pointer(skb,
+				data = skb_header_pointer_careful(skb,
 							  off + n->sel.offoff,
 							  2, &hdata);
 				if (!data)
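Review bot: style point in the TC_U32_VAROFFSET branch: only the first line of the call changes, so the continuation lines `off + n->sel.offoff,` and `2, &hdata);` keep the indentation that matched the shorter skb_header_pointer( name and no longer align with the opening parenthesis. The other two hunks re-wrap their arguments; re-indenting these two lines would make the three call sites consistent, unless they are left as-is to match the upstream commit exactly.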
-- 
2.51.0



