linux/net/ipv6
Florian Westphal 51210ad5a5 inet: do not call sublist_rcv on empty list
syzbot triggered struct net NULL deref in NF_HOOK_LIST:
RIP: 0010:NF_HOOK_LIST include/linux/netfilter.h:331 [inline]
RIP: 0010:ip6_sublist_rcv+0x5c9/0x930 net/ipv6/ip6_input.c:292
 ipv6_list_rcv+0x373/0x4b0 net/ipv6/ip6_input.c:328
 __netif_receive_skb_list_ptype net/core/dev.c:5274 [inline]

Reason:
void ipv6_list_rcv(struct list_head *head, struct packet_type *pt,
                   struct net_device *orig_dev)
[..]
        list_for_each_entry_safe(skb, next, head, list) {
		/* iterates list */
                skb = ip6_rcv_core(skb, dev, net);
		/* ip6_rcv_core drops skb -> NULL is returned */
                if (skb == NULL)
                        continue;
	[..]
	}
	/* sublist is empty -> curr_net is NULL */
        ip6_sublist_rcv(&sublist, curr_dev, curr_net);

Before the recent change NF_HOOK_LIST did a list iteration before
struct net deref, i.e. it was a no-op in the empty list case.

List iteration now happens after *net deref, causing crash.

Follow the same pattern as the ip(v6)_list_rcv loop and add a list_empty
test for the final sublist dispatch too.

Cc: Edward Cree <ecree@solarflare.com>
Reported-by: syzbot+c54f457cad330e57e967@syzkaller.appspotmail.com
Fixes: ca58fbe06c ("netfilter: add and use nf_hook_slow_list()")
Signed-off-by: Florian Westphal <fw@strlen.de>
Tested-by: Leon Romanovsky <leonro@mellanox.com>
Tested-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-10-29 17:54:29 -07:00
..
ila treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
netfilter netfilter: nft_tproxy: Fix typo in IPv6 module description. 2019-10-17 12:21:11 +02:00
addrconf_core.c ipv6: Add delete route hook to stubs 2019-05-22 17:48:43 -07:00
addrconf.c Revert "blackhole_netdev: fix syzkaller reported issue" 2019-10-16 13:41:26 -04:00
addrlabel.c netlink: make validation more configurable for future strictness 2019-04-27 17:07:21 -04:00
af_inet6.c ipv6: use indirect call wrappers for {tcp, udpv6}_{recv, send}msg() 2019-07-03 13:51:54 -07:00
ah6.c ipv6: Use ipv6_authlen for len 2019-07-11 14:43:25 -07:00
anycast.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
calipso.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
datagram.c udp: correct reuseport selection with connected sockets 2019-09-16 09:02:18 +02:00
esp6_offload.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2019-07-05 15:01:15 -07:00
esp6.c xfrm: remove get_mtu indirection from xfrm_type 2019-07-01 06:16:40 +02:00
exthdrs_core.c ipv6: remove printk 2019-07-27 14:23:48 -07:00
exthdrs_offload.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
exthdrs.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
fib6_notifier.c net: fib_notifier: propagate extack down to the notifier block callback 2019-10-04 11:10:56 -07:00
fib6_rules.c net: fib_notifier: propagate extack down to the notifier block callback 2019-10-04 11:10:56 -07:00
fou6.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
icmp.c ipv6: icmp: allow flowlabel reflection in echo replies 2019-07-01 10:54:51 -07:00
inet6_connection_sock.c ipv6: add priority parameter to ip6_xmit() 2019-09-27 12:05:02 +02:00
inet6_hashtables.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-07 11:00:14 -07:00
ip6_checksum.c net: udp: fix handling of CHECKSUM_COMPLETE packets 2018-10-24 14:18:16 -07:00
ip6_fib.c net: fib_notifier: propagate extack down to the notifier block callback 2019-10-04 11:10:56 -07:00
ip6_flowlabel.c ipv6: fix static key imbalance in fl_create() 2019-07-11 14:43:25 -07:00
ip6_gre.c ip6erspan: remove the incorrect mtu limit for ip6erspan 2019-10-08 19:46:42 -07:00
ip6_icmp.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ip6_input.c inet: do not call sublist_rcv on empty list 2019-10-29 17:54:29 -07:00
ip6_offload.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ip6_offload.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ip6_output.c net: ensure correct skb->tstamp in various fragmenters 2019-10-18 10:02:37 -07:00
ip6_tunnel.c ip6_tunnel: fix possible use-after-free on xmit 2019-07-26 14:17:44 -07:00
ip6_udp_tunnel.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ip6_vti.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ip6mr.c net: fib_notifier: propagate extack down to the notifier block callback 2019-10-04 11:10:56 -07:00
ipcomp6.c xfrm: remove type and offload_type map from xfrm_state_afinfo 2019-06-06 08:34:50 +02:00
ipv6_sockglue.c SPDX update for 5.2-rc3, round 1 2019-05-31 08:34:32 -07:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile xfrm: make xfrm modes builtin 2019-04-08 09:15:17 +02:00
mcast_snoop.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 343 2019-06-05 17:37:07 +02:00
mcast.c mld: fix memory leak in mld_del_delrec() 2019-08-28 14:47:35 -07:00
mip6.c xfrm: remove type and offload_type map from xfrm_state_afinfo 2019-06-06 08:34:50 +02:00
ndisc.c net-ipv6-ndisc: add support for RFC7710 RA Captive Portal Identifier 2019-07-22 12:10:54 -07:00
netfilter.c net: ensure correct skb->tstamp in various fragmenters 2019-10-18 10:02:37 -07:00
output_core.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
ping.c ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' 2019-09-12 11:20:33 +01:00
proc.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-07 11:00:14 -07:00
protocol.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
raw.c netfilter: drop bridge nf reset from nf_reset 2019-10-01 18:42:15 +02:00
reassembly.c inet: frags: re-introduce skb coalescing for local delivery 2019-08-08 15:55:10 -07:00
route.c Revert "blackhole_netdev: fix syzkaller reported issue" 2019-10-16 13:41:26 -04:00
seg6_hmac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
seg6_iptunnel.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
seg6_local.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
seg6.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sit.c sit: use dst_cache in ipip6_tunnel_xmit 2019-07-14 12:15:28 -07:00
syncookies.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sysctl_net_ipv6.c proc/sysctl: add shared variables for range check 2019-07-18 17:08:07 -07:00
tcp_ipv6.c tcp: annotate tp->write_seq lockless reads 2019-10-13 10:13:08 -07:00
tcpv6_offload.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
tunnel6.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
udp_impl.h udp6: add missing rehash callback to udplite 2019-01-17 15:01:08 -08:00
udp_offload.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
udp.c udp: only do GSO if # of segs > 1 2019-10-03 11:47:10 -04:00
udplite.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
xfrm6_input.c net: use skb_sec_path helper in more places 2018-12-19 11:21:37 -08:00
xfrm6_output.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
xfrm6_policy.c xfrm: remove decode_session indirection from afinfo_policy 2019-04-23 07:42:20 +02:00
xfrm6_protocol.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
xfrm6_state.c xfrm: remove eth_proto value from xfrm_state_afinfo 2019-06-06 08:34:50 +02:00
xfrm6_tunnel.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00