linux/drivers/net
Taehee Yoo 10ad3e998f bareudp: Fix use of incorrect min_headroom size
In the bareudp6_xmit_skb(), it calculates min_headroom.
At that point, it uses struct iphdr, but it's not correct.
So panic could occur.
The struct ipv6hdr should be used.

Test commands:
    ip netns add A
    ip netns add B
    ip link add veth0 netns A type veth peer name veth1 netns B
    ip netns exec A ip link set veth0 up
    ip netns exec A ip a a 2001:db8:0::1/64 dev veth0
    ip netns exec B ip link set veth1 up
    ip netns exec B ip a a 2001:db8:0::2/64 dev veth1

    for i in {10..1}
    do
            let A=$i-1
            ip netns exec A ip link add bareudp$i type bareudp dstport $i \
		    ethertype 0x86dd
            ip netns exec A ip link set bareudp$i up
            ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev bareudp$i
            ip netns exec A ip -6 r a 2001:db8:$i::2 encap ip6 src \
		    2001:db8:$A::1 dst 2001:db8:$A::2 via 2001:db8:$i::2 \
		    dev bareudp$i

            ip netns exec B ip link add bareudp$i type bareudp dstport $i \
		    ethertype 0x86dd
            ip netns exec B ip link set bareudp$i up
            ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev bareudp$i
            ip netns exec B ip -6 r a 2001:db8:$i::1 encap ip6 src \
		    2001:db8:$A::2 dst 2001:db8:$A::1 via 2001:db8:$i::1 \
		    dev bareudp$i
    done
    ip netns exec A ping 2001:db8:7::2

Splat looks like:
[   66.436679][    C2] skbuff: skb_under_panic: text:ffffffff928614c8 len:454 put:14 head:ffff88810abb4000 data:ffff88810abb3ffa tail:0x1c0 end:0x3ec0 dev:veth0
[   66.441626][    C2] ------------[ cut here ]------------
[   66.443458][    C2] kernel BUG at net/core/skbuff.c:109!
[   66.445313][    C2] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[   66.447606][    C2] CPU: 2 PID: 913 Comm: ping Not tainted 5.10.0+ #819
[   66.450251][    C2] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   66.453713][    C2] RIP: 0010:skb_panic+0x15d/0x15f
[   66.455345][    C2] Code: 98 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 60 8b 78 93 41 57 41 56 41 55 48 8b 54 24 20 48 8b 74 24 28 e8 b5 40 f9 ff <0f> 0b 48 8b 6c 24 20 89 34 24 e8 08 c9 98 fe 8b 34 24 48 c7 c1 80
[   66.462314][    C2] RSP: 0018:ffff888119209648 EFLAGS: 00010286
[   66.464281][    C2] RAX: 0000000000000089 RBX: ffff888003159000 RCX: 0000000000000000
[   66.467216][    C2] RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed10232412c0
[   66.469768][    C2] RBP: ffff88810a53d440 R08: ffffed102328018d R09: ffffed102328018d
[   66.472297][    C2] R10: ffff888119400c67 R11: ffffed102328018c R12: 000000000000000e
[   66.474833][    C2] R13: ffff88810abb3ffa R14: 00000000000001c0 R15: 0000000000003ec0
[   66.477361][    C2] FS:  00007f37c0c72f00(0000) GS:ffff888119200000(0000) knlGS:0000000000000000
[   66.480214][    C2] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   66.482296][    C2] CR2: 000055a058808570 CR3: 000000011039e002 CR4: 00000000003706e0
[   66.484811][    C2] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   66.487793][    C2] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   66.490424][    C2] Call Trace:
[   66.491469][    C2]  <IRQ>
[   66.492374][    C2]  ? eth_header+0x28/0x190
[   66.494054][    C2]  ? eth_header+0x28/0x190
[   66.495401][    C2]  skb_push.cold.99+0x22/0x22
[   66.496700][    C2]  eth_header+0x28/0x190
[   66.497867][    C2]  neigh_resolve_output+0x3de/0x720
[   66.499615][    C2]  ? __neigh_update+0x7e8/0x20a0
[   66.501176][    C2]  __neigh_update+0x8bd/0x20a0
[   66.502749][    C2]  ndisc_update+0x34/0xc0
[   66.504010][    C2]  ndisc_recv_na+0x8da/0xb80
[   66.505041][    C2]  ? pndisc_redo+0x20/0x20
[   66.505888][    C2]  ? rcu_read_lock_sched_held+0xc0/0xc0
[   66.506965][    C2]  ndisc_rcv+0x3a0/0x470
[   66.507797][    C2]  icmpv6_rcv+0xad9/0x1b00
[   66.508645][    C2]  ip6_protocol_deliver_rcu+0xcd6/0x1560
[   66.509719][    C2]  ip6_input_finish+0x5b/0xf0
[   66.510615][    C2]  ip6_input+0xcd/0x2d0
[   66.511406][    C2]  ? ip6_input_finish+0xf0/0xf0
[   66.512327][    C2]  ? rcu_read_lock_held+0x91/0xa0
[   66.513279][    C2]  ? ip6_protocol_deliver_rcu+0x1560/0x1560
[   66.514414][    C2]  ipv6_rcv+0xe8/0x300
[ ... ]

Acked-by: Guillaume Nault <gnault@redhat.com>
Fixes: 571912c69f ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Link: https://lore.kernel.org/r/20201228152146.24270-1-ap420073@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-04 13:13:04 -08:00
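
Added example (not part of the commit or the kernel tree): a small triage helper that parses the `skb_under_panic` line shown in the splat above and reports how many bytes of headroom were missing. Handling `skb_over_panic` with the same field layout is a generalization beyond what the page shows; the function and field names are chosen here for illustration.

```python
import re

# Field layout of the skb_panic() message as it appears in the splat above.
SKB_PANIC = re.compile(
    r"skbuff: (?P<kind>skb_(?:under|over)_panic): text:(?P<text>[0-9a-f]+) "
    r"len:(?P<len>\d+) put:(?P<put>\d+) head:(?P<head>[0-9a-f]+) "
    r"data:(?P<data>[0-9a-f]+) tail:(?P<tail>0x[0-9a-f]+) "
    r"end:(?P<end>0x[0-9a-f]+) dev:(?P<dev>\S+)"
)

# Line copied from the splat in the commit message.
SPLAT_LINE = (
    "[   66.436679][    C2] skbuff: skb_under_panic: text:ffffffff928614c8 "
    "len:454 put:14 head:ffff88810abb4000 data:ffff88810abb3ffa tail:0x1c0 "
    "end:0x3ec0 dev:veth0"
)


def triage(line):
    """Return a summary dict for an skb panic line, or None if it is not one."""
    m = SKB_PANIC.search(line)
    if m is None:
        return None
    head, data = int(m["head"], 16), int(m["data"], 16)
    tail, end = int(m["tail"], 16), int(m["end"], 16)
    put = int(m["put"])
    if m["kind"] == "skb_under_panic":
        # skb_push() already moved data, so data sits below head by the shortfall.
        shortfall = head - data
    else:
        # skb_put() already moved tail, so tail sits past end by the shortfall.
        shortfall = tail - end
    return {
        "kind": m["kind"],
        "dev": m["dev"],
        "requested": put,               # bytes the failing push/put asked for
        "shortfall": shortfall,         # bytes outside the buffer
        "available": put - shortfall,   # room that was left before the call
    }


if __name__ == "__main__":
    print(triage(SPLAT_LINE))
```

For the line above this reports a 14-byte push (the Ethernet header added by `eth_header()` in the call trace) with only 8 bytes of headroom left, a 6-byte under-run on `veth0`.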
appletalk
arcnet
bonding Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-12-11 22:29:38 -08:00
caif
can can: m_can: use struct m_can_classdev as drvdata 2020-12-14 14:24:17 +01:00
dsa net: dsa: qca: ar9331: fix sleeping function called from invalid context bug 2020-12-16 10:57:35 -08:00
ethernet atlantic: remove architecture depends 2020-12-28 15:04:25 -08:00
fddi
fjes
hamradio
hippi
hyperv Networking fixes for 5.11-rc1. 2020-12-17 13:45:24 -08:00
ieee802154
ipa net: ipa: don't return a value from evt_ring_command() 2020-12-28 14:13:22 -08:00
ipvlan net: don't include ethtool.h from netdevice.h 2020-11-23 17:27:04 -08:00
mdio
netdevsim Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-12-11 22:29:38 -08:00
pcs
phy net: sfp: relax bitrate-derived mode check 2020-12-09 19:38:10 -08:00
plip
ppp ppp: add PPPIOCBRIDGECHAN and PPPIOCUNBRIDGECHAN ioctls 2020-12-10 13:57:36 -08:00
slip
team net: don't include ethtool.h from netdevice.h 2020-11-23 17:27:04 -08:00
usb CDC-NCM: remove "connected" log message 2020-12-28 13:23:28 -08:00
vmxnet3
wan net: hdlc_ppp: Fix issues when mod_timer is called while timer is running 2020-12-28 15:09:04 -08:00
wireguard selinux/stable-5.11 PR 20201214 2020-12-16 11:01:04 -08:00
wireless wireless-drivers fixes for v5.11 2020-12-22 19:43:33 -08:00
xen-netback xen/xenbus: Add 'will_handle' callback support in xenbus_watch_path() 2020-12-14 10:04:18 +01:00
bareudp.c bareudp: Fix use of incorrect min_headroom size 2021-01-04 13:13:04 -08:00
dummy.c
eql.c
geneve.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-12-11 22:29:38 -08:00
gtp.c
ifb.c
Kconfig net: fix spelling mistake "wil" -> "will" in Kconfig 2020-12-05 15:17:19 -08:00
LICENSE.SRC
loopback.c
macsec.c
macvlan.c macvlan: Support for high multicast packet rate 2020-12-03 08:21:29 -08:00
macvtap.c
Makefile
mdio.c
mhi_net.c net: mhi: Fix unexpected queue wake 2020-12-14 17:25:56 -08:00
mii.c
net_failover.c
netconsole.c
nlmon.c net: don't include ethtool.h from netdevice.h 2020-11-23 17:27:04 -08:00
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c
thunderbolt.c USB / Thunderbolt patches for 5.11-rc1 2020-12-15 13:54:56 -08:00
tun.c tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS 2020-12-28 13:34:36 -08:00
veth.c Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2020-12-04 07:48:12 -08:00
virtio_net.c virtio_net: Fix recursive call to cpus_read_lock() 2020-12-23 09:11:13 -08:00
vrf.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-12-11 22:29:38 -08:00
vsockmon.c net: don't include ethtool.h from netdevice.h 2020-11-23 17:27:04 -08:00
vxlan.c vxlan: avoid double unlikely() notation when using IS_ERR() 2020-12-10 12:43:29 -08:00
xen-netfront.c xsk: Propagate napi_id to XDP socket Rx path 2020-12-01 00:09:25 +01:00