superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/drivers
History
Eric Dumazet 1ca1ba465e geneve: make sure to pull inner header in geneve_rx() 
syzbot triggered a bug in geneve_rx() [1]

Issue is similar to the one I fixed in commit 8d975c15c0
("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")

We have to save skb->network_header in a temporary variable
in order to be able to recompute the network_header pointer
after a pskb_inet_may_pull() call.

pskb_inet_may_pull() makes sure the needed headers are in skb->head.

[1]
BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
 BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
 BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
  geneve_rx drivers/net/geneve.c:279 [inline]
  geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
  udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
  udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
  udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
  __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
  udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
  dst_input include/net/dst.h:461 [inline]
  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
  process_backlog+0x480/0x8b0 net/core/dev.c:5976
  __napi_poll+0xe3/0x980 net/core/dev.c:6576
  napi_poll net/core/dev.c:6645 [inline]
  net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
  __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
  do_softirq+0x9a/0xf0 kernel/softirq.c:454
  __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
  local_bh_enable include/linux/bottom_half.h:33 [inline]
  rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
  __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
  dev_queue_xmit include/linux/netdevice.h:3171 [inline]
  packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
  packet_snd net/packet/af_packet.c:3081 [inline]
  packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg net/socket.c:745 [inline]
  __sys_sendto+0x735/0xa10 net/socket.c:2191
  __do_sys_sendto net/socket.c:2203 [inline]
  __se_sys_sendto net/socket.c:2199 [inline]
  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:3819 [inline]
  slab_alloc_node mm/slub.c:3860 [inline]
  kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
  __alloc_skb+0x352/0x790 net/core/skbuff.c:651
  alloc_skb include/linux/skbuff.h:1296 [inline]
  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
  packet_alloc_skb net/packet/af_packet.c:2930 [inline]
  packet_snd net/packet/af_packet.c:3024 [inline]
  packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg net/socket.c:745 [inline]
  __sys_sendto+0x735/0xa10 net/socket.c:2191
  __do_sys_sendto net/socket.c:2203 [inline]
  __se_sys_sendto net/socket.c:2199 [inline]
  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fixes: 2d07dc79fe ("geneve: add initial netdev driver for GENEVE tunnels")
Reported-and-tested-by: syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
 		2024-03-04 09:59:33 +00:00
..
accel accel/ivpu: Don't enable any tiles by default on VPU40xx 2024-02-20 16:56:21 +01:00
accessibility
acpi ACPI fix for 6.8-rc7 2024-02-28 12:20:00 -08:00
amba
android binder: signal epoll threads of self-work 2024-01-31 14:08:28 -08:00
ata ata: libata-core: Do not call ata_dev_power_set_standby() twice 2024-02-21 19:09:17 +01:00
atm atm: idt77252: fix a memleak in open_card_ubr0 2024-02-03 12:46:13 +00:00
auxdisplay drm-next for 6.8: 2024-01-12 11:32:19 -08:00
base Driver core fixes for 6.8-rc5 2024-02-17 08:56:41 -08:00
bcma
block block-6.8-2024-02-10 2024-02-10 08:02:48 -08:00
bluetooth Bluetooth: qca: Fix triggering coredump implementation 2024-02-28 09:50:51 -05:00
bus bus: imx-weim: fix valid range check 2024-02-06 14:10:47 +08:00
cache cache: ax45mp_cache: Align end size to cache boundary in ax45mp_dma_cache_wback() 2024-02-21 16:24:10 +00:00
cdrom
cdx cdx: Unlock on error path in rescan_store() 2024-01-04 17:01:14 +01:00
char TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
clk clk: samsung: clk-gs101: comply with the new dt cmu_misc clock names 2024-01-22 11:40:12 +01:00
clocksource
comedi
connector connector/cn_proc: revert "connector: Fix proc_event_num_listeners count not cleared" 2024-02-13 11:15:44 +01:00
counter
cpufreq cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf call back 2024-02-24 15:01:59 +01:00
cpuidle
crypto crypto: virtio/akcipher - Fix stack overflow on memcpy 2024-02-09 12:55:53 +08:00
cxl cxl/acpi: Fix load failures due to single window creation failure 2024-02-20 22:58:05 -08:00
dax New code for 6.8: 2024-01-10 08:45:22 -08:00
dca
devfreq
dio
dma dmaengine: at_hdmac: add missing kernel-doc style description 2024-02-02 17:16:55 +01:00
dma-buf dma-buf: heaps: Don't track CMA dma-buf pages under RssFile 2024-01-31 19:54:58 +05:30
dpll dpll: fix build failure due to rcu_dereference_check() on unknown type 2024-02-29 12:18:37 -08:00
edac Driver core changes for 6.8-rc1 2024-01-18 09:48:40 -08:00
eisa
extcon
firewire firewire: core: send bus reset promptly on gap count error 2024-02-07 08:20:02 +09:00
firmware Microchip firmware driver fixes for v6.8-rc6 2024-02-23 13:53:44 +01:00
fpga Char/Misc and other Driver changes for 6.8-rc1 2024-01-17 16:47:17 -08:00
fsi
gnss TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
gpio gpiolib: Handle no pin_ranges in gpiochip_generic_config() 2024-02-20 12:49:14 +01:00
gpu drm fixes for 6.8-rc6 2024-02-23 09:17:47 -08:00
greybus TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
hid HID: wacom: generic: Avoid reporting a serial of '0' to userspace 2024-02-13 11:40:23 +01:00
hsi
hte
hv
hwmon hwmon: (nct6775) Fix access to temperature configuration registers 2024-02-21 13:56:33 -08:00
hwspinlock
hwtracing
i2c i2c: imx: when being a target, mark the last read as processed 2024-02-23 23:39:35 +01:00
i3c i3c: master: cdns: Update maximum prescaler value for i2c clock 2024-01-08 00:51:36 +01:00
idle Power management updates for 6.8-rc1 2024-01-09 16:32:11 -08:00
iio iio: adc: ad4130: only set GPIO_CTRL if pin is unused 2024-02-10 16:52:39 +00:00
infiniband RDMA/srpt: fix function pointer cast warnings 2024-02-14 11:15:54 +02:00
input Input updates for v6.8-rc2 2024-02-02 12:52:44 -08:00
interconnect interconnect: qcom: x1e80100: Add missing ACV enable_mask 2024-02-04 23:36:06 +02:00
iommu IOMMU Fixes for Linux v6.8-rc5 2024-02-24 15:59:26 -08:00
ipack TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
irqchip irqchip/gic-v3-its: Do not assume vPE tables are preallocated 2024-02-21 21:11:20 +01:00
isdn
leds - New Drivers 2024-01-17 15:25:27 -08:00
macintosh
mailbox mediatek: add CMDQ support for mt8188 2024-01-17 15:39:32 -08:00
mcb
md - Fix DM integrity and verity targets to not use excessive stack when 2024-02-24 09:55:29 -08:00
media media: pwm-ir-tx: Depend on CONFIG_HIGH_RES_TIMERS 2024-02-01 13:49:39 +01:00
memory IOMMU Updates for Linux v6.8 2024-01-18 15:16:57 -08:00
memstick
message
mfd TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
misc misc: open-dice: Fix spurious lockdep warning 2024-01-30 16:20:54 -08:00
mmc mmc: slot-gpio: Allow non-sleeping GPIO ro 2024-02-06 12:35:44 +01:00
most
mtd mtd: rawnand: marvell: fix layouts 2024-02-05 16:16:24 +01:00
mux mux: mmio: use reg property when parent device is not a syscon 2024-01-04 17:01:14 +01:00
net geneve: make sure to pull inner header in geneve_rx() 2024-03-04 09:59:33 +00:00
nfc
ntb
nubus nubus: Make nubus_bus_type static and constant 2024-01-03 13:33:59 +01:00
nvdimm virtio: features, fixes 2024-01-18 16:44:03 -08:00
nvme nvmet: remove superfluous initialization 2024-02-13 15:42:44 -08:00
nvmem nvmem: include bit index in cell sysfs file name 2024-02-14 16:28:16 +01:00
of Devicetree fixes for v6.8: 2024-02-15 10:19:55 -08:00
opp OPP: Rename 'rate_clk_single' 2024-01-05 15:55:41 +05:30
parisc parisc/power: Fix power soft-off button emulation on qemu 2024-01-07 22:59:16 +01:00
parport
pci PCI/MSI: Prevent MSI hardware interrupt number truncation 2024-02-19 16:11:01 +01:00
pcmcia
peci
perf perf: CXL: fix CPMU filter value mask length 2024-02-20 12:04:07 +00:00
phy phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP 2024-01-30 22:41:11 +05:30
pinctrl pinctrl: amd: Add IRQF_ONESHOT to the interrupt request 2024-01-31 10:06:07 +01:00
platform platform/x86: thinkpad_acpi: Only update profile if successfully converted 2024-02-20 14:35:36 +01:00
pmdomain pmdomain: mediatek: fix race conditions with genpd 2024-01-23 13:19:15 +01:00
pnp More ACPI updates for 6.8-rc1 2024-01-17 14:37:40 -08:00
power Revert "power: supply: qcom_battmgr: Register the power supplies after PDR is up" 2024-01-26 22:45:58 +01:00
powercap
pps
ps3
ptp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-01-04 18:06:46 -08:00
pwm pwm: jz4740: Don't use dev_err_probe() in .request() 2024-01-12 18:25:05 +01:00
rapidio
ras
regulator regulator: max5970: Fix regulator child node name 2024-02-13 15:38:23 +00:00
remoteproc
reset SoC: driver updates for 6.8 2024-01-11 11:31:46 -08:00
rpmsg
rtc rtc: nuvoton: Compatible with NCT3015Y-R and NCT3018Y-R 2024-01-18 01:05:33 +01:00
s390 s390 fixes for 6.8-rc6 2024-02-23 09:54:13 -08:00
sbus
scsi scsi: jazz_esp: Only build if SCSI core is builtin 2024-02-15 15:34:47 -05:00
sh maple: make maple_bus_type static and const 2024-01-04 14:37:17 +01:00
siox
slimbus
soc RISC-V SoC driver fixes for v6.8-rc6 2024-02-23 13:53:54 +01:00
soundwire soundwire updates for 6.7 2024-01-18 17:08:31 -08:00
spi spi: Drop mismerged fix 2024-02-27 12:52:51 +00:00
spmi
ssb
staging Char/Misc changes for 6.8-rc5 2024-02-17 08:52:38 -08:00
target scsi: target: pscsi: Fix bio_put() for error case 2024-02-15 14:44:07 -05:00
tc
tee Another moderately busy cycle for documentation, including: 2024-01-11 19:46:52 -08:00
thermal thermal: intel: powerclamp: Remove dead code for target mwait value 2024-01-22 11:59:22 +01:00
thunderbolt thunderbolt: Fix setting the CNS bit in ROUTER_CS_5 2024-01-29 09:48:40 +02:00
tty serial: amba-pl011: Fix DMA transmission in RS485 mode 2024-02-19 09:43:37 +01:00
ufs scsi: ufs: Uninitialized variable in ufshcd_devfreq_target() 2024-02-15 14:46:13 -05:00
uio uio: Fix use-after-free in uio_open 2024-01-04 17:03:47 +01:00
usb USB fixes for 6.8-rc6 2024-02-25 10:41:57 -08:00
vdpa virtio: features, fixes 2024-01-18 16:44:03 -08:00
vfio VFIO updates for v6.8-rc1 2024-01-18 15:57:25 -08:00
vhost virtio: features, fixes 2024-01-18 16:44:03 -08:00
video fbdev: stifb: Fix crash in stifb_blank() 2024-01-23 09:13:24 +01:00
virt Char/Misc and other Driver changes for 6.8-rc1 2024-01-17 16:47:17 -08:00
virtio virtio: features, fixes 2024-01-18 16:44:03 -08:00
w1
watchdog linux-watchdog 6.8-rc1 tag 2024-01-12 13:32:30 -08:00
xen xen/events: close evtchn after mapping cleanup 2024-02-13 10:12:47 +01:00
zorro
Kconfig
Makefile fbdev/intelfb: Remove driver 2024-01-12 12:38:37 +01:00