mirror-linux

History

Eric Dumazet e67c577d89 ipv4: ip_gre: make ipgre_header() robust Analog to commit `db5b4e39c4` ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ipgre device. [1] skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 kernel BUG at net/core/skbuff.c:213 ! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 Call Trace: <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Fixes: `c544193214` ("GRE: Refactor GRE tunneling code.") Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com Closes: https://www.spinics.net/lists/netdev/msg1147302.html Signed-off-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>		2026-01-10 12:06:22 -08:00
..
netfilter	netfilter: nf_reject: don't reply to icmp error messages	2025-09-11 15:40:55 +02:00
Kconfig	tcp: Convert tcp-md5 to use MD5 library instead of crypto_ahash	2025-10-17 17:14:54 -07:00
Makefile	…
af_inet.c	net: factor-out _sk_charge() helper	2025-11-24 19:49:40 -08:00
ah4.c	…
arp.c	arp: do not assume dev_hard_header() does not change skb->head	2026-01-08 09:04:24 -08:00
bpf_tcp_ca.c	tcp: Pass flags to __tcp_send_ack	2025-03-17 13:56:38 +00:00
cipso_ipv4.c	ipv4: icmp: Pass IPv4 control block structure as an argument to __icmp_send()	2025-09-11 12:22:38 +02:00
datagram.c	net: Convert proto callbacks from sockaddr to sockaddr_unsized	2025-11-04 19:10:33 -08:00
devinet.c	ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()	2025-09-03 16:58:44 -07:00
esp4.c	tcp: Don't pass hashinfo to socket lookup helpers.	2025-08-25 17:53:35 -07:00
esp4_offload.c	xfrm: Determine inner GSO type from packet inner protocol	2025-10-30 11:52:31 +01:00
fib_frontend.c	ipv4: Convert ->flowi4_tos to dscp_t.	2025-08-26 17:34:31 -07:00
fib_lookup.h	…
fib_notifier.c	net: do not acquire rtnl in fib_seq_sum()	2024-10-11 15:35:05 -07:00
fib_rules.c	ipv4: Convert ->flowi4_tos to dscp_t.	2025-08-26 17:34:31 -07:00
fib_semantics.c	net: fib: restore ECMP balance from loopback	2025-12-30 11:07:38 +01:00
fib_trie.c	ipv4: Fix reference count leak when using error routes with nexthop objects	2025-12-30 10:39:22 +01:00
fou_bpf.c	…
fou_core.c	net: gro: remove is_ipv6 from napi_gro_cb	2025-09-25 12:42:49 +02:00
fou_nl.c	tools: ynl-gen: add regeneration comment	2025-11-25 19:20:42 -08:00
fou_nl.h	tools: ynl-gen: add regeneration comment	2025-11-25 19:20:42 -08:00
gre_demux.c	net: ip_gre: Fix spelling mistake "demultiplexor" -> "demultiplexer"	2025-04-24 18:20:40 -07:00
gre_offload.c	…
icmp.c	ipv4: icmp: Add RFC 5837 support	2025-10-29 18:28:29 -07:00
igmp.c	ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu]	2025-07-02 14:32:30 -07:00
igmp_internal.h	netlink: support dumping IPv4 multicast addresses	2025-02-11 11:26:53 +01:00
inet_connection_sock.c	tcp: remove icsk->icsk_retransmit_timer	2025-11-25 19:28:29 -08:00
inet_diag.c	tcp: introduce icsk->icsk_keepalive_timer	2025-11-25 19:28:29 -08:00
inet_fragment.c	inet: frags: drop fraglist conntrack references	2026-01-04 10:58:04 -08:00
inet_hashtables.c	inet: Avoid ehash lookup race in inet_ehash_insert()	2025-10-17 16:08:43 -07:00
inet_timewait_sock.c	inet: Avoid ehash lookup race in inet_twsk_hashdance_schedule()	2025-10-17 16:08:43 -07:00
inetpeer.c	inetpeer: use EXPORT_IPV6_MOD[_GPL]()	2025-02-14 13:09:39 -08:00
ip_forward.c	…
ip_fragment.c	inet: frags: flush pending skbs in fqdir_pre_exit()	2025-12-10 01:15:27 -08:00
ip_gre.c	ipv4: ip_gre: make ipgre_header() robust	2026-01-10 12:06:22 -08:00
ip_input.c	net: ipv4: Remove extern udp_v4_early_demux()/tcp_v4_early_demux() in .c files	2025-10-29 17:05:30 -07:00
ip_options.c	net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input callers	2025-08-19 17:54:35 -07:00
ip_output.c	net: psp: don't assume reply skbs will have a socket	2025-10-03 10:23:50 -07:00
ip_sockglue.c	Networking changes for 6.14.	2025-01-22 08:28:57 -08:00
ip_tunnel.c	ipv4: ip_tunnel: spread netdev_lockdep_set_classes()	2026-01-08 18:02:35 -08:00
ip_tunnel_core.c	tunnels: reset the GSO metadata before reusing the skb	2025-09-09 13:03:33 +02:00
ip_vti.c	ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu]	2025-07-02 14:32:30 -07:00
ipcomp.c	xfrm: delete x->tunnel as we delete x	2025-07-08 13:28:27 +02:00
ipconfig.c	net: ipconfig: Replace strncpy with strscpy in ic_proto_name	2025-11-28 20:19:16 -08:00
ipip.c	netfilter: flowtable: Add IPIP rx sw acceleration	2025-11-28 00:00:38 +00:00
ipmr.c	ipv4: start using dst_dev_rcu()	2025-08-29 19:36:32 -07:00
ipmr_base.c	ipmr: do not call mr_mfc_uses_dev() for unres entries	2025-01-23 07:08:13 -08:00
metrics.c	…
netfilter.c	ipv4: Convert ->flowi4_tos to dscp_t.	2025-08-26 17:34:31 -07:00
netlink.c	…
nexthop.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2025-09-25 11:00:59 -07:00
ping.c	inet: ping: Fix icmp out counting	2026-01-04 09:48:53 -08:00
proc.c	ipv4: snmp: do not use SNMP_MIB_SENTINEL anymore	2025-09-08 18:06:20 -07:00
protocol.c	…
raw.c	net: Convert proto callbacks from sockaddr to sockaddr_unsized	2025-11-04 19:10:33 -08:00
raw_diag.c	inet_diag: change inet_diag_bc_sk() first argument	2025-08-29 19:29:24 -07:00
route.c	ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe	2025-11-12 06:46:36 -08:00
syncookies.c	tcp: accecn: AccECN negotiation	2025-09-18 08:47:51 +02:00
sysctl_net_ipv4.c	tcp: add net.ipv4.tcp_rcvbuf_low_rtt	2025-11-20 17:44:23 -08:00
tcp.c	net: do not write to msg_get_inq in callee	2026-01-08 08:45:13 -08:00
tcp_ao.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2025-09-18 11:26:06 -07:00
tcp_bbr.c	…
tcp_bic.c	…
tcp_bpf.c	tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.	2025-09-10 06:53:56 -07:00
tcp_cdg.c	tcp: cdg: remove redundant __GFP_NOWARN	2025-08-12 14:05:43 -07:00
tcp_cong.c	tcp: only release congestion control if it has been initialized	2024-10-31 18:22:48 -07:00
tcp_cubic.c	tcp_cubic: fix incorrect HyStart round start detection	2025-01-20 12:26:41 +00:00
tcp_dctcp.c	tcp: helpers for ECN mode handling	2025-03-17 13:54:11 +00:00
tcp_dctcp.h	tcp: Pass flags to __tcp_send_ack	2025-03-17 13:56:38 +00:00
tcp_diag.c	inet_diag: change inet_diag_bc_sk() first argument	2025-08-29 19:29:24 -07:00
tcp_fastopen.c	tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()	2025-08-29 19:36:32 -07:00
tcp_highspeed.c	…
tcp_htcp.c	…
tcp_hybla.c	…
tcp_illinois.c	…
tcp_input.c	tcp: add net.ipv4.tcp_rcvbuf_low_rtt	2025-11-20 17:44:23 -08:00
tcp_ipv4.c	tcp: introduce icsk->icsk_keepalive_timer	2025-11-25 19:28:29 -08:00
tcp_lp.c	net: tcp_lp: fix kernel-doc warnings and update outdated reference links	2025-10-28 17:52:44 -07:00
tcp_metrics.c	Networking changes for 6.18.	2025-10-02 15:17:01 -07:00
tcp_minisocks.c	tcp: Don't reinitialise tw->tw_transparent in tcp_time_wait().	2025-11-18 18:00:38 -08:00
tcp_nv.c	…
tcp_offload.c	tcp: gro: inline tcp_gro_pull_header()	2025-11-14 18:00:08 -08:00
tcp_output.c	net/smc: bpf: Introduce generic hook for handshake flow	2025-11-10 11:19:41 -08:00
tcp_plb.c	…
tcp_rate.c	…
tcp_recovery.c	tcp: update the outdated ref draft-ietf-tcpm-rack	2025-07-08 09:01:52 -07:00
tcp_scalable.c	…
tcp_sigpool.c	…
tcp_timer.c	tcp: remove icsk->icsk_retransmit_timer	2025-11-25 19:28:29 -08:00
tcp_ulp.c	…
tcp_vegas.c	…
tcp_vegas.h	…
tcp_veno.c	…
tcp_westwood.c	…
tcp_yeah.c	…
tunnel4.c	…
udp.c	udp: call skb_orphan() before skb_attempt_defer_free()	2026-01-06 17:05:17 -08:00
udp_bpf.c	…
udp_diag.c	inet_diag: change inet_diag_bc_sk() first argument	2025-08-29 19:29:24 -07:00
udp_impl.h	udp: move udp_memory_allocated into net_aligned_data	2025-07-02 14:22:02 -07:00
udp_offload.c	net: gro: remove is_ipv6 from napi_gro_cb	2025-09-25 12:42:49 +02:00
udp_tunnel_core.c	net: Convert proto_ops connect() callbacks to use sockaddr_unsized	2025-11-04 19:10:32 -08:00
udp_tunnel_nic.c	udp_tunnel: use netdev_warn() instead of netdev_WARN()	2025-09-11 19:09:48 -07:00
udp_tunnel_stub.c	…
udplite.c	udp: move udp_memory_allocated into net_aligned_data	2025-07-02 14:22:02 -07:00
xfrm4_input.c	xfrm: Set transport header to fix UDP GRO handling	2025-07-02 09:19:56 +02:00
xfrm4_output.c	ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu]	2025-07-02 14:32:30 -07:00
xfrm4_policy.c	ipv4: Convert ->flowi4_tos to dscp_t.	2025-08-26 17:34:31 -07:00
xfrm4_protocol.c	ipv4: Convert ip_route_input_noref() to dscp_t.	2024-10-03 16:21:21 -07:00
xfrm4_state.c	…
xfrm4_tunnel.c	…