forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/net/core
History
Eric Dumazet 220e80d937 net: increment xmit_recursion level in dev_direct_xmit() 
[ Upstream commit 0ad6f6e767 ]

Back in commit f60e5990d9 ("ipv6: protect skb->sk accesses
from recursive dereference inside the stack") Hannes added code
so that IPv6 stack would not trust skb->sk for typical cases
where packet goes through 'standard' xmit path (__dev_queue_xmit())

Alas af_packet had a dev_direct_xmit() path that was not
dealing yet with xmit_recursion level.

Also change sk_mc_loop() to dump a stack once only.

Without this patch, syzbot was able to trigger :

[1]
[  153.567378] WARNING: CPU: 7 PID: 11273 at net/core/sock.c:721 sk_mc_loop+0x51/0x70
[  153.567378] Modules linked in: nfnetlink ip6table_raw ip6table_filter iptable_raw iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 nf_defrag_ipv6 iptable_filter macsec macvtap tap macvlan 8021q hsr wireguard libblake2s blake2s_x86_64 libblake2s_generic udp_tunnel ip6_udp_tunnel libchacha20poly1305 poly1305_x86_64 chacha_x86_64 libchacha curve25519_x86_64 libcurve25519_generic netdevsim batman_adv dummy team bridge stp llc w1_therm wire i2c_mux_pca954x i2c_mux cdc_acm ehci_pci ehci_hcd mlx4_en mlx4_ib ib_uverbs ib_core mlx4_core
[  153.567386] CPU: 7 PID: 11273 Comm: b159172088 Not tainted 5.8.0-smp-DEV #273
[  153.567387] RIP: 0010:sk_mc_loop+0x51/0x70
[  153.567388] Code: 66 83 f8 0a 75 24 0f b6 4f 12 b8 01 00 00 00 31 d2 d3 e0 a9 bf ef ff ff 74 07 48 8b 97 f0 02 00 00 0f b6 42 3a 83 e0 01 5d c3 <0f> 0b b8 01 00 00 00 5d c3 0f b6 87 18 03 00 00 5d c0 e8 04 83 e0
[  153.567388] RSP: 0018:ffff95c69bb93990 EFLAGS: 00010212
[  153.567388] RAX: 0000000000000011 RBX: ffff95c6e0ee3e00 RCX: 0000000000000007
[  153.567389] RDX: ffff95c69ae50000 RSI: ffff95c6c30c3000 RDI: ffff95c6c30c3000
[  153.567389] RBP: ffff95c69bb93990 R08: ffff95c69a77f000 R09: 0000000000000008
[  153.567389] R10: 0000000000000040 R11: 00003e0e00026128 R12: ffff95c6c30c3000
[  153.567390] R13: ffff95c6cc4fd500 R14: ffff95c6f84500c0 R15: ffff95c69aa13c00
[  153.567390] FS:  00007fdc3a283700(0000) GS:ffff95c6ff9c0000(0000) knlGS:0000000000000000
[  153.567390] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  153.567391] CR2: 00007ffee758e890 CR3: 0000001f9ba20003 CR4: 00000000001606e0
[  153.567391] Call Trace:
[  153.567391]  ip6_finish_output2+0x34e/0x550
[  153.567391]  __ip6_finish_output+0xe7/0x110
[  153.567391]  ip6_finish_output+0x2d/0xb0
[  153.567392]  ip6_output+0x77/0x120
[  153.567392]  ? __ip6_finish_output+0x110/0x110
[  153.567392]  ip6_local_out+0x3d/0x50
[  153.567392]  ipvlan_queue_xmit+0x56c/0x5e0
[  153.567393]  ? ksize+0x19/0x30
[  153.567393]  ipvlan_start_xmit+0x18/0x50
[  153.567393]  dev_direct_xmit+0xf3/0x1c0
[  153.567393]  packet_direct_xmit+0x69/0xa0
[  153.567394]  packet_sendmsg+0xbf0/0x19b0
[  153.567394]  ? plist_del+0x62/0xb0
[  153.567394]  sock_sendmsg+0x65/0x70
[  153.567394]  sock_write_iter+0x93/0xf0
[  153.567394]  new_sync_write+0x18e/0x1a0
[  153.567395]  __vfs_write+0x29/0x40
[  153.567395]  vfs_write+0xb9/0x1b0
[  153.567395]  ksys_write+0xb1/0xe0
[  153.567395]  __x64_sys_write+0x1a/0x20
[  153.567395]  do_syscall_64+0x43/0x70
[  153.567396]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  153.567396] RIP: 0033:0x453549
[  153.567396] Code: Bad RIP value.
[  153.567396] RSP: 002b:00007fdc3a282cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  153.567397] RAX: ffffffffffffffda RBX: 00000000004d32d0 RCX: 0000000000453549
[  153.567397] RDX: 0000000000000020 RSI: 0000000020000300 RDI: 0000000000000003
[  153.567398] RBP: 00000000004d32d8 R08: 0000000000000000 R09: 0000000000000000
[  153.567398] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d32dc
[  153.567398] R13: 00007ffee742260f R14: 00007fdc3a282dc0 R15: 00007fdc3a283700
[  153.567399] ---[ end trace c1d5ae2b1059ec62 ]---

f60e5990d9 ("ipv6: protect skb->sk accesses from recursive dereference inside the stack")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-30 23:17:04 -04:00
..
datagram.c net: add READ_ONCE() annotation in __skb_wait_for_more_packets() 2019-11-10 11:27:49 +01:00
dev.c net: increment xmit_recursion level in dev_direct_xmit() 2020-06-30 23:17:04 -04:00
dev_addr_lists.c net: change the comment of dev_mc_init 2018-04-19 12:58:20 -04:00
dev_ioctl.c net: remove redundant input checks in SIOCSIFTXQLEN case of dev_ifsioc 2018-07-24 11:36:15 -07:00
devlink.c devlink: validate length of region addr/len 2020-03-18 07:14:18 +01:00
drop_monitor.c drop_monitor: work around gcc-10 stringop-overflow warning 2020-05-20 08:18:33 +02:00
dst.c netfilter: nf_tables: add tunnel support 2018-08-03 21:12:12 +02:00
dst_cache.c net: core: dst_cache_set_ip6: Rename 'addr' parameter to 'saddr' for consistency 2018-03-05 12:52:45 -05:00
ethtool.c ethtool: reduce stack usage with clang 2020-01-17 19:46:55 +01:00
failover.c failover: allow name change on IFF_UP slave interfaces 2019-04-27 09:36:30 +02:00
fib_notifier.c net: Fix fib notifer to return errno 2018-03-29 14:10:30 -04:00
fib_rules.c net: fib_rules: Correctly set table field when table number exceeds 8 bits 2020-03-05 16:42:15 +01:00
filter.c net: place xmit recursion in softnet data 2020-06-30 23:17:04 -04:00
flow_dissector.c net: dsa: fix flow dissection on Tx path 2019-12-21 10:57:11 +01:00
gen_estimator.c net: core: protect rate estimator statistics pointer with lock 2018-08-11 12:37:10 -07:00
gen_stats.c net: sched: put back q.qlen into a single location 2019-03-10 07:17:16 +01:00
gro_cells.c gro_cells: make sure device is up in gro_cells_receive() 2019-03-19 13:12:38 +01:00
hwbm.c
link_watch.c
lwt_bpf.c bpf: in __bpf_redirect_no_mac pull mac only if present 2019-01-22 21:40:35 +01:00
lwtunnel.c
Makefile net: Introduce generic failover module 2018-05-28 22:59:54 -04:00
neighbour.c net: neigh: use long type to store jiffies delta 2020-01-27 14:51:21 +01:00
net-procfs.c proc: introduce proc_create_net{,_data} 2018-05-16 07:24:30 +02:00
net-sysfs.c net-sysfs: Call dev_hold always in rx_queue_add_kobject 2020-01-29 16:43:17 +01:00
net-sysfs.h
net-traces.c net/ipv6: Udate fib6_table_lookup tracepoint 2018-05-24 23:01:15 -04:00
net_namespace.c net/net_namespace: Check the return value of register_pernet_subsys() 2019-12-05 09:20:51 +01:00
netclassid_cgroup.c cgroup, netclassid: remove double cond_resched 2020-05-10 10:30:12 +02:00
netevent.c
netpoll.c net: fix skb use after free in netpoll 2019-09-10 10:33:38 +01:00
netprio_cgroup.c netprio_cgroup: Fix unlimited memory leak of v2 cgroups 2020-05-20 08:18:38 +02:00
page_pool.c net/page_pool: Fix inconsistent lock state warning 2018-07-19 23:23:01 -07:00
pktgen.c pktgen: do not sleep with the thread lock held. 2019-06-11 12:20:49 +02:00
ptp_classifier.c
request_sock.c
rtnetlink.c net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() 2020-01-29 16:43:16 +01:00
scm.c
secure_seq.c infiniband: i40iw, nes: don't use wall time for TCP sequence numbers 2018-07-11 12:10:19 -06:00
skbuff.c net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list 2019-09-19 09:09:30 +02:00
sock.c net: increment xmit_recursion level in dev_direct_xmit() 2020-06-30 23:17:04 -04:00
sock_diag.c net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() 2018-08-14 10:01:24 -07:00
sock_reuseport.c udp: correct reuseport selection with connected sockets 2019-09-21 07:16:43 +02:00
stream.c tcp: make sure EPOLLOUT wont be missed 2019-09-06 10:22:07 +02:00
sysctl_net_core.c net, sysctl: Fix compiler warning when only cBPF is present 2020-01-04 19:13:20 +01:00
timestamping.c
tso.c
utils.c net: Fix skb->csum update in inet_proto_csum_replace16(). 2020-02-05 14:43:53 +00:00
xdp.c net/xdp: Fix suspicious RCU usage warning 2018-08-16 21:55:21 +02:00