linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-24 03:15:59 +00:00

History

Sasha Neftin 488ea2a3e2 net/core: Fix ETH_P_1588 flow dissector [ Upstream commit `75ad80ed88` ] When a PTP ethernet raw frame with a size of more than 256 bytes followed by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation is wrong. For example: hdr->message_length takes the wrong value (0xffff) and it does not replicate real header length. In this case, 'nhoff' value was overridden and the PTP header was badly dissected. This leads to a kernel crash. net/core: flow_dissector net/core flow dissector nhoff = 0x0000000e net/core flow dissector hdr->message_length = 0x0000ffff net/core flow dissector nhoff = 0x0001000d (u16 overflow) ... skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Using the size of the ptp_header struct will allow the corrected calculation of the nhoff value. net/core flow dissector nhoff = 0x0000000e net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header) ... skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Kernel trace: [ 74.984279] ------------[ cut here ]------------ [ 74.989471] kernel BUG at include/linux/skbuff.h:2440! [ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1 [ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023 [ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130 [ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9 [ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297 [ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003 [ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300 [ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800 [ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010 [ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800 [ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000 [ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0 [ 75.121980] PKRU: 55555554 [ 75.125035] Call Trace: [ 75.127792] <IRQ> [ 75.130063] ? eth_get_headlen+0xa4/0xc0 [ 75.134472] igc_process_skb_fields+0xcd/0x150 [ 75.139461] igc_poll+0xc80/0x17b0 [ 75.143272] __napi_poll+0x27/0x170 [ 75.147192] net_rx_action+0x234/0x280 [ 75.151409] __do_softirq+0xef/0x2f4 [ 75.155424] irq_exit_rcu+0xc7/0x110 [ 75.159432] common_interrupt+0xb8/0xd0 [ 75.163748] </IRQ> [ 75.166112] <TASK> [ 75.168473] asm_common_interrupt+0x22/0x40 [ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350 [ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1 [ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202 [ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f [ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20 [ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001 [ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980 [ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000 [ 75.245635] ? cpuidle_enter_state+0xc7/0x350 [ 75.250518] cpuidle_enter+0x29/0x40 [ 75.254539] do_idle+0x1d9/0x260 [ 75.258166] cpu_startup_entry+0x19/0x20 [ 75.262582] secondary_startup_64_no_verify+0xc2/0xcb [ 75.268259] </TASK> [ 75.270721] Modules linked in: 8021q snd_sof_pci_intel_tgl snd_sof_intel_hda_common tpm_crb snd_soc_hdac_hda snd_sof_intel_hda snd_hda_ext_core snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core snd_compress iTCO_wdt ac97_bus intel_pmc_bxt mei_hdcp iTCO_vendor_support snd_hda_codec_hdmi pmt_telemetry intel_pmc_core pmt_class snd_hda_intel x86_pkg_temp_thermal snd_intel_dspcfg snd_hda_codec snd_hda_core kvm_intel snd_pcm snd_timer kvm snd mei_me soundcore tpm_tis irqbypass i2c_i801 mei tpm_tis_core pcspkr intel_rapl_msr tpm i2c_smbus intel_pmt thermal sch_fq_codel uio uhid i915 drm_buddy video drm_display_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm fuse configfs [ 75.342736] ---[ end trace 3785f9f360400e3a ]--- [ 75.347913] RIP: 0010:eth_type_trans+0xd0/0x130 [ 75.352984] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9 [ 75.373994] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297 [ 75.379860] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003 [ 75.387856] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300 [ 75.395864] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800 [ 75.403857] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010 [ 75.411863] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800 [ 75.419875] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000 [ 75.428946] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.435403] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0 [ 75.443410] PKRU: 55555554 [ 75.446477] Kernel panic - not syncing: Fatal exception in interrupt [ 75.453738] Kernel Offset: 0x11c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 75.465794] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- Fixes: `4f1cc51f34` ("net: flow_dissector: Parse PTP L2 packet header") Signed-off-by: Sasha Neftin <sasha.neftin@intel.com> Reviewed-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>		2023-10-06 14:56:36 +02:00
..
bpf_sk_storage.c	bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing	2023-08-11 12:08:12 +02:00
datagram.c	net: datagram: fix data-races in datagram_poll()	2023-05-24 17:32:32 +01:00
dev.c	net: sched: add rcu annotations around qdisc->qdisc_sleeping	2023-06-14 11:15:21 +02:00
dev.h	net: add skb_defer_max sysctl	2022-05-16 11:33:59 +01:00
dev_addr_lists.c	net: extract a few internals from netdevice.h	2022-04-07 20:32:09 -07:00
dev_addr_lists_test.c
dev_ioctl.c	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
drop_monitor.c	genetlink: start to validate reserved header bytes	2022-08-29 12:47:15 +01:00
dst.c	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
dst_cache.c
failover.c	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
fib_notifier.c
fib_rules.c
filter.c	bpf: reject unhashed sockets in bpf_sk_assign	2023-09-13 09:42:31 +02:00
flow_dissector.c	net/core: Fix ETH_P_1588 flow dissector	2023-10-06 14:56:36 +02:00
flow_offload.c	flow_offload: Introduce flow_match_l2tpv3	2022-09-20 09:13:38 +02:00
gen_estimator.c
gen_stats.c	net: sched: fix misuse of qcpu->backlog in gnet_stats_add_queue_cpu	2022-08-16 19:38:20 -07:00
gro.c	skb: Do mix page pool and page referenced frags in GRO	2023-02-09 11:28:05 +01:00
gro_cells.c	net: drop the weight argument from netif_napi_add	2022-09-28 18:57:14 -07:00
hwbm.c
link_watch.c	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
lwt_bpf.c	lwt: Fix return values of BPF xmit ops	2023-09-13 09:42:33 +02:00
lwtunnel.c	xfrm: lwtunnel: squelch kernel warning in case XFRM encap type is not available	2022-10-12 10:45:51 +02:00
Makefile	devlink: move code to a dedicated directory	2023-08-30 16:11:00 +02:00
neighbour.c	neighbour: delete neigh_lookup_nodev as not used	2023-06-21 16:01:03 +02:00
net-procfs.c	net: extract a few internals from netdevice.h	2022-04-07 20:32:09 -07:00
net-sysfs.c	net-sysfs: Convert to use sysfs_emit() APIs	2022-09-30 12:27:44 +01:00
net-sysfs.h
net-traces.c
net_namespace.c	net: fix UaF in netns ops registration error path	2023-02-01 08:34:43 +01:00
netclassid_cgroup.c	core: Variable type completion	2022-08-31 09:40:34 +01:00
netevent.c
netpoll.c	net: don't let netpoll invoke NAPI if in xmit context	2023-04-13 16:55:21 +02:00
netprio_cgroup.c
of_net.c
page_pool.c	page_pool: fix inconsistency for page_pool_ring_[un]lock()	2023-06-05 09:26:20 +02:00
pktgen.c	treewide: use get_random_u32() when possible	2022-10-11 17:42:58 -06:00
ptp_classifier.c	ptp: Add generic PTP is_sync() function	2022-03-07 11:31:34 +00:00
request_sock.c
rtnetlink.c	rtnetlink: Reject negative ifindexes in RTM_NEWLINK	2023-08-30 16:11:04 +02:00
scm.c	scm: add user copy checks to put_cmsg()	2023-03-10 09:33:54 +01:00
secure_seq.c	tcp: Fix data-races around sysctl knobs related to SYN option.	2022-07-20 10:14:49 +01:00
selftests.c
skbuff.c	net: deal with integer overflows in kmalloc_reserve()	2023-09-19 12:27:58 +02:00
skmsg.c	bpf, sockmap: Fix skb refcnt race after locking changes	2023-09-19 12:28:02 +02:00
sock.c	net: Use sockaddr_storage for getsockopt(SO_PEERNAME).	2023-09-23 11:11:02 +02:00
sock_destructor.h
sock_diag.c
sock_map.c	bpf, sockmap: Fix map type error in sock_map_del_link	2023-08-16 18:27:26 +02:00
sock_reuseport.c	soreuseport: Fix socket selection for SO_INCOMING_CPU.	2022-12-31 13:32:04 +01:00
stream.c	net: deal with most data-races in sk_wait_event()	2023-05-24 17:32:32 +01:00
sysctl_net_core.c	net: sysctl: remove unused variable long_max	2022-09-07 15:31:19 +01:00
timestamping.c
tso.c
utils.c	net: core: Use csum_replace_by_diff() and csum_sub() instead of opencoding	2022-02-21 11:40:44 +00:00
xdp.c	xdp: improve page_pool xdp_return performance	2022-09-26 11:28:19 -07:00