linux-stable/drivers
Eric Dumazet e431c32278 geneve: make sure to pull inner header in geneve_rx()
[ Upstream commit 1ca1ba465e ]

syzbot triggered a bug in geneve_rx() [1]

Issue is similar to the one I fixed in commit 8d975c15c0
("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")

We have to save skb->network_header in a temporary variable
in order to be able to recompute the network_header pointer
after a pskb_inet_may_pull() call.

pskb_inet_may_pull() makes sure the needed headers are in skb->head.

[1]
BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
 BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
 BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
  geneve_rx drivers/net/geneve.c:279 [inline]
  geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
  udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
  udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
  udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
  __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
  udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
  dst_input include/net/dst.h:461 [inline]
  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
  process_backlog+0x480/0x8b0 net/core/dev.c:5976
  __napi_poll+0xe3/0x980 net/core/dev.c:6576
  napi_poll net/core/dev.c:6645 [inline]
  net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
  __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
  do_softirq+0x9a/0xf0 kernel/softirq.c:454
  __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
  local_bh_enable include/linux/bottom_half.h:33 [inline]
  rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
  __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
  dev_queue_xmit include/linux/netdevice.h:3171 [inline]
  packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
  packet_snd net/packet/af_packet.c:3081 [inline]
  packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg net/socket.c:745 [inline]
  __sys_sendto+0x735/0xa10 net/socket.c:2191
  __do_sys_sendto net/socket.c:2203 [inline]
  __se_sys_sendto net/socket.c:2199 [inline]
  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:3819 [inline]
  slab_alloc_node mm/slub.c:3860 [inline]
  kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
  __alloc_skb+0x352/0x790 net/core/skbuff.c:651
  alloc_skb include/linux/skbuff.h:1296 [inline]
  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
  packet_alloc_skb net/packet/af_packet.c:2930 [inline]
  packet_snd net/packet/af_packet.c:3024 [inline]
  packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg net/socket.c:745 [inline]
  __sys_sendto+0x735/0xa10 net/socket.c:2191
  __do_sys_sendto net/socket.c:2203 [inline]
  __se_sys_sendto net/socket.c:2199 [inline]
  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fixes: 2d07dc79fe ("geneve: add initial netdev driver for GENEVE tunnels")
Reported-and-tested-by: syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-03-15 10:48:14 -04:00
accessibility
acpi ACPI: extlog: fix NULL pointer dereference check 2024-02-23 08:12:44 +01:00
amba amba: bus: fix refcount leak 2023-09-23 10:48:09 +02:00
android binder: signal epoll threads of self-work 2024-02-23 08:12:57 +01:00
ata ahci: asm1166: correct count of reported ports 2024-03-01 13:06:09 +01:00
atm atm: idt77252: fix a memleak in open_card_ubr0 2024-02-23 08:12:53 +01:00
auxdisplay
base pmdomain: core: Move the unused cleanup to a _sync initcall 2024-02-23 08:12:58 +01:00
bcma
block virtio-blk: Ensure no requests in virtqueues before deleting vqs. 2024-03-01 13:06:09 +01:00
bluetooth Bluetooth: btmtkuart: fix recv_buf() return value 2024-01-25 14:33:34 -08:00
bus bus: imx-weim: fix branch condition evaluates to a garbage value 2023-04-05 11:15:38 +02:00
cdrom
char hwrng: core - Fix page fault dead lock on mmap-ed hwrng 2024-02-23 08:12:40 +01:00
clk clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() 2024-02-23 08:12:50 +01:00
clocksource clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware 2023-11-28 16:46:31 +00:00
connector
cpufreq cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily 2023-12-08 08:43:26 +01:00
cpuidle sched,idle,rcu: Push rcu_idle deeper into the idle path 2023-10-25 11:16:26 +02:00
crypto crypto: stm32/crc32 - fix parsing list of devices 2024-02-23 08:12:45 +01:00
dax
dca
devfreq PM / devfreq: Fix leak in devfreq_dev_release() 2023-09-23 10:48:10 +02:00
dio
dma dmaengine: shdma: increase size of 'dev_id' 2024-03-01 13:06:09 +01:00
dma-buf dma-buf/sw_sync: Avoid recursive lock during fence signal 2023-08-30 16:31:56 +02:00
edac EDAC/thunderx: Fix possible out-of-bounds string access 2024-01-25 14:33:31 -08:00
eisa
extcon extcon: Fix kernel doc of property capability fields to avoid warnings 2023-08-11 11:45:12 +02:00
firewire firewire: core: send bus reset promptly on gap count error 2024-03-01 13:06:09 +01:00
firmware efi/capsule-loader: fix incorrect allocation size 2024-03-06 14:35:23 +00:00
fmc
fpga fpga: bridge: fix kernel-doc parameter description 2023-05-17 11:13:15 +02:00
fsi fsi: master-ast-cf: Add MODULE_FIRMWARE macro 2023-09-23 10:47:57 +02:00
gnss
gpio gpio: 74x164: Enable output pins after registers are reset 2024-03-06 14:35:23 +00:00
gpu nouveau: fix function cast warnings 2024-03-01 13:06:11 +01:00
hid HID: wacom: Do not register input devices until after hid_hw_start 2024-02-23 08:12:56 +01:00
hsi
hv Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs 2023-06-28 10:15:28 +02:00
hwmon hwmon: (coretemp) Enlarge per package core count limit 2024-03-01 13:06:09 +01:00
hwspinlock
hwtracing coresight: etm4x: Fix width of CCITMIN field 2024-01-25 14:33:31 -08:00
i2c i2c: s3c24xx: fix transferring more than one message in polling mode 2024-01-25 14:33:39 -08:00
ide treewide: Remove uninitialized_var() usage 2023-08-11 11:45:01 +02:00
idle
iio iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table 2024-01-08 11:27:35 +01:00
infiniband RDMA/srpt: fix function pointer cast warnings 2024-03-01 13:06:10 +01:00
input Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID 2024-02-23 08:12:54 +01:00
iommu
ipack
irqchip irqchip/irq-brcmstb-l2: Add write memory barrier before exit 2024-02-23 08:12:58 +01:00
isdn mISDN: Update parameter type of dsp_cmx_send() 2023-08-16 18:13:00 +02:00
leds leds: trigger: panic: Don't register panic notifier if creating the trigger failed 2024-02-23 08:12:50 +01:00
lightnvm
macintosh macintosh: via-pmu-led: requires ATA to be set 2023-05-17 11:13:18 +02:00
mailbox mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 2023-08-11 11:45:13 +02:00
mcb mcb: fix error handling for different scenarios when parsing 2023-11-28 16:46:35 +00:00
md dm-crypt: don't modify the data when using authenticated encryption 2024-03-01 13:06:10 +01:00
media media: ddbridge: fix an error code problem in ddb_probe 2024-02-23 08:12:49 +01:00
memory
memstick memstick r592: make memstick_debug_get_tpc_name() static 2023-08-11 11:45:06 +02:00
message scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition 2023-05-30 12:42:09 +01:00
mfd mfd: ti_am335x_tscadc: Fix TI SoC dependencies 2024-02-23 08:12:50 +01:00
misc misc: st_core: Do not call kfree_skb() under spin_lock_irqsave() 2023-11-20 10:29:20 +01:00
mmc mmc: core: Fix eMMC initialization with 1-bit bus connection 2024-03-06 14:35:23 +00:00
mtd mtd: Fix gluebi NULL pointer dereference caused by ftl notifier 2024-01-25 14:33:32 -08:00
mux
net geneve: make sure to pull inner header in geneve_rx() 2024-03-15 10:48:14 -04:00
nfc nfcsim.c: Fix error checking for debugfs_create_dir 2023-06-28 10:15:31 +02:00
ntb ntb: Fix calculation ntb_transport_tx_free_entry() 2023-09-23 10:48:10 +02:00
nubus
nvdimm nd_btt: Make BTT lanes preemptible 2023-11-20 10:29:18 +01:00
nvme nvme-pci: do not set the NUMA node of device if it has none 2023-10-10 21:44:59 +02:00
nvmem nvmem: imx: correct nregs for i.MX6UL 2023-11-08 11:22:16 +01:00
of of: unittest: Fix of_count_phandle_with_args() expected value message 2024-01-25 14:33:36 -08:00
opp
oprofile
parisc parisc: iosapic.c: Fix sparse warnings 2023-10-10 21:44:58 +02:00
parport parport: Add support for Brainboxes IX/UC/PX parallel cards 2023-12-13 17:42:19 +01:00
pci PCI/MSI: Prevent MSI hardware interrupt number truncation 2024-03-01 13:06:11 +01:00
pcmcia pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() 2023-11-20 10:29:20 +01:00
perf
phy phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP 2024-02-23 08:12:53 +01:00
pinctrl pinctrl: at91-pio4: use dedicated lock class for IRQ 2024-01-08 11:27:34 +01:00
platform platform/x86: intel_telemetry: Fix kernel doc descriptions 2023-12-20 15:38:02 +01:00
pnp PNP: ACPI: fix fortify warning 2024-02-23 08:12:44 +01:00
power power: supply: bq27xxx-i2c: Do not free non existing IRQ 2024-03-06 14:35:23 +00:00
powercap
pps
ps3
ptp ptp: annotate data-race around q->head and q->tail 2023-11-28 16:46:33 +00:00
pwm pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume 2023-11-20 10:29:20 +01:00
rapidio
ras
regulator regulator: pwm-regulator: Add validity checks in continuous .get_voltage 2024-03-01 13:06:09 +01:00
remoteproc
reset reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning 2024-01-25 14:33:30 -08:00
rpmsg rpmsg: virtio: Free driver_override when rpmsg_remove() 2024-02-23 08:12:40 +01:00
rtc rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff 2023-09-23 10:47:56 +02:00
s390 s390/qeth: Fix potential loss of L3-IP@ in case of network issues 2024-03-01 13:06:09 +01:00
sbus
scsi scsi: jazz_esp: Only build if SCSI core is builtin 2024-03-01 13:06:11 +01:00
sfi
sh
siox
slimbus
sn
soc pmdomain: renesas: r8a77980-sysc: CR7 must be always on 2024-03-01 13:06:10 +01:00
soundwire
spi spi: ppc4xx: Drop write-only variable 2024-02-23 08:12:55 +01:00
spmi spmi: Add a check for remove callback when removing a SPMI driver 2023-05-17 11:13:17 +02:00
ssb treewide: Remove uninitialized_var() usage 2023-08-11 11:45:01 +02:00
staging staging: iio: ad5933: fix type mismatch regression 2024-02-23 08:12:57 +01:00
target scsi: target: core: Add TMF to tmr_list handling 2024-03-01 13:06:09 +01:00
tc
tee
thermal thermal: core: prevent potential string overflow 2023-11-20 10:29:17 +01:00
thunderbolt
tty serial: max310x: improve crystal stable clock detection 2024-02-23 08:12:57 +01:00
uio uio: Fix use-after-free in uio_open 2024-01-25 14:33:30 -08:00
usb usb: roles: don't get/set_role() when usb_role_switch is unregistered 2024-03-01 13:06:10 +01:00
uwb
vfio
vhost vhost: use kzalloc() instead of kmalloc() followed by memset() 2024-02-23 08:12:55 +01:00
video fbdev: sis: Error out if pixclock equals zero 2024-03-01 13:06:09 +01:00
virt
virtio virtio-mmio: fix memory leak of vm_dev 2023-11-08 11:22:15 +01:00
visorbus
vlynq
vme
w1 w1: fix loop in w1_fini() 2023-08-11 11:45:11 +02:00
watchdog watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling 2024-01-25 14:33:36 -08:00
xen xen/events: fix delayed eoi list handling 2023-11-28 16:46:33 +00:00
zorro
Kconfig
Makefile