linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-02 15:18:19 +00:00

History

Eric Dumazet d9f92772e8 xfrm6: avoid potential infinite loop in _decode_session6() syzbot found a way to trigger an infinitie loop by overflowing @offset variable that has been forced to use u16 for some very obscure reason in the past. We probably want to look at NEXTHDR_FRAGMENT handling which looks wrong, in a separate patch. In net-next, we shall try to use skb_header_pointer() instead of pskb_may_pull(). watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553] Modules linked in: irq event stamp: 13885653 hardirqs last enabled at (13885652): [<ffffffff878009d5>] restore_regs_and_return_to_kernel+0x0/0x2b hardirqs last disabled at (13885653): [<ffffffff87800905>] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625 softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline] softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825 softirqs last disabled at (13614032): [<ffffffff84df1b6f>] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942 CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline] RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101 RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006 RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277 RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8 R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8 FS: 0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150 __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368 xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline] icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372 icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551 icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43 ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305 NF_HOOK include/linux/netfilter.h:288 [inline] ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327 dst_input include/net/dst.h:450 [inline] ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71 NF_HOOK include/linux/netfilter.h:288 [inline] ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208 __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711 netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785 napi_frags_finish net/core/dev.c:5226 [inline] napi_gro_frags+0x631/0xc40 net/core/dev.c:5299 tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951 tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996 call_write_iter include/linux/fs.h:1784 [inline] do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680 do_iter_write+0x185/0x5f0 fs/read_write.c:959 vfs_writev+0x1c7/0x330 fs/read_write.c:1004 do_writev+0x112/0x2f0 fs/read_write.c:1039 __do_sys_writev fs/read_write.c:1112 [inline] __se_sys_writev fs/read_write.c:1109 [inline] __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: `1da177e4c3` ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Steffen Klassert <steffen.klassert@secunet.com> Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com> Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>		2018-05-14 09:42:07 +02:00
..
6lowpan
9p	net/9p/client.c: fix potential refcnt problem of trans module	2018-04-05 21:36:23 -07:00
802
8021q	vlan: also check phy_driver ts_info for vlan's real device	2018-04-01 20:53:50 -04:00
appletalk
atm	net: atm: Fix potential Spectre v1	2018-05-04 12:52:47 -04:00
ax25
batman-adv	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2018-04-01 19:49:34 -04:00
bluetooth	Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth	2018-04-08 17:19:15 -04:00
bpf
bridge	bridge: check iface upper dev when setting master via ioctl	2018-04-29 21:08:02 -04:00
caif	net: caif: fix spelling mistake "UKNOWN" -> "UNKNOWN"	2018-04-19 13:37:10 -04:00
can	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
ceph	libceph: validate con->state at the top of try_write()	2018-04-26 17:39:08 +02:00
core	ethtool: fix a potential missing-check bug	2018-05-01 14:18:47 -04:00
dcb
dccp	dccp: fix tasklet usage	2018-05-03 15:14:57 -04:00
decnet
dns_resolver	KEYS: DNS: limit the length of option strings	2018-04-17 15:17:41 -04:00
dsa	net: dsa: Discard frames from unused ports	2018-04-08 10:34:49 -04:00
ethernet
hsr
ieee802154	inet: frags: fix ip6frag_low_thresh boundary	2018-04-04 12:04:59 -04:00
ife	net: sched: ife: check on metadata length	2018-04-22 21:12:00 -04:00
ipv4	tcp: restore autocorking	2018-05-03 11:28:50 -04:00
ipv6	xfrm6: avoid potential infinite loop in _decode_session6()	2018-05-14 09:42:07 +02:00
iucv
kcm	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
key	af_key: Always verify length of provided sadb_key	2018-04-09 07:06:38 +02:00
l2tp	l2tp: check sockaddr length in pppol2tp_connect()	2018-04-23 21:10:43 -04:00
l3mdev
lapb
llc	llc: better deal with too small mtu	2018-05-08 00:11:40 -04:00
mac80211	We have a fair number of patches, but many of them are from the	2018-03-29 16:23:26 -04:00
mac802154	net/mac802154: disambiguate mac80215 vs mac802154 trace events	2018-03-28 22:55:18 +02:00
mpls	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
ncsi
netfilter	netfilter: xt_connmark: do not cast xt_connmark_tginfo1 to xt_connmark_tginfo2	2018-04-19 16:19:28 +02:00
netlabel
netlink	net/netlink: make sure the headers line up actual value output	2018-05-04 13:00:57 -04:00
netrom
nfc
nsh	nsh: fix infinite loop	2018-05-04 12:54:38 -04:00
openvswitch	openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found	2018-05-04 12:51:02 -04:00
packet	packet: fix bitfield update race	2018-04-24 13:17:08 -04:00
phonet	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
psample
qrtr	net: qrtr: add MODULE_ALIAS_NETPROTO macro	2018-04-17 09:58:00 -04:00
rds	rds: do not leak kernel memory to user land	2018-05-03 11:26:14 -04:00
rfkill
rose
rxrpc	rxrpc: Fix undefined packet handling	2018-04-04 11:04:08 -04:00
sched	net_sched: fq: take care of throttled flows before reuse	2018-05-02 16:37:38 -04:00
sctp	sctp: delay the authentication for the duplicated cookie-echo chunk	2018-05-07 23:39:10 -04:00
smc	smc: fix sendpage() call	2018-05-03 14:47:31 -04:00
strparser	strparser: Do not call mod_delayed_work with a timeout of LONG_MAX	2018-04-22 21:09:16 -04:00
sunrpc	rpc_pipefs: fix double-dput()	2018-04-15 23:49:27 -04:00
switchdev
tipc	tipc: fix bug in function tipc_nl_node_dump_monitor	2018-04-27 11:03:56 -04:00
tls	net/tls: Fix connection stall on partial tls record	2018-05-07 23:47:58 -04:00
unix	af_unix: remove redundant lockdep class	2018-04-04 11:13:40 -04:00
vmw_vsock	VSOCK: make af_vsock.ko removable again	2018-04-17 09:44:30 -04:00
wimax
wireless	Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next	2018-03-31 23:33:04 -04:00
x25
xfrm	xfrm: Fix warning in xfrm6_tunnel_net_exit.	2018-04-16 07:50:09 +02:00
compat.c	net: support compat 64-bit time in {s,g}etsockopt	2018-04-27 19:46:06 -04:00
Kconfig
Makefile
socket.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial	2018-04-05 11:56:35 -07:00
sysctl_net.c	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00