xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a9fd5d6cd5943a64fc0a7d94e6731f7da40de27f
android_kernel_xiaomi_sm8450/net/core
History
Eyal Birger 9ef33d23f8 bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook 
[ Upstream commit b02d196c44ead1a5949729be9ff08fe781c3e48a ]

xmit_check_hhlen() observes the dst for getting the device hard header
length to make sure a modified packet can fit. When a helper which changes
the dst - such as bpf_skb_set_tunnel_key() - is called as part of the
xmit program the accessed dst is no longer valid.

This leads to the following splat:

 BUG: kernel NULL pointer dereference, address: 00000000000000de
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 0 PID: 798 Comm: ping Not tainted 5.18.0-rc2+ #103
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
 RIP: 0010:bpf_xmit+0xfb/0x17f
 Code: c6 c0 4d cd 8e 48 c7 c7 7d 33 f0 8e e8 42 09 fb ff 48 8b 45 58 48 8b 95 c8 00 00 00 48 2b 95 c0 00 00 00 48 83 e0 fe 48 8b 00 <0f> b7 80 de 00 00 00 39 c2 73 22 29 d0 b9 20 0a 00 00 31 d2 48 89
 RSP: 0018:ffffb148c0bc7b98 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: 0000000000240008 RCX: 0000000000000000
 RDX: 0000000000000010 RSI: 00000000ffffffea RDI: 00000000ffffffff
 RBP: ffff922a828a4e00 R08: ffffffff8f1350e8 R09: 00000000ffffdfff
 R10: ffffffff8f055100 R11: ffffffff8f105100 R12: 0000000000000000
 R13: ffff922a828a4e00 R14: 0000000000000040 R15: 0000000000000000
 FS:  00007f414e8f0080(0000) GS:ffff922afdc00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00000000000000de CR3: 0000000002d80006 CR4: 0000000000370ef0
 Call Trace:
  <TASK>
  lwtunnel_xmit.cold+0x71/0xc8
  ip_finish_output2+0x279/0x520
  ? __ip_finish_output.part.0+0x21/0x130

Fix by fetching the device hard header length before running the BPF code.

Fixes: 3a0af8fd61 ("bpf: BPF for lightweight tunnel infrastructure")
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220420165219.1755407-1-eyal.birger@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-05-09 09:05:02 +02:00
..
bpf_sk_storage.c
bpf: Change bpf_sk_storage_*() to accept ARG_PTR_TO_BTF_ID_SOCK_COMMON
2020-09-25 13:58:01 -07:00
datagram.c
udp: fix skb_copy_and_csum_datagram with odd segment sizes
2021-02-17 11:02:28 +01:00
datagram.h
net/core: Allow the compiler to verify declaration and definition consistency
2019-03-27 13:49:44 -07:00
dev_addr_lists.c
net: core: add nested_level variable in net_device
2020-09-28 15:00:15 -07:00
dev_ioctl.c
net: fix dev_ifsioc_locked() race condition
2021-03-07 12:34:07 +01:00
dev.c
xdp: check prog type before updating BPF link
2022-01-27 10:54:30 +01:00
devlink.c
devlink: Remove misleading internal_flags from health reporter dump
2022-01-27 10:54:34 +01:00
drop_monitor.c
drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit
2022-02-23 12:01:02 +01:00
dst_cache.c
wireguard: device: reset peer src endpoint when netns exits
2021-12-08 09:03:22 +01:00
dst.c
net, bpf: Fix ip6ip6 crash with collect_md populated skbs
2021-03-30 14:32:05 +02:00
failover.c
failover: allow name change on IFF_UP slave interfaces
2019-04-10 22:12:26 -07:00
fib_notifier.c
net: fib_notifier: propagate extack down to the notifier block callback
2019-10-04 11:10:56 -07:00
fib_rules.c
ipv6: fix memory leak in fib6_rule_suppress
2021-12-08 09:03:21 +01:00
filter.c
bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
2022-04-13 21:01:06 +02:00
flow_dissector.c
net/sched: flower: fix parsing of ethertype following VLAN header
2022-04-20 09:23:11 +02:00
flow_offload.c
net: Fix offloading indirect devices dependency on qdisc order creation
2021-09-18 13:40:30 +02:00
gen_estimator.c
net_sched: gen_estimator: support large ewma log
2021-01-27 11:55:23 +01:00
gen_stats.c
docs: networking: convert gen_stats.txt to ReST
2020-04-28 14:39:46 -07:00
gro_cells.c
gro_cells: reduce number of synchronize_net() calls
2020-11-25 11:28:12 -08:00
hwbm.c
net: hwbm: Make the hwbm_pool lock a mutex
2019-06-09 19:40:10 -07:00
link_watch.c
net: linkwatch: fix failure to restore device state across suspend/resume
2021-08-18 08:59:13 +02:00
lwt_bpf.c
bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook
2022-05-09 09:05:02 +02:00
lwtunnel.c
lwtunnel: Validate RTA_ENCAP_TYPE attribute length
2022-01-11 15:25:00 +01:00
Makefile
ethtool: move to its own directory
2019-12-12 17:07:05 -08:00
neighbour.c
net, neigh: clear whole pneigh_entry at alloc time
2021-12-14 11:32:43 +01:00
net_namespace.c
netns: add schedule point in ops_exit_list()
2022-01-27 10:54:33 +01:00
net-procfs.c
net-procfs: show net devices bound packet types
2022-02-01 17:25:44 +01:00
net-sysfs.c
net-sysfs: add check for netdevice being present to speed_show
2022-03-16 14:16:00 +01:00
net-sysfs.h
net-sysfs: add netdev_change_owner()
2020-02-26 20:07:25 -08:00
net-traces.c
page_pool: add tracepoints for page_pool with details need by XDP
2019-06-19 11:23:13 -04:00
netclassid_cgroup.c
cgroup, netclassid: remove double cond_resched
2020-04-21 15:44:30 -07:00
netevent.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
netpoll.c
net: Have netpoll bring-up DSA management interface
2020-11-18 11:04:11 -08:00
netprio_cgroup.c
netprio_cgroup: Fix unlimited memory leak of v2 cgroups
2020-05-09 20:59:21 -07:00
page_pool.c
mm: fix struct page layout on 32-bit systems
2021-05-19 10:13:17 +02:00
pktgen.c
pktgen: fix misuse of BUG_ON() in pktgen_thread_worker()
2021-03-07 12:34:09 +01:00
ptp_classifier.c
ptp: Add generic ptp v2 header parsing function
2020-08-19 16:07:49 -07:00
request_sock.c
tcp: add rcu protection around tp->fastopen_rsk
2019-10-13 10:13:08 -07:00
rtnetlink.c
net: limit altnames to 64k total
2022-04-13 21:01:00 +02:00
scm.c
fs: Add receive_fd() wrapper for __receive_fd()
2020-07-13 11:03:44 -07:00
secure_seq.c
crypto: lib/sha1 - remove unnecessary includes of linux/cryptohash.h
2020-05-08 15:32:17 +10:00
skbuff.c
net: fix up skbs delta_truesize in UDP GRO frag_list
2022-03-08 19:09:32 +01:00
skmsg.c
bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full
2022-04-08 14:40:21 +02:00
sock_diag.c
bpf, net: Rework cookie generator as per-cpu one
2020-09-30 11:50:35 -07:00
sock_map.c
bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc
2021-12-17 10:14:41 +01:00
sock_reuseport.c
udp: Prevent reuseport_select_sock from reading uninitialized socks
2021-01-23 16:03:59 +01:00
sock.c
sock: fix /proc/net/sockstat underflow in sk_clone_lock()
2021-11-26 10:39:14 +01:00
stream.c
net: stream: don't purge sk_error_queue in sk_stream_kill_queues()
2021-11-18 14:04:08 +01:00
sysctl_net_core.c
bpf: Prevent increasing bpf_jit_limit above max
2021-11-18 14:03:42 +01:00
timestamping.c
net: Introduce a new MII time stamping interface.
2019-12-25 19:51:33 -08:00
tso.c
net: tso: add UDP segmentation support
2020-06-18 20:46:23 -07:00
utils.c
net: Fix skb->csum update in inet_proto_csum_replace16().
2020-01-24 20:54:30 +01:00
xdp.c
xdp: fix xdp_return_frame() kernel BUG throw for page_pool memory model
2021-04-14 08:42:09 +02:00