mirror/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
1ca1ba465e55b9460e4e75dec9fff31e708fec74
linux/drivers
History
Eric Dumazet 1ca1ba465e geneve: make sure to pull inner header in geneve_rx() 
syzbot triggered a bug in geneve_rx() [1]

Issue is similar to the one I fixed in commit 8d975c15c0
("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")

We have to save skb->network_header in a temporary variable
in order to be able to recompute the network_header pointer
after a pskb_inet_may_pull() call.

pskb_inet_may_pull() makes sure the needed headers are in skb->head.

[1]
BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
 BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]
 BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
  geneve_rx drivers/net/geneve.c:279 [inline]
  geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391
  udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108
  udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186
  udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346
  __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422
  udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604
  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
  dst_input include/net/dst.h:461 [inline]
  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
  process_backlog+0x480/0x8b0 net/core/dev.c:5976
  __napi_poll+0xe3/0x980 net/core/dev.c:6576
  napi_poll net/core/dev.c:6645 [inline]
  net_rx_action+0x8b8/0x1870 net/core/dev.c:6778
  __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553
  do_softirq+0x9a/0xf0 kernel/softirq.c:454
  __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381
  local_bh_enable include/linux/bottom_half.h:33 [inline]
  rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]
  __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378
  dev_queue_xmit include/linux/netdevice.h:3171 [inline]
  packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
  packet_snd net/packet/af_packet.c:3081 [inline]
  packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg net/socket.c:745 [inline]
  __sys_sendto+0x735/0xa10 net/socket.c:2191
  __do_sys_sendto net/socket.c:2203 [inline]
  __se_sys_sendto net/socket.c:2199 [inline]
  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:3819 [inline]
  slab_alloc_node mm/slub.c:3860 [inline]
  kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
  __alloc_skb+0x352/0x790 net/core/skbuff.c:651
  alloc_skb include/linux/skbuff.h:1296 [inline]
  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394
  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783
  packet_alloc_skb net/packet/af_packet.c:2930 [inline]
  packet_snd net/packet/af_packet.c:3024 [inline]
  packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113
  sock_sendmsg_nosec net/socket.c:730 [inline]
  __sock_sendmsg net/socket.c:745 [inline]
  __sys_sendto+0x735/0xa10 net/socket.c:2191
  __do_sys_sendto net/socket.c:2203 [inline]
  __se_sys_sendto net/socket.c:2199 [inline]
  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fixes: 2d07dc79fe ("geneve: add initial netdev driver for GENEVE tunnels")
Reported-and-tested-by: syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2024-03-04 09:59:33 +00:00
..
accel
accel/ivpu: Don't enable any tiles by default on VPU40xx
2024-02-20 16:56:21 +01:00
accessibility
acpi
Merge tag 'acpi-6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
2024-02-28 12:20:00 -08:00
amba
android
binder: signal epoll threads of self-work
2024-01-31 14:08:28 -08:00
ata
ata: libata-core: Do not call ata_dev_power_set_standby() twice
2024-02-21 19:09:17 +01:00
atm
atm: idt77252: fix a memleak in open_card_ubr0
2024-02-03 12:46:13 +00:00
auxdisplay
Merge tag 'drm-next-2024-01-10' of git://anongit.freedesktop.org/drm/drm
2024-01-12 11:32:19 -08:00
base
Merge tag 'driver-core-6.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
2024-02-17 08:56:41 -08:00
bcma
block
Merge tag 'block-6.8-2024-02-10' of git://git.kernel.dk/linux
2024-02-10 08:02:48 -08:00
bluetooth
Bluetooth: qca: Fix triggering coredump implementation
2024-02-28 09:50:51 -05:00
bus
bus: imx-weim: fix valid range check
2024-02-06 14:10:47 +08:00
cache
cache: ax45mp_cache: Align end size to cache boundary in ax45mp_dma_cache_wback()
2024-02-21 16:24:10 +00:00
cdrom
cdx
cdx: Unlock on error path in rescan_store()
2024-01-04 17:01:14 +01:00
char
Merge tag 'tty-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
2024-01-18 11:37:24 -08:00
clk
clk: samsung: clk-gs101: comply with the new dt cmu_misc clock names
2024-01-22 11:40:12 +01:00
clocksource
clocksource/drivers/ep93xx: Fix error handling during probe
2023-12-27 15:37:11 +01:00
comedi
connector
connector/cn_proc: revert "connector: Fix proc_event_num_listeners count not cleared"
2024-02-13 11:15:44 +01:00
counter
cpufreq
cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf call back
2024-02-24 15:01:59 +01:00
cpuidle
cpuidle: haltpoll: Do not enable interrupts when entering idle
2023-12-29 18:08:18 +01:00
crypto
crypto: virtio/akcipher - Fix stack overflow on memcpy
2024-02-09 12:55:53 +08:00
cxl
cxl/acpi: Fix load failures due to single window creation failure
2024-02-20 22:58:05 -08:00
dax
Merge tag 'xfs-6.8-merge-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
2024-01-10 08:45:22 -08:00
dca
devfreq
PM / devfreq: Synchronize devfreq_monitor_[start/stop]
2023-12-19 07:58:27 +09:00
dio
dma
dmaengine: at_hdmac: add missing kernel-doc style description
2024-02-02 17:16:55 +01:00
dma-buf
dma-buf: heaps: Don't track CMA dma-buf pages under RssFile
2024-01-31 19:54:58 +05:30
dpll
dpll: fix build failure due to rcu_dereference_check() on unknown type
2024-02-29 12:18:37 -08:00
edac
Merge tag 'driver-core-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
2024-01-18 09:48:40 -08:00
eisa
extcon
firewire
firewire: core: send bus reset promptly on gap count error
2024-02-07 08:20:02 +09:00
firmware
Merge tag 'riscv-firmware-fixes-for-v6.8-rc6' of https://git.kernel.org/pub/scm/linux/kernel/git/conor/linux into arm/fixes
2024-02-23 13:53:44 +01:00
fpga
Merge tag 'char-misc-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2024-01-17 16:47:17 -08:00
fsi
gnss
Merge tag 'tty-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
2024-01-18 11:37:24 -08:00
gpio
gpiolib: Handle no pin_ranges in gpiochip_generic_config()
2024-02-20 12:49:14 +01:00
gpu
Merge tag 'drm-fixes-2024-02-23' of git://anongit.freedesktop.org/drm/drm
2024-02-23 09:17:47 -08:00
greybus
Merge tag 'tty-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
2024-01-18 11:37:24 -08:00
hid
HID: wacom: generic: Avoid reporting a serial of '0' to userspace
2024-02-13 11:40:23 +01:00
hsi
hte
hv
hwmon
hwmon: (nct6775) Fix access to temperature configuration registers
2024-02-21 13:56:33 -08:00
hwspinlock
hwtracing
i2c
i2c: imx: when being a target, mark the last read as processed
2024-02-23 23:39:35 +01:00
i3c
i3c: master: cdns: Update maximum prescaler value for i2c clock
2024-01-08 00:51:36 +01:00
idle
Merge tag 'pm-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
2024-01-09 16:32:11 -08:00
iio
iio: adc: ad4130: only set GPIO_CTRL if pin is unused
2024-02-10 16:52:39 +00:00
infiniband
RDMA/srpt: fix function pointer cast warnings
2024-02-14 11:15:54 +02:00
input
Merge tag 'input-for-v6.8-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
2024-02-02 12:52:44 -08:00
interconnect
interconnect: qcom: x1e80100: Add missing ACV enable_mask
2024-02-04 23:36:06 +02:00
iommu
Merge tag 'iommu-fixes-v6.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
2024-02-24 15:59:26 -08:00
ipack
Merge tag 'tty-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
2024-01-18 11:37:24 -08:00
irqchip
irqchip/gic-v3-its: Do not assume vPE tables are preallocated
2024-02-21 21:11:20 +01:00
isdn
leds
Merge tag 'leds-next-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/leds
2024-01-17 15:25:27 -08:00
macintosh
mailbox
Merge tag 'mailbox-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox
2024-01-17 15:39:32 -08:00
mcb
mcb: core: fix kernel-doc warnings
2023-12-15 17:07:05 +01:00
md
Merge tag 'for-6.8/dm-fix-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
2024-02-24 09:55:29 -08:00
media
media: pwm-ir-tx: Depend on CONFIG_HIGH_RES_TIMERS
2024-02-01 13:49:39 +01:00
memory
Merge tag 'iommu-updates-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
2024-01-18 15:16:57 -08:00
memstick
message
mfd
Merge tag 'tty-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
2024-01-18 11:37:24 -08:00
misc
misc: open-dice: Fix spurious lockdep warning
2024-01-30 16:20:54 -08:00
mmc
mmc: slot-gpio: Allow non-sleeping GPIO ro
2024-02-06 12:35:44 +01:00
most
mtd
mtd: rawnand: marvell: fix layouts
2024-02-05 16:16:24 +01:00
mux
mux: mmio: use reg property when parent device is not a syscon
2024-01-04 17:01:14 +01:00
net
geneve: make sure to pull inner header in geneve_rx()
2024-03-04 09:59:33 +00:00
nfc
ntb
nubus
nubus: Make nubus_bus_type static and constant
2024-01-03 13:33:59 +01:00
nvdimm
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
2024-01-18 16:44:03 -08:00
nvme
nvmet: remove superfluous initialization
2024-02-13 15:42:44 -08:00
nvmem
nvmem: include bit index in cell sysfs file name
2024-02-14 16:28:16 +01:00
of
Merge tag 'devicetree-fixes-for-6.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
2024-02-15 10:19:55 -08:00
opp
OPP: Rename 'rate_clk_single'
2024-01-05 15:55:41 +05:30
parisc
parisc/power: Fix power soft-off button emulation on qemu
2024-01-07 22:59:16 +01:00
parport
parport: parport_serial: Add Brainboxes device IDs and geometry
2023-12-15 19:54:56 +01:00
pci
PCI/MSI: Prevent MSI hardware interrupt number truncation
2024-02-19 16:11:01 +01:00
pcmcia
pcmcia: xxs1500_ss: Convert to platform remove callback returning void
2023-12-15 17:07:28 +01:00
peci
perf
perf: CXL: fix CPMU filter value mask length
2024-02-20 12:04:07 +00:00
phy
phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP
2024-01-30 22:41:11 +05:30
pinctrl
pinctrl: amd: Add IRQF_ONESHOT to the interrupt request
2024-01-31 10:06:07 +01:00
platform
platform/x86: thinkpad_acpi: Only update profile if successfully converted
2024-02-20 14:35:36 +01:00
pmdomain
pmdomain: mediatek: fix race conditions with genpd
2024-01-23 13:19:15 +01:00
pnp
Merge tag 'acpi-6.8-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
2024-01-17 14:37:40 -08:00
power
Revert "power: supply: qcom_battmgr: Register the power supplies after PDR is up"
2024-01-26 22:45:58 +01:00
powercap
pps
ps3
ptp
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-01-04 18:06:46 -08:00
pwm
pwm: jz4740: Don't use dev_err_probe() in .request()
2024-01-12 18:25:05 +01:00
rapidio
rapidio/tsi721: fix kernel-doc warnings
2023-12-20 15:02:57 -08:00
ras
regulator
regulator: max5970: Fix regulator child node name
2024-02-13 15:38:23 +00:00
remoteproc
remoteproc: qcom_q6v5_pas: Add SC7280 ADSP, CDSP & WPSS
2023-12-17 10:06:32 -08:00
reset
Merge tag 'soc-drivers-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
2024-01-11 11:31:46 -08:00
rpmsg
rpmsg: virtio: Free driver_override when rpmsg_remove()
2023-12-18 10:56:03 -07:00
rtc
rtc: nuvoton: Compatible with NCT3015Y-R and NCT3018Y-R
2024-01-18 01:05:33 +01:00
s390
Merge tag 's390-6.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
2024-02-23 09:54:13 -08:00
sbus
scsi
scsi: jazz_esp: Only build if SCSI core is builtin
2024-02-15 15:34:47 -05:00
sh
maple: make maple_bus_type static and const
2024-01-04 14:37:17 +01:00
siox
slimbus
soc
Merge tag 'riscv-soc-drivers-fixes-for-v6.8-rc6' of https://git.kernel.org/pub/scm/linux/kernel/git/conor/linux into arm/fixes
2024-02-23 13:53:54 +01:00
soundwire
Merge tag 'soundwire-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire
2024-01-18 17:08:31 -08:00
spi
spi: Drop mismerged fix
2024-02-27 12:52:51 +00:00
spmi
spmi: mediatek: add device id check
2023-12-15 17:27:04 +01:00
ssb
staging
Merge tag 'char-misc-6.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2024-02-17 08:52:38 -08:00
target
scsi: target: pscsi: Fix bio_put() for error case
2024-02-15 14:44:07 -05:00
tc
tee
Merge tag 'docs-6.8' of git://git.lwn.net/linux
2024-01-11 19:46:52 -08:00
thermal
thermal: intel: powerclamp: Remove dead code for target mwait value
2024-01-22 11:59:22 +01:00
thunderbolt
thunderbolt: Fix setting the CNS bit in ROUTER_CS_5
2024-01-29 09:48:40 +02:00
tty
serial: amba-pl011: Fix DMA transmission in RS485 mode
2024-02-19 09:43:37 +01:00
ufs
scsi: ufs: Uninitialized variable in ufshcd_devfreq_target()
2024-02-15 14:46:13 -05:00
uio
uio: Fix use-after-free in uio_open
2024-01-04 17:03:47 +01:00
usb
Merge tag 'usb-6.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
2024-02-25 10:41:57 -08:00
vdpa
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
2024-01-18 16:44:03 -08:00
vfio
Merge tag 'vfio-v6.8-rc1' of https://github.com/awilliam/linux-vfio
2024-01-18 15:57:25 -08:00
vhost
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
2024-01-18 16:44:03 -08:00
video
fbdev: stifb: Fix crash in stifb_blank()
2024-01-23 09:13:24 +01:00
virt
Merge tag 'char-misc-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2024-01-17 16:47:17 -08:00
virtio
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
2024-01-18 16:44:03 -08:00
w1
w1: ds2433: add support for ds28ec20 eeprom
2023-12-20 09:25:25 +01:00
watchdog
Merge tag 'linux-watchdog-6.8-rc1' of git://www.linux-watchdog.org/linux-watchdog
2024-01-12 13:32:30 -08:00
xen
xen/events: close evtchn after mapping cleanup
2024-02-13 10:12:47 +01:00
zorro
Kconfig
Makefile
fbdev/intelfb: Remove driver
2024-01-12 12:38:37 +01:00