Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp354954imm;
        Mon, 2 Jul 2018 12:47:28 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKKsGNShmCFSv+3e9g34mpwLQUBwCDpz0S4SS4X+JRiB1Jvpw9yy4wd1rH864h9BkJ3Yg8FL
X-Received: by 2002:a17:902:6b09:: with SMTP id o9-v6mr26722928plk.256.1530560848781;
        Mon, 02 Jul 2018 12:47:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1530560848; cv=none;
        d=google.com; s=arc-20160816;
        b=DUTUseYVO1MazuJVOW5PCrBzgzRTC0Z35ql+C+2wrVcZoVbuXSudTH+TNVzUWgqoZN
         J8gprv519JFiGsvOxXQbGGYZKgdsK0YX6M4GseQ+/TU5bXWBeM5pbqa1bc8lh6JAWIAJ
         8OFGeQNShcEFyJNNPH8ipCvMrz50Ozs0k8uSzcRV83j+4ejS4fYI9GZuKfeD+ITfLIVc
         ZbDNvvQgSMfqh+9Gu1I1mNgfWd4qxy5Dfvh2OZcumCyhXbCi5Xh/ID9/MCqvwZzzgSiP
         iejTeZOO9t4eKkr0TZaj1Ao0IcwScmSnEyEzEYeo8nsNd3x+RZ+9+WQnaPJvuSHV4OIQ
         EDaA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-language
         :content-transfer-encoding:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature
         :arc-authentication-results;
        bh=tZmwouYozNc+8c04ym3LmTVvUYeGPhSISwyA93IHVYs=;
        b=DaonAUTbwuqxdXbV8wWi5Xyb1DOhJsAEFr0n0L5xz0MPeNoCiJoRdB3dkqn7TvY717
         AOuXm/gLxRqRyr+lvYzUwjbWqBygPx3x8VDQ88VZJHPFqKPR3j54BwtSGuuIziqHtQhv
         UctA9/4dUuAnyKeaRCAdIC6pJexasnIdYZYV1Y2tWuYV4tMapgIlhQgNFADX2BnNwSI4
         IHqZUIxQ9uX3yhl2dQC41tDfKHAeHUpe2iahEn9jIdSQpV9BXUbZwVyklwwS/EdFkyr0
         AlRE8sCVoTZNXVlGFheGU9iwsBfNTrGUTmSPf8wa2F9+oLpwL6F2hCkHIqAqv4cBteCF
         Z4+g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@opensourcefoundries-com.20150623.gappssmtp.com header.s=20150623 header.b=h7c2pGbl;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n26-v6si3118583pfj.251.2018.07.02.12.47.14;
        Mon, 02 Jul 2018 12:47:28 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@opensourcefoundries-com.20150623.gappssmtp.com header.s=20150623 header.b=h7c2pGbl;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753018AbeGBTpq (ORCPT <rfc822;utfcpqpk@gmail.com> + 99 others);
        Mon, 2 Jul 2018 15:45:46 -0400
Received: from mail-oi0-f65.google.com ([209.85.218.65]:45001 "EHLO
        mail-oi0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752893AbeGBTpo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 2 Jul 2018 15:45:44 -0400
Received: by mail-oi0-f65.google.com with SMTP id s198-v6so14748582oih.11
        for <linux-kernel@vger.kernel.org>; Mon, 02 Jul 2018 12:45:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=opensourcefoundries-com.20150623.gappssmtp.com; s=20150623;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-transfer-encoding:content-language;
        bh=tZmwouYozNc+8c04ym3LmTVvUYeGPhSISwyA93IHVYs=;
        b=h7c2pGbl+GJnGUh9IHT0RJZFKpOltHb7mzSVmNG5e1QbBeR4qtXD3Fu68zfjW/UtBw
         YLE1FqJ8FOxhXR5BwMFHU3df3hTdzYjVHqa0LJN2FygGqW7oHEvw8/HB6B3+GuOdW5Ab
         goOBbqGNwB5El8Gf/SlmwG7iKr153wwGMsUQUsleosYSHO+d0X76C+W7GvyIFg2uq9gn
         qIMd3zJbCWdEqVq00O9rBVGaJKDF6kMlY3Uxt9F9F05xiK5eeeZiUZ9jW2u61XzAwmr7
         eXqEmBQ1x1igtCZTOGksZ7OzAENIqkoGsUjtqsLOaAOBGcQIpX9bU9P7UAcPzV+D2McC
         +CQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding
         :content-language;
        bh=tZmwouYozNc+8c04ym3LmTVvUYeGPhSISwyA93IHVYs=;
        b=KRJCKb8dvpvmKUdWOujd5hBcZ5tqxG3voMBpFla5joiJRdoyf1BEzyrOne8md6c4nw
         TnltgfFfP4OSr3s6bGJnJaydJiMAy0QfaSOHLjqf3ccUw+bz554wybsARb4W6TWcrRVw
         rL/KeiJb07cym2w2aDRcKj0wky65BKOnL8V8M3+xjX9plFlCEr3L2I9qIZcA7c9KJp5R
         TDfBWOybNiulk0ARQQI99oFVaEoKy8npYR7L2WVUfFN6A3sb2GomK/rvV5EzWKM1hh2I
         VvczN3TY6HUefTbM2wCTuFnEbTij0BrFjcFD+1wrEh5AibDPUP8u8nirOAhepLO62rry
         unsw==
X-Gm-Message-State: APt69E3j1F7vK0KmxjvzRWE1HCdOY+Wbe0wytvG4N7cpvvU2QnPUaq42
        k7p7AvA+41/frrfCLFErmskW3Wd59nI=
X-Received: by 2002:aca:f516:: with SMTP id t22-v6mr18391296oih.56.1530560743426;
        Mon, 02 Jul 2018 12:45:43 -0700 (PDT)
Received: from [192.168.69.121] (107-198-5-8.lightspeed.irvnca.sbcglobal.net. [107.198.5.8])
        by smtp.gmail.com with ESMTPSA id d38-v6sm9856340otc.44.2018.07.02.12.45.42
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 02 Jul 2018 12:45:42 -0700 (PDT)
Subject: Re: [PATCH] 6lowpan: iphc: reset mac_header after decompress to fix
 panic
To:     Alexander Aring <aring@mojatatu.com>
Cc:     Jukka Rissanen <jukka.rissanen@linux.intel.com>,
        "David S. Miller" <davem@davemloft.net>,
        linux-bluetooth@vger.kernel.org, linux-wpan@vger.kernel.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20180619234406.8217-1-michael@opensourcefoundries.com>
 <20180702185438.dqqjg6k45iefj5is@x220t>
From:   Michael Scott <michael@opensourcefoundries.com>
Message-ID: <516fbc65-cc4b-8016-de5a-e2240b779d15@opensourcefoundries.com>
Date:   Mon, 2 Jul 2018 12:45:41 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <20180702185438.dqqjg6k45iefj5is@x220t>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello Alexander,


On 07/02/2018 11:54 AM, Alexander Aring wrote:
> Hi,
>
> On Tue, Jun 19, 2018 at 04:44:06PM -0700, Michael Scott wrote:
>> After decompression of 6lowpan socket data, an IPv6 header is inserted
>> before the existing socket payload.  After this, we reset the
>> network_header value of the skb to account for the difference in payload
>> size from prior to decompression + the addition of the IPv6 header.
>>
>> However, we fail to reset the mac_header value.
>>
>> Leaving the mac_header value untouched here, can cause a calculation
>> error in net/packet/af_packet.c packet_rcv() function when an
>> AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
>> interface.
>>
>> On line 2088, the data pointer is moved backward by the value returned
>> from skb_mac_header().  If skb->data is adjusted so that it is before
>> the skb->head pointer (which can happen when an old value of mac_header
>> is left in place) the kernel generates a panic in net/core/skbuff.c
>> line 1717.
>>
>> This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
>> 802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
>> sources for compression and decompression.
>>
>> Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
>> ---
>>   net/6lowpan/iphc.c | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
>> index 6b1042e21656..52fad5dad9f7 100644
>> --- a/net/6lowpan/iphc.c
>> +++ b/net/6lowpan/iphc.c
>> @@ -770,6 +770,7 @@ int lowpan_header_decompress(struct sk_buff *skb, const struct net_device *dev,
>>   		hdr.hop_limit, &hdr.daddr);
>>   
>>   	skb_push(skb, sizeof(hdr));
>> +	skb_reset_mac_header(skb);
>>   	skb_reset_network_header(skb);
>>   	skb_copy_to_linear_data(skb, &hdr, sizeof(hdr));
>>   
> I think it's good to make that if the mac_header gets a dangled pointer.
> But we don't have a mac header at this point anymore...
>
> There exists also some functionality that the MAC header is not set, I
> suppose this can be usefuly for tun like interfaces e.g. RAW IP what we
> have here.
>
> skb_mac_header_was_set
>
> which does:
>
> return skb->mac_header != (typeof(skb->mac_header))~0U;
>
> maybe we can set it as (typeof(skb->mac_header))~0U and then everything
> will run as far the kernel will not crash anymore.
>
> Question is for me: which upper layer wants access MAC header here on
> receive path?
> It cannot parsed anyhow because so far I know no upper layer can parse
> at the moment 802.15.4 frames (which is a complex format). Maybe over
> some header_ops callback?

I was testing a C program which performs NAT64 handling on packets
destined to a certain IPv6 subnet (64:ff9b::). To do this, the 
application opens a RAW socket like this: sniff_sock = socket(PF_PACKET, 
SOCK_RAW, htons(ETH_P_ALL)); It then sets promiscuous mode and enters a 
looping call of:
length = recv(sniff_sock, buffer, PACKET_BUFFER, MSG_TRUNC); My host PC 
kernel would then promptly crash on me. (I'm going to purposely avoid 
the obvious point of: this probably isn't the best way to parse packets 
for NAT64 translation as you will get every single packet incoming or 
outgoing on the host.) Turns out, testing the program on an 802.15.4 
6lowpan interface exposed some of the issues which this mailing list 
(but not myself) is well aware of (no L2 data in the RAW packets) and 
also led me to debugging this patch to stop the kernel crash. TL;DR: To 
summarize, any PF_PACKET SOCK_RAW socket which recv()'s IPv6 data from a 
6lowpan node will cause this kernel crash eventually (checked on kernel 
4.15, 4.16, 4.17 and 4.18-rc1). - Mike
>
> - Alex