Subject: Re: [PATCH] 6lowpan: iphc: reset mac_header after decompress to fix panic
To: Michael Scott
Cc: Alexander Aring, Jukka Rissanen, "David S. Miller", linux-bluetooth@vger.kernel.org, linux-wpan@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
From: Stefan Schmidt
Date: Thu, 5 Jul 2018 13:34:54 +0200

Hello Jukka.

On 20.06.2018 01:44, Michael Scott wrote:
> After decompression of 6lowpan socket data, an IPv6 header is inserted
> before the existing socket payload. After this, we reset the
> network_header value of the skb to account for the difference in payload
> size from prior to decompression + the addition of the IPv6 header.
>
> However, we fail to reset the mac_header value.
>
> Leaving the mac_header value untouched here, can cause a calculation
> error in net/packet/af_packet.c packet_rcv() function when an
> AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
> interface.
>
> On line 2088, the data pointer is moved backward by the value returned
> from skb_mac_header(). If skb->data is adjusted so that it is before
> the skb->head pointer (which can happen when an old value of mac_header
> is left in place) the kernel generates a panic in net/core/skbuff.c
> line 1717.
>
> This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
> 802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
> sources for compression and decompression.
>
> Signed-off-by: Michael Scott
> --- > net/6lowpan/iphc.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c > index 6b1042e21656..52fad5dad9f7 100644 > --- a/net/6lowpan/iphc.c > +++ b/net/6lowpan/iphc.c
> @@ -770,6 +770,7 @@ int lowpan_header_decompress(struct sk_buff *skb, const struct net_device *dev, > hdr.hop_limit, &hdr.daddr); > > skb_push(skb, sizeof(hdr)); > + skb_reset_mac_header(skb); > skb_reset_network_header(skb); > skb_copy_to_linear_data(skb, &hdr, sizeof(hdr)); > >

Alex acked this patch for the ieee802154 side. Could you test it for the bluetooth 6lowpan side and ack or nack as well? So far plain 6lowpan subsystem patches would still go through the bluetooth tree after Alex and you acked them. I guess Marcel or Johan are just waiting for your review.

regards
Stefan Schmidt
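
Review bot: The added skb_reset_mac_header(skb), placed between skb_push(skb, sizeof(hdr)) and skb_reset_network_header(skb), leaves mac_header and network_header at the same offset, and neither the code nor the commit message says that this is the intended result. A one-line comment above the call would help, for example that the old mac_header offset is stale once the IPv6 header has been pushed and must not be left for packet_rcv() to use via skb_mac_header(). The commit message also identifies the failure by line number (af_packet.c line 2088, skbuff.c line 1717), which will drift as those files change; naming the function and the check that fires would be more durable. Since the change is described as fixing a panic, a Fixes: tag pointing at the commit that introduced the stale offset would let it be picked up for stable trees.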