Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3912367imm; Mon, 8 Oct 2018 11:34:27 -0700 (PDT) X-Google-Smtp-Source: ACcGV61hYGSxArvBjCjfbYsa8rLRToirsTGjeGTA+Nak2tjRjRVyVOPAc1lo6vGGKSEEyHdr4eVa X-Received: by 2002:a62:2741:: with SMTP id n62-v6mr19277483pfn.138.1539023667389; Mon, 08 Oct 2018 11:34:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539023667; cv=none; d=google.com; s=arc-20160816; b=XzrY1IeBNdRPfgEyYA3at1x4KXkV1db3xZDtshVtjiR5q2hqd65GRdGkqPITXj72q2 77sbIDuguVsJC1esHAsA6HbXhchrQE63CMp+1og92X98Ssyd5X7Sx7x7Y8ggf9uOxBck ZqCPVgXBHgWdwJjat3m/BTgfMu3V9+wEAs2Od5SlXOyi+OZfd62nug1OIaE7UzNvhlXz iIccLQpO/wg1QyWCumhvQOOxqrtMCWkk6LAmC43CiRPyvjpTBZWWgfvQX0nFtvpDAEuJ QtZOeKozKPHwHmV8TOI28k3pJ/NExEDy+kJChmae4gw06RaN7hFaelBUBUaIr1KhHHpX ICOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=pknMiq7Jt2pwoOi7wZmZHv9cdgCPVOMPKVKbjHmqNLs=; b=zlWFOGcKu9xxiTy/2/SdlBvuLk8cgUmhEcPAyMcoI2SFujQOWLBYXV3gP2qElOAaFh 2cIOp+c2N1G2I/6c/3t3nJroxrBcBuQD2l3/DvetuYRjmp5VfePBTrB9guS7gzPfmZLw IwYlL3FxEjgTOMi8zQT8h87GGUSgsZNo53SA3zmsFmNSH3AE45mftOtNwhMD7Ssa7h3C U6dPkpJqE+M14Nk/03yr8m5+4ZMsjaxcoNzE6Gjh6EbpMHqxkclBydDgeMu2V86aBvdF tkhojkP/VCEjuhObIsDvxk0FOmhMl+C4ROK5B/GTq0gjulG+/EnwZ6JA/0JYLmvfPUjD 46mQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ZDh+z50I; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k5-v6si17582704pgi.99.2018.10.08.11.34.12; Mon, 08 Oct 2018 11:34:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ZDh+z50I; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726569AbeJIBpu (ORCPT + 99 others); Mon, 8 Oct 2018 21:45:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:55376 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726434AbeJIBpt (ORCPT ); Mon, 8 Oct 2018 21:45:49 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D88862089D; Mon, 8 Oct 2018 18:32:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539023567; bh=NLIyqUPgRwQtrXYFuVOofXRFCywQEYnv+uxPVquxTZo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZDh+z50IHSBYRtRmw+/1Pl5KJ5XzmM/yza/yohbOdC8ox1c0O/mtp+QlG8mGvfR0C 83Iuh4VxKFh6wlGYc/1S+WVz0DhnASoo27WDDi+Ss3KlSI/t6+pe72cVmU++/zG+A8 HIlvCdjcRIeioc7B9PbSjYaZVA3cbsBIz3tSA0WU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Michael Scott , Alexander Aring , Jukka Rissanen , Marcel Holtmann , Sasha Levin Subject: [PATCH 4.4 010/113] 6lowpan: iphc: reset mac_header after decompress to fix panic Date: Mon, 8 Oct 2018 20:30:11 +0200 Message-Id: <20181008175531.347067225@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181008175530.864641368@linuxfoundation.org> References: <20181008175530.864641368@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Michael Scott [ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ] After decompression of 6lowpan socket data, an IPv6 header is inserted before the existing socket payload. After this, we reset the network_header value of the skb to account for the difference in payload size from prior to decompression + the addition of the IPv6 header. However, we fail to reset the mac_header value. Leaving the mac_header value untouched here, can cause a calculation error in net/packet/af_packet.c packet_rcv() function when an AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan interface. On line 2088, the data pointer is moved backward by the value returned from skb_mac_header(). If skb->data is adjusted so that it is before the skb->head pointer (which can happen when an old value of mac_header is left in place) the kernel generates a panic in net/core/skbuff.c line 1717. This panic can be generated by BLE 6lowpan interfaces (such as bt0) and 802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan sources for compression and decompression. Signed-off-by: Michael Scott Acked-by: Alexander Aring Acked-by: Jukka Rissanen Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/6lowpan/iphc.c | 1 + 1 file changed, 1 insertion(+) --- a/net/6lowpan/iphc.c +++ b/net/6lowpan/iphc.c @@ -569,6 +569,7 @@ int lowpan_header_decompress(struct sk_b hdr.hop_limit, &hdr.daddr); skb_push(skb, sizeof(hdr)); + skb_reset_mac_header(skb); skb_reset_network_header(skb); skb_copy_to_linear_data(skb, &hdr, sizeof(hdr));