From: Haishuang Yan
To: "David S. Miller", Alexey Kuznetsov
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Haishuang Yan
Subject: [PATCH] ip6_tunnel: fix possible use-after-free on xmit
Date: Fri, 26 Jul 2019 00:40:17 +0800
Message-Id: <1564072817-13240-1-git-send-email-yanhaishuang@cmss.chinamobile.com>
X-Mailer: git-send-email 1.8.3.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

ip4ip6/ip6ip6 tunnels run iptunnel_handle_offloads on xmit which can cause a possible use-after-free accessing iph/ipv6h pointer since the packet will be 'uncloned' running pskb_expand_head if it is a cloned gso skb.

Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets")
Signed-off-by: Haishuang Yan
---
 net/ipv6/ip6_tunnel.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 3134fbb..754a484 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1278,12 +1278,11 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield, } fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL); + dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph)); if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) return -1; - dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph)); - skb_set_inner_ipproto(skb, IPPROTO_IPIP); err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
@@ -1367,12 +1366,11 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield, } fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL); + dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h)); if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) return -1; - dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h)); - skb_set_inner_ipproto(skb, IPPROTO_IPV6); err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
-- 
1.8.3.1
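Review bot: the correctness of the first hunk (@@ -1278, the IPv4-in-IPv6 path) rests entirely on ordering: `dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));` now runs before `iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)`, so `iph` is read before `pskb_expand_head()` can reallocate the head and leave the pointer dangling, but nothing in the hunk stops a later change from moving that read back below the offload call. Suggest a one-line comment above the moved line saying that `iph` must not be dereferenced after `iptunnel_handle_offloads()`, or re-deriving the header pointer from the skb after the call instead. The commit message should also state that this is the only use of `iph` left past that point, since the hunk shows just this one use being moved and a reviewer cannot tell from the diff whether any other dereference remains after the offload call.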
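Review bot: the second hunk (@@ -1367, the IPv6-in-IPv6 path) is the same reordering with `ipv6_get_dsfield(ipv6h)`, so the same point applies: a short comment at the moved line would make the required ordering explicit, and the commit message should confirm no other use of `ipv6h` follows `iptunnel_handle_offloads()`. Separately, the Fixes: tag cites a commit titled "ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets" while this patch touches only net/ipv6/ip6_tunnel.c; the cover text should say whether ip6_gre received the same dsfield-after-offloads ordering from that commit and, if it did, whether a matching change is still needed there.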