Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp537445ybi; Fri, 26 Jul 2019 14:19:22 -0700 (PDT) X-Google-Smtp-Source: APXvYqw0PLupVnyuPTqlTdtA6uSHoMGGGaBwC/UY8PcRrOgyCg7Z8//yzK+RoCF+wTdyt57i/I82 X-Received: by 2002:a63:d30f:: with SMTP id b15mr92352245pgg.341.1564175961853; Fri, 26 Jul 2019 14:19:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564175961; cv=none; d=google.com; s=arc-20160816; b=cr+CT00qHvHoSr3TVVXeBwC0lTLSoVlqYMLNYpcjWNWJpV7Ox1OrSsn2CLrhe11Lvv T+vK+6dPKcKgxK4jCmMcepnoMyD9e7bW7enjDwN7lW7THfZEUD4Ku/trAIwvVNRqY2ZX rezquP3yfbTB860G1/v4bBJ1BB14h8jzi8cVtxCULZg6j0wlgLbFgAwS7+U8J28ognGl fVFMAC+FpWb0uPgjtJcrpvj7+cSmsj0WDwPMQs02WviSbMdLS54hjzRQLbKHlnut2kEx 2YcHq5+fr3nXVUa8Zh6uZGpVD8uDkGI1NsIY0wLYJG/tiLUa418mnSzm1Uspx4ejamNK JWAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:from:subject:cc:to:message-id:date; bh=KwzbJWoMAEWdM7X1oOCmrqDg81iqhWmeLGGycacNYFs=; b=rjHHd8oEr7RNqPROi+VljcHWdMsW/O1thgBmRe6EUZuoZNk6JJ9LYArjZjBKH2Hpwc UVU/My3a4xuJi8EIDwIPXHUEQvxEIDRQ0NXKKo2YQFGmWvwmSepnFNJ57Pq4945zqBo5 oN3/Xq/ymnKT0RIxI9DwjvtYI5l9yeMkd/DjMy8BOQCIJUUaKNf8t1x+nrXVRk6WV073 qJ1TuA+mc/ZvGQE8terU3bX43cpQM5hh5WLIL/DuXzNeSMLwnBHjXKbLlNtQAAvpA+WJ jiyGGazfV5tT7SRsou5nFYAhI90ri16Po+8hkbAhNj+XGLGGjMxTcTH/asFeDxJWSxMr Lu4w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h18si19438095pjt.9.2019.07.26.14.19.06; Fri, 26 Jul 2019 14:19:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728320AbfGZVSc (ORCPT + 99 others); Fri, 26 Jul 2019 17:18:32 -0400 Received: from shards.monkeyblade.net ([23.128.96.9]:55254 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726102AbfGZVSc (ORCPT ); Fri, 26 Jul 2019 17:18:32 -0400 Received: from localhost (unknown [IPv6:2601:601:9f80:35cd::d71]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: davem-davemloft) by shards.monkeyblade.net (Postfix) with ESMTPSA id 1460312B8A119; Fri, 26 Jul 2019 14:18:31 -0700 (PDT) Date: Fri, 26 Jul 2019 14:18:30 -0700 (PDT) Message-Id: <20190726.141830.1385987551076676185.davem@davemloft.net> To: yanhaishuang@cmss.chinamobile.com Cc: kuznet@ms2.inr.ac.ru, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] ip6_tunnel: fix possible use-after-free on xmit From: David Miller In-Reply-To: <1564072817-13240-1-git-send-email-yanhaishuang@cmss.chinamobile.com> References: <1564072817-13240-1-git-send-email-yanhaishuang@cmss.chinamobile.com> X-Mailer: Mew version 6.8 on Emacs 26.1 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Fri, 26 Jul 2019 14:18:31 -0700 (PDT) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Haishuang Yan Date: Fri, 26 Jul 2019 00:40:17 +0800 > ip4ip6/ip6ip6 tunnels run iptunnel_handle_offloads on xmit which > can cause a possible use-after-free accessing iph/ipv6h pointer > since the packet will be 'uncloned' running pskb_expand_head if > it is a cloned gso skb. > > Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets") > Signed-off-by: Haishuang Yan Applied and queued up for -stable, thanks.