From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Maria Pasechnik, Antoine Tenart, Jakub Kicinski
Subject: [PATCH 5.9 25/46] net: ip6_gre: set dev->hard_header_len when using header_ops
Date: Sun, 6 Dec 2020 12:17:33 +0100
Message-Id: <20201206111557.669687743@linuxfoundation.org>
In-Reply-To: <20201206111556.455533723@linuxfoundation.org>

From: Antoine Tenart

[ Upstream commit 832ba596494b2c9eac7760259eff2d8b7dcad0ee ]

syzkaller managed to crash the kernel using an NBMA ip6gre interface. I
could reproduce it creating an NBMA ip6gre interface and forwarding
traffic to it:

  skbuff: skb_under_panic: text:ffffffff8250e927 len:148 put:44 head:ffff8c03c7a33
  ------------[ cut here ]------------
  kernel BUG at net/core/skbuff.c:109!
  Call Trace:
  skb_push+0x10/0x10
  ip6gre_header+0x47/0x1b0
  neigh_connected_output+0xae/0xf0

ip6gre tunnel provides its own header_ops->create, and sets it
conditionally when initializing the tunnel in NBMA mode. When
header_ops->create is used, dev->hard_header_len should reflect the
length of the header created. Otherwise, when not used,
dev->needed_headroom should be used.

Fixes: eb95f52fc72d ("net: ipv6_gre: Fix GRO to work on IPv6 over GRE tap")
Cc: Maria Pasechnik
Signed-off-by: Antoine Tenart
Link: https://lore.kernel.org/r/20201130161911.464106-1-atenart@kernel.org
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv6/ip6_gre.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

--- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -1122,8 +1122,13 @@ static void ip6gre_tnl_link_config_route return; if (rt->dst.dev) { - dev->needed_headroom = rt->dst.dev->hard_header_len + - t_hlen; + unsigned short dst_len = rt->dst.dev->hard_header_len + + t_hlen; + + if (t->dev->header_ops) + dev->hard_header_len = dst_len; + else + dev->needed_headroom = dst_len; if (set_mtu) { dev->mtu = rt->dst.dev->mtu - t_hlen; @@ -1148,7 +1153,12 @@ static int ip6gre_calc_hlen(struct ip6_t tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen; t_hlen = tunnel->hlen + sizeof(struct ipv6hdr); - tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen; + + if (tunnel->dev->header_ops) + tunnel->dev->hard_header_len = LL_MAX_HEADER + t_hlen; + else + tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen; + return t_hlen; }
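
Review bot: In the first hunk (ip6gre_tnl_link_config_route) the new branch tests `t->dev->header_ops` but writes through `dev`, so a reader has to confirm elsewhere that both name the same net_device. If they do, test `dev->header_ops` so the condition and the assignment visibly refer to one object; if they can differ, say why in a comment. The local `dst_len` holds the lower device's hard_header_len plus t_hlen, so a more descriptive name or a short comment would help, as would one line noting that header_ops is only set in NBMA mode, which is what the commit message gives as the reason for choosing hard_header_len over needed_headroom.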
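
Review bot: The if/else on `tunnel->dev->header_ops` in the second hunk (ip6gre_calc_hlen) is only correct if header_ops has already been assigned when this function runs. The commit message says header_ops is set conditionally during tunnel initialization, so please confirm the call order or note it in a comment; otherwise the else branch is taken and hard_header_len is not set here for an NBMA tunnel. The same selection is repeated in ip6gre_tnl_link_config_route, so a small helper taking the device and the length would keep the two call sites from drifting apart. In both places the field that is not chosen keeps whatever value it had before, which is worth stating if that is intended.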