Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp7150775rwr;
        Tue, 2 May 2023 10:07:22 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ40AG/TY+RlfDKruvgm/TAXpkpxfsrVleu2B7aD8/gQXjmYIpbTrZ5nh6Jjg6Tz6/Gz135Y
X-Received: by 2002:a05:6870:d88f:b0:183:fc80:7354 with SMTP id dv15-20020a056870d88f00b00183fc807354mr9129908oab.21.1683047242149;
        Tue, 02 May 2023 10:07:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1683047242; cv=none;
        d=google.com; s=arc-20160816;
        b=XSmYhMpEM9a/MDzpjZ8qiVMsX0fT7SvFzzvfWRMZUbfsFWLUuawnCUNOYoPebiFDX5
         WjWWih8Y3Acko1uI14EoLs+OA5IWT3RiFzOYyg+gwyhYyvCB28DyumHUWVyKsQdunke1
         iq7ZECDxWeEdlKEa1Wosa53vFTN2BsKS7K70yU6kSjEcTesqt3a9WBaXYd4z1DQveJfW
         ymlROTpQiGbqik2LMUylMOpi+9RHMm6pDmo9YI4UA7MM7f+J4H/vIjfRHPLrMlFM3niI
         3uGbkRbLSgDU+vuaYgvVZHhP5ovDbmlstdH2ms6Z3i/wO5KoJQYaAzPeBbKD/aXR+FuU
         yODw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=Xjw9vnnc0o6+C1mZlAslmiLAagFfmTRjAonNQuMQJNE=;
        b=po0MUM+CqgqFtTqwsWmu+JU7wtY7Y/xU95DJpjdbWaA+Srzk7mMUL9h/rlRpvzjPu8
         ZfQXLMe9hq7npqDuXt+EytzQ0HNnj8+ZHZ1W0jnP/IpbmSDe6UCze7EvI4NnXwpX0Ds2
         liIYnOo/SddoIZvMPrcAiU8CG7FoMoip9GA1jXztiIPJs/96n6VAP512L02zTHcDD5gV
         onq2MMXFViKDJQwPRwpDi+5yO1BVztTIIeZphZQM1p7/LZDgjgrdxUENL88/FjV+Xfog
         QjDlFEgVbPHAfflR0YJyGISjPNZJTmzj+sC250HnSiMuX0O8PAhIqyOxdlpErTOpni8F
         G7Tw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id z22-20020a9d7a56000000b006a5f763145fsi21973664otm.245.2023.05.02.10.07.08;
        Tue, 02 May 2023 10:07:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234114AbjEBQzB (ORCPT <rfc822;bainonline@gmail.com> + 99 others);
        Tue, 2 May 2023 12:55:01 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41148 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234122AbjEBQy7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 2 May 2023 12:54:59 -0400
Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [IPv6:2a0a:51c0:0:237:300::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5F8141BE5;
        Tue,  2 May 2023 09:54:57 -0700 (PDT)
Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92)
        (envelope-from <fw@strlen.de>)
        id 1pttH4-0005tY-Py; Tue, 02 May 2023 18:54:46 +0200
Date:   Tue, 2 May 2023 18:54:46 +0200
From:   Florian Westphal <fw@strlen.de>
To:     "Fengtao (fengtao, Euler)" <fengtao40@huawei.com>
Cc:     jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us,
        davem@davemloft.net, kuba@kernel.org, stephen@networkplumber.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        yanan@huawei.com, caowangbao@huawei.com
Subject: Re: BUG: KASAN: stack-out-of-bounds in __ip_options_echo
Message-ID: <20230502165446.GA22029@breakpoint.cc>
References: <05324dd2-3620-8f07-60a0-051814913ff8@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <05324dd2-3620-8f07-60a0-051814913ff8@huawei.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
        SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Fengtao (fengtao, Euler) <fengtao40@huawei.com> wrote:
> Hi,all
> 
> We found the following crash on stable-5.10(reproduce in kasan kernel).
> ------------[ cut here ]------------
> [ 2203.651571] BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x589/0x800
> [ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task swapper/3/0
> 
> [ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted 5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
> [ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
> [ 2203.655475] Call Trace:
> [ 2203.655481]  <IRQ>
> [ 2203.655501]  dump_stack+0x9c/0xd3
> [ 2203.655514]  print_address_description.constprop.0+0x19/0x170
> [ 2203.655522]  ? __ip_options_echo+0x589/0x800
> [ 2203.655530]  __kasan_report.cold+0x6c/0x84
> [ 2203.655569]  ? resolve_normal_ct+0x301/0x430 [nf_conntrack]
> [ 2203.655576]  ? __ip_options_echo+0x589/0x800
> [ 2203.655586]  kasan_report+0x3a/0x50
> [ 2203.655594]  check_memory_region+0xfd/0x1f0
> [ 2203.655601]  memcpy+0x39/0x60
> [ 2203.655608]  __ip_options_echo+0x589/0x800
[..]

> [ 2203.655702]  ? tcp_print_conntrack+0xb0/0xb0 [nf_conntrack]
> [ 2203.655709]  ? memset+0x20/0x50
> [ 2203.655719]  ? nf_nat_setup_info+0x2fb/0x480 [nf_nat]
> [ 2203.655729]  ? get_unique_tuple+0x390/0x390 [nf_nat]
> [ 2203.655735]  ? tcp_mt+0x456/0x550
> [ 2203.655747]  ? ipt_do_table+0x776/0xa40 [ip_tables]
> [ 2203.655755]  nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
> [ 2203.655763]  reject_tg+0x77/0x1bf [ipt_REJECT]
> [ 2203.655772]  ipt_do_table+0x691/0xa40 [ip_tables]
[..]
> [ 2203.655857]  ip_local_out+0x28/0x90
> [ 2203.655868]  ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]

Somewhere between ipvlan_queue_xmit() and ipvlan_process_v4|6_outbound
skb->cb has to be cleared; ip_local_out and friends assume that upper
layer took care of this for outbound packets.

Try something like this (not even compile tested):

diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -436,6 +436,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
 		goto err;
 	}
 	skb_dst_set(skb, &rt->dst);
+
+	memset(skb->cb 0, sizeof(struct inet_skb_parm));
+
 	err = ip_local_out(net, skb->sk, skb);
 	if (unlikely(net_xmit_eval(err)))
 		dev->stats.tx_errors++;
@@ -474,6 +477,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
 		goto err;
 	}
 	skb_dst_set(skb, dst);
+
+	memset(skb->cb 0, sizeof(struct inet6_skb_parm));
+
 	err = ip6_local_out(net, skb->sk, skb);
 	if (unlikely(net_xmit_eval(err)))
 		dev->stats.tx_errors++;