From: Eric Dumazet
Date: Tue, 1 Aug 2023 09:51:29 +0200
Subject: Re: [PATCH v3] ip6mr: Fix skb_under_panic in ip6mr_cache_report()
To: Yue Haibing
Cc: davem@davemloft.net, dsahern@kernel.org, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, simon.horman@corigine.com

On Tue, Aug 1, 2023 at 8:45 AM Yue Haibing wrote:
>
> skbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4
> head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg
>
> When setting up a vlan device on dev pim6reg, DAD ns packet may be sent on reg_vif_xmit().
> reg_vif_xmit()
>     ip6mr_cache_report()
>         skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4
> And skb_push is declared as:
>     void *skb_push(struct sk_buff *skb, unsigned int len);
>         skb->data -= len;
>         //0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850
> skb->data is set to 0xffff887f5f86a850, which is an invalid mem addr, leading skb_push() to fail.
>
> Fixes: 14fb64e1f449 ("[IPV6] MROUTE: Support PIM-SM (SSM).")
> Signed-off-by: Yue Haibing
> ---
> v3: drop unnecessary nhoff change
> v2: Use __skb_pull() and fix commit log.
> ---
>  net/ipv6/ip6mr.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
> index cc3d5ad17257..67a3b8f6e72b 100644
> --- a/net/ipv6/ip6mr.c
> +++ b/net/ipv6/ip6mr.c
> @@ -1073,7 +1073,7 @@ static int ip6mr_cache_report(const struct mr_table= *mrt, struct sk_buff *pkt, > And all this only to mangle msg->im6_msgtype and > to set msg->im6_mbz to "mbz" :-) > */ > - skb_push(skb, -skb_network_offset(pkt)); > + __skb_pull(skb, skb_network_offset(pkt)); > > skb_push(skb, sizeof(*msg)); > skb_reset_transport_header(skb); Presumably this code has never been tested :/ Reviewed-by: Eric Dumazet
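
Review bot: the added __skb_pull(skb, skb_network_offset(pkt)) line takes its length from pkt but applies it to skb, and __skb_pull() skips the len > skb->len check that skb_pull() performs, so the call is only safe while skb starts with the same leading bytes as pkt and the offset is non-negative. A short comment at the call naming what is being stripped (the 4 bytes ahead of the network header in the reported case) would make that assumption visible, since the existing comment above it only mentions im6_msgtype and im6_mbz. Because the old line panicked on the first packet that reached it, a regression test that transmits through a vlan on pim6reg would also be worth adding alongside the fix.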
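
The pointer arithmetic from the commit message, as an added user-space example (not code from the patch or the kernel). struct toy_skb and its helpers are hypothetical stand-ins for the sk_buff fields; the addresses come from the panic line, and the starting len of 60 is an assumption derived from "len:56 put:-4".

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of the sk_buff fields in the panic line (not the kernel struct). */
struct toy_skb { uint64_t head, data, end; unsigned int len; };

/* Same parameter type as skb_push(): the length is unsigned. */
static void toy_push(struct toy_skb *skb, unsigned int len)
{
    skb->data -= len;   /* len widens to 0x00000000fffffffc, data drops by ~4 GiB */
    skb->len  += len;   /* 32-bit wrap: 60 + 0xfffffffc == 56 */
}

/* Same shape as __skb_pull(): advance data, shrink len, no bounds check. */
static void toy_pull(struct toy_skb *skb, unsigned int len)
{
    skb->len  -= len;
    skb->data += len;
}

static int data_in_buffer(const struct toy_skb *skb)
{
    return skb->data >= skb->head && skb->data <= skb->end;
}

/* State before the call: head/data from the report, end = head + 0x2c0. */
static struct toy_skb before(void)
{
    struct toy_skb s = { 0xffff88805f86a800ULL, 0xffff88805f86a84cULL,
                         0xffff88805f86a800ULL + 0x2c0, 60 /* assumed */ };
    return s;
}

static struct toy_skb run_old(int network_offset)
{
    struct toy_skb s = before();
    /* The kernel call converts implicitly; the cast makes it visible. */
    toy_push(&s, (unsigned int)-network_offset);
    return s;
}

static struct toy_skb run_fixed(int network_offset)
{
    struct toy_skb s = before();
    toy_pull(&s, (unsigned int)network_offset);
    return s;
}

int main(void)
{
    struct toy_skb o = run_old(4), f = run_fixed(4);
    printf("old:   data=%#llx in_buffer=%d\n", (unsigned long long)o.data, data_in_buffer(&o));
    printf("fixed: data=%#llx in_buffer=%d\n", (unsigned long long)f.data, data_in_buffer(&f));
    return 0;
}
```

Both paths end with len 56, which is why the length field in the panic line looks plausible while the data pointer is 2^32 bytes below where the fixed call leaves it.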