From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eric Dumazet, syzbot, "David S . Miller", Sasha Levin
Subject: [PATCH 5.10 094/238] net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()
Date: Sun, 24 Mar 2024 19:38:02 -0400
Message-ID: <20240324234027.1354210-95-sashal@kernel.org>
In-Reply-To: <20240324234027.1354210-1-sashal@kernel.org>
References: <20240324234027.1354210-1-sashal@kernel.org>

From: Eric Dumazet

[ Upstream commit b0ec2abf98267f14d032102551581c833b0659d3 ]

Apply the same fix as the ones found in:

8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()")

We have to save skb->network_header in a temporary variable
in order to be able to recompute the network_header pointer
after a pskb_inet_may_pull() call.

pskb_inet_may_pull() makes sure the needed headers are in skb->head.

syzbot reported:
BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409
__INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409
__ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389
ipgre_rcv net/ipv4/ip_gre.c:411 [inline]
gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447
gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163
ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:314 [inline]
ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:461 [inline]
ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
__netif_receive_skb_one_core net/core/dev.c:5534 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
netif_receive_skb_internal net/core/dev.c:5734 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5793
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556
tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055
call_write_iter include/linux/fs.h:2087 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb6b/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:652
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
__alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590
alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204
skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909
tun_build_skb drivers/net/tun.c:1686 [inline]
tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055
call_write_iter include/linux/fs.h:2087 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb6b/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xd0 fs/read_write.c:652
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Reported-by: syzbot
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/ipv4/ip_tunnel.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index 50f8231e9daec..0953d805cbbee 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c @@ -364,7 +364,7 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, bool log_ecn_error) { const struct iphdr *iph = ip_hdr(skb); - int err; + int nh, err; #ifdef CONFIG_NET_IPGRE_BROADCAST if (ipv4_is_multicast(iph->daddr)) { 
@@ -390,8 +390,21 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, tunnel->i_seqno = ntohl(tpi->seq) + 1; } + /* Save offset of outer header relative to skb->head, + * because we are going to reset the network header to the inner header + * and might change skb->head. + */ + nh = skb_network_header(skb) - skb->head; + skb_set_network_header(skb, (tunnel->dev->type == ARPHRD_ETHER) ? ETH_HLEN : 0); + if (!pskb_inet_may_pull(skb)) { + DEV_STATS_INC(tunnel->dev, rx_length_errors); + DEV_STATS_INC(tunnel->dev, rx_errors); + goto drop; + } + iph = (struct iphdr *)(skb->head + nh); + err = IP_ECN_decapsulate(iph, skb); if (unlikely(err)) { if (log_ecn_error) -- 2.43.0
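
Review bot: In the second hunk (@@ -390,8 +390,21 @@), once skb_set_network_header() has moved the network header to the inner packet, ip_hdr(skb) no longer describes the outer header, and only the local iph recomputed as skb->head + nh still does. The added comment explains why the offset is saved but not that outer-header reads after this point must go through iph, so it is worth saying that in the comment for anyone who later adds an ip_hdr(skb) call below it. Two smaller points on the same lines: the cast in `iph = (struct iphdr *)(skb->head + nh);` drops the const that iph is declared with in the first hunk's context, so `(const struct iphdr *)` would match the declaration; and the new drop path bumps rx_length_errors and rx_errors without any log, which is fine if it matches the other length-error drops in ip_tunnel_rcv(), but those are not visible in this hunk.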