Return-Path: Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\)) Subject: Re: [PATCH] 6lowpan: iphc: reset mac_header after decompress to fix panic From: Marcel Holtmann In-Reply-To: <20180619234406.8217-1-michael@opensourcefoundries.com> Date: Fri, 6 Jul 2018 12:46:20 +0200 Cc: Alexander Aring , Jukka Rissanen , "David S. Miller" , linux-bluetooth@vger.kernel.org, linux-wpan@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Message-Id: <3AAE601A-9D04-4BC5-8D96-5570F4C53F3B@holtmann.org> References: <20180619234406.8217-1-michael@opensourcefoundries.com> To: Michael Scott Sender: linux-bluetooth-owner@vger.kernel.org List-ID: Hi Michael, > After decompression of 6lowpan socket data, an IPv6 header is inserted > before the existing socket payload. After this, we reset the > network_header value of the skb to account for the difference in payload > size from prior to decompression + the addition of the IPv6 header. > > However, we fail to reset the mac_header value. > > Leaving the mac_header value untouched here, can cause a calculation > error in net/packet/af_packet.c packet_rcv() function when an > AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan > interface. > > On line 2088, the data pointer is moved backward by the value returned > from skb_mac_header(). If skb->data is adjusted so that it is before > the skb->head pointer (which can happen when an old value of mac_header > is left in place) the kernel generates a panic in net/core/skbuff.c > line 1717. > > This panic can be generated by BLE 6lowpan interfaces (such as bt0) and > 802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan > sources for compression and decompression. > > Signed-off-by: Michael Scott > --- > net/6lowpan/iphc.c | 1 + > 1 file changed, 1 insertion(+) patch has been applied to bluetooth-next tree. Regards Marcel