AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
45b69848a2
kernel_optimize_test/include/net
History
Ziyang Xuan 8008e797ec ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr 
commit 85f0173df35e5462d89947135a6a5599c6c3ef6f upstream.

Change net device's MTU to smaller than IPV6_MIN_MTU or unregister
device while matching route. That may trigger null-ptr-deref bug
for ip6_ptr probability as following.

=========================================================
BUG: KASAN: null-ptr-deref in find_match.part.0+0x70/0x134
Read of size 4 at addr 0000000000000308 by task ping6/263

CPU: 2 PID: 263 Comm: ping6 Not tainted 5.19.0-rc7+ #14
Call trace:
 dump_backtrace+0x1a8/0x230
 show_stack+0x20/0x70
 dump_stack_lvl+0x68/0x84
 print_report+0xc4/0x120
 kasan_report+0x84/0x120
 __asan_load4+0x94/0xd0
 find_match.part.0+0x70/0x134
 __find_rr_leaf+0x408/0x470
 fib6_table_lookup+0x264/0x540
 ip6_pol_route+0xf4/0x260
 ip6_pol_route_output+0x58/0x70
 fib6_rule_lookup+0x1a8/0x330
 ip6_route_output_flags_noref+0xd8/0x1a0
 ip6_route_output_flags+0x58/0x160
 ip6_dst_lookup_tail+0x5b4/0x85c
 ip6_dst_lookup_flow+0x98/0x120
 rawv6_sendmsg+0x49c/0xc70
 inet_sendmsg+0x68/0x94

Reproducer as following:
Firstly, prepare conditions:
$ip netns add ns1
$ip netns add ns2
$ip link add veth1 type veth peer name veth2
$ip link set veth1 netns ns1
$ip link set veth2 netns ns2
$ip netns exec ns1 ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1
$ip netns exec ns2 ip -6 addr add 2001:0db8:0:f101::2/64 dev veth2
$ip netns exec ns1 ifconfig veth1 up
$ip netns exec ns2 ifconfig veth2 up
$ip netns exec ns1 ip -6 route add 2000::/64 dev veth1 metric 1
$ip netns exec ns2 ip -6 route add 2001::/64 dev veth2 metric 1

Secondly, execute the following two commands in two ssh windows
respectively:
$ip netns exec ns1 sh
$while true; do ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1; ip -6 route add 2000::/64 dev veth1 metric 1; ping6 2000::2; done

$ip netns exec ns1 sh
$while true; do ip link set veth1 mtu 1000; ip link set veth1 mtu 1500; sleep 5; done

It is because ip6_ptr has been assigned to NULL in addrconf_ifdown() firstly,
then ip6_ignore_linkdown() accesses ip6_ptr directly without NULL check.

	cpu0			cpu1
fib6_table_lookup
__find_rr_leaf
			addrconf_notify [ NETDEV_CHANGEMTU ]
			addrconf_ifdown
			RCU_INIT_POINTER(dev->ip6_ptr, NULL)
find_match
ip6_ignore_linkdown

So we can add NULL check for ip6_ptr before using in ip6_ignore_linkdown() to
fix the null-ptr-deref bug.

Fixes: dcd1f57295 ("net/ipv6: Remove fib6_idev")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20220728013307.656257-1-william.xuanziyang@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-03 12:00:46 +02:00
..
9p
bluetooth Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put 2022-08-03 12:00:43 +02:00
caif net: caif: add proper error handling 2021-06-10 13:39:24 +02:00
iucv
netfilter netfilter: nftables: add nft_parse_register_store() and use it 2022-06-29 08:59:46 +02:00
netns xfrm: rework default policy structure 2022-05-25 09:17:58 +02:00
nfc NFC: add NCI_UNREG flag to eliminate the race 2021-11-26 10:39:18 +01:00
phonet
sctp sctp: use call_rcu to free endpoint 2022-01-05 12:40:30 +01:00
tc_act net/sched: act_pedit: really ensure the skb is writable 2022-05-18 10:23:44 +02:00
6lowpan.h
act_api.h net: sched: fix err handler in tcf_action_init() 2021-04-14 08:42:05 +02:00
addrconf.h ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr 2022-08-03 12:00:46 +02:00
af_ieee802154.h
af_rxrpc.h
af_unix.h
af_vsock.h vsock: each transport cycles only on its own sockets 2022-03-23 09:13:27 +01:00
ah.h
arp.h ipv4: Invalidate neighbour for broadcast address upon address addition 2022-04-13 21:00:57 +02:00
atmclip.h
ax25.h ax25: fix reference count leaks of ax25_dev 2022-04-20 09:23:31 +02:00
ax88796.h
bareudp.h
bond_3ad.h bonding: fix data-races around agg_select_timer 2022-02-23 12:01:02 +01:00
bond_alb.h bonding: make tx_rebalance_counter an atomic 2021-12-14 11:32:36 +01:00
bond_options.h
bonding.h bonding: Add struct bond_ipesc to manage SA 2021-07-28 14:35:33 +02:00
bpf_sk_storage.h bpf: Change bpf_sk_storage_*() to accept ARG_PTR_TO_BTF_ID_SOCK_COMMON 2020-09-25 13:58:01 -07:00
busy_poll.h net: annotate data race around sk_ll_usec 2021-07-31 08:16:11 +02:00
calipso.h
cfg80211-wext.h
cfg80211.h cfg80211: fix management registrations locking 2021-11-02 19:48:20 +01:00
cfg802154.h
checksum.h net: Force inlining of checksum functions in net/checksum.h 2022-03-02 11:42:50 +01:00
cipso_ipv4.h
cls_cgroup.h
codel_impl.h
codel_qdisc.h
codel.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h devlink: Add enable_remote_dev_reset generic parameter 2020-10-09 12:06:53 -07:00
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h
dn_route.h
dn.h
dsa.h net: dsa: propagate switchdev vlan_filtering prepare phase to drivers 2020-10-05 05:56:48 -07:00
dsfield.h
dst_cache.h wireguard: device: reset peer src endpoint when netns exits 2021-12-08 09:03:22 +01:00
dst_metadata.h net: fix a memleak when uncloning an skb dst and its metadata 2022-02-16 12:54:26 +01:00
dst_ops.h
dst.h net: Consolidate common blackhole dst ops 2021-03-30 14:32:05 +02:00
erspan.h
esp.h esp: limit skb_page_frag_refill use to a single page 2022-04-27 13:53:48 +02:00
espintcp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h ipv6: fix memory leak in fib6_rule_suppress 2021-12-08 09:03:21 +01:00
firewire.h
flow_dissector.h net/sched: flower: fix parsing of ethertype following VLAN header 2022-04-20 09:23:11 +02:00
flow_offload.h netfilter: nf_tables: bail out early if hardware offload is not supported 2022-06-14 18:32:40 +02:00
flow.h lsm,selinux: pass flowi_common instead of flowi to the LSM hooks 2022-06-09 10:21:09 +02:00
fou.h
fq_impl.h
fq.h
garp.h
gen_stats.h
genetlink.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-10-05 18:40:01 -07:00
geneve.h
gre.h
gro_cells.h
gtp.h
gue.h
hwbm.h
icmp.h net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending 2021-03-04 11:38:46 +01:00
ieee80211_radiotap.h
ieee802154_netdev.h
if_inet6.h ipv6: fix locking issues with loops over idev->addr_list 2022-06-09 10:20:50 +02:00
ife.h
ila.h
inet_common.h
inet_connection_sock.h Revert "tcp: change pingpong threshold to 3" 2022-08-03 12:00:45 +02:00
inet_ecn.h inet_ecn: Fix endianness of checksum update when setting ECT(1) 2020-12-01 17:16:54 -08:00
inet_frag.h inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 10:54:33 +01:00
inet_hashtables.h secure_seq: use the 64 bits of the siphash for port offset calculation 2022-05-30 09:33:23 +02:00
inet_sock.h tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. 2022-07-29 17:19:13 +02:00
inet_timewait_sock.h
inet6_connection_sock.h
inet6_hashtables.h
inetpeer.h
ip_fib.h ipv4: convert fib_num_tclassid_users to atomic_t 2021-12-08 09:03:26 +01:00
ip_tunnels.h ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode 2022-05-09 09:05:04 +02:00
ip_vs.h
ip.h ip: Fix data-races around sysctl_ip_prot_sock. 2022-07-29 17:19:20 +02:00
ip6_checksum.h
ip6_fib.h ipv6: annotate accesses to fn->fn_sernum 2022-02-01 17:25:44 +01:00
ip6_route.h net: ipv6: fix returned variable type in ip6_skb_dst_mtu 2021-08-12 13:22:07 +02:00
ip6_tunnel.h ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode 2022-05-09 09:05:04 +02:00
ipcomp.h
ipconfig.h
ipv6_frag.h inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 10:54:33 +01:00
ipv6_stubs.h net: ipv6: add fib6_nh_release_dsts stub 2021-12-01 09:19:05 +01:00
ipv6.h ipv6: per-netns exclusive flowlabel checks 2022-02-23 12:01:01 +01:00
ipx.h
iw_handler.h
kcm.h
l3mdev.h
lag.h
lapb.h
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h net: llc: fix skb_over_panic 2021-08-04 12:46:43 +02:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h llc: fix out-of-bound array index in llc_sk_dev_hash() 2021-11-18 14:04:27 +01:00
lwtunnel.h
mac80211.h mac80211: Fix NULL ptr deref for injected rate info 2021-06-23 14:42:52 +02:00
mac802154.h
macsec.h net: macsec: fix the length used to copy the key for offloading 2021-07-14 16:56:28 +02:00
mip6.h
mld.h
mpls_iptunnel.h
mpls.h
mptcp.h net: tcp: drop unused function argument from mptcp_incoming_options 2020-09-24 20:17:01 -07:00
mrp.h
ncsi.h
ndisc.h
neighbour.h net, neigh: Enable state migration between NUD_PERMANENT and NTF_USE 2021-11-18 14:04:29 +01:00
net_failover.h
net_namespace.h net: make get_net_ns return error if NET_NS is disabled 2021-06-23 14:42:44 +02:00
net_ratelimit.h
netevent.h
netlabel.h
netlink.h netlink: export policy in extended ACK 2020-10-09 20:22:32 -07:00
netprio_cgroup.h
netrom.h
nexthop.h net: ipv4: Fix rtnexthop len when RTA_FLOW is present 2021-10-06 15:55:53 +02:00
nl802154.h net: ieee802154: handle iftypes as u32 2021-12-01 09:19:03 +01:00
nsh.h
p8022.h
page_pool.h mm: fix struct page layout on 32-bit systems 2021-05-19 10:13:17 +02:00
pie.h
ping.h
pkt_cls.h net: zero-initialize tc skb extension on allocation 2021-06-03 09:00:51 +02:00
pkt_sched.h net: prevent user from passing illegal stab size 2021-10-17 10:43:33 +02:00
pptp.h
protocol.h
psample.h psample: Add a fwd declaration for skbuff 2021-08-18 08:59:11 +02:00
psnap.h
raw.h raw: Fix a data-race around sysctl_raw_l3mdev_accept. 2022-07-21 21:20:10 +02:00
rawv6.h
red.h sch_red: fix off-by-one checks in red_check_params() 2021-04-14 08:42:07 +02:00
regulatory.h
request_sock.h
rose.h
route.h lsm,selinux: pass flowi_common instead of flowi to the LSM hooks 2022-06-09 10:21:09 +02:00
rpl.h
rsi_91x.h
rtnetlink.h can: dev: Move device back to init netns on owning netns delete 2021-03-30 14:32:08 +02:00
rtnh.h
sch_generic.h net: sched: add barrier to fix packet stuck problem for lockless qdisc 2022-06-14 18:32:36 +02:00
scm.h
secure_seq.h secure_seq: use the 64 bits of the siphash for port offset calculation 2022-05-30 09:33:23 +02:00
seg6_hmac.h
seg6_local.h
seg6.h
slhc_vj.h
smc.h net/smc: introduce CHID callback for ISM devices 2020-09-28 15:19:03 -07:00
snmp.h
sock_reuseport.h
sock.h net: Fix data-races around sysctl_mem. 2022-07-21 21:20:07 +02:00
Space.h
stp.h
strparser.h bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding 2021-11-18 14:04:27 +01:00
switchdev.h switchdev: mrp: Remove SWITCHDEV_ATTR_ID_MRP_PORT_STAT 2021-02-17 11:02:29 +01:00
tcp_states.h
tcp.h tcp: Fix a data-race around sysctl_tcp_adv_win_scale. 2022-08-03 12:00:44 +02:00
timewait_sock.h
tipc.h
tls_toe.h
tls.h net/tls: Check for errors in tls_device_init 2022-07-21 21:20:13 +02:00
transp_v6.h
tso.h
tun_proto.h
udp_tunnel.h udp: call udp_encap_enable for v6 sockets when enabling encap 2022-04-08 14:39:54 +02:00
udp.h udp: Fix a data-race around sysctl_udp_l3mdev_accept. 2022-07-29 17:19:21 +02:00
udplite.h
vsock_addr.h
vxlan.h net: sched: only keep the available bits when setting vxlan md->gbp 2020-09-14 16:49:39 -07:00
wext.h
wimax.h
x25.h
x25device.h
xdp_priv.h
xdp_sock_drv.h
xdp_sock.h xsk: Fix race in SKB mode transmit with shared cq 2021-01-17 14:17:05 +01:00
xdp.h xdp: Remove the xdp_attachment_flags_ok() callback 2020-12-09 16:27:42 +01:00
xfrm.h xfrm: fix "disable_policy" flag use when arriving from different devices 2022-05-25 09:17:58 +02:00
xsk_buff_pool.h xsk: Fix missing validation for skb and unaligned mode 2021-07-14 16:56:23 +02:00