OpenCloudOS-Kernel/drivers
Guillaume Nault 02612bb05e pppoe: take ->needed_headroom of lower device into account on xmit
In pppoe_sendmsg(), reserving dev->hard_header_len bytes of headroom
was probably fine before the introduction of ->needed_headroom in
commit f5184d267c ("net: Allow netdevices to specify needed head/tailroom").

But now, virtual devices typically advertise the size of their overhead
in dev->needed_headroom, so we must also take it into account in
skb_reserve().
Allocation size of skb is also updated to take dev->needed_tailroom
into account and replace the arbitrary 32 bytes with the real size of
a PPPoE header.

This issue was discovered by syzbot, who connected a pppoe socket to a
gre device which had dev->header_ops->create == ipgre_header and
dev->hard_header_len == 0. Therefore, PPPoE didn't reserve any
headroom, and dev_hard_header() crashed when ipgre_header() tried to
prepend its header to skb->data.

skbuff: skb_under_panic: text:000000001d390b3a len:31 put:24
head:00000000d8ed776f data:000000008150e823 tail:0x7 end:0xc0 dev:gre0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:104!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3670 Comm: syzkaller801466 Not tainted
4.15.0-rc7-next-20180115+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:skb_panic+0x162/0x1f0 net/core/skbuff.c:100
RSP: 0018:ffff8801d9bd7840 EFLAGS: 00010282
RAX: 0000000000000083 RBX: ffff8801d4f083c0 RCX: 0000000000000000
RDX: 0000000000000083 RSI: 1ffff1003b37ae92 RDI: ffffed003b37aefc
RBP: ffff8801d9bd78a8 R08: 1ffff1003b37ae8a R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff86200de0
R13: ffffffff84a981ad R14: 0000000000000018 R15: ffff8801d2d34180
FS:  00000000019c4880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000208bc000 CR3: 00000001d9111001 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  skb_under_panic net/core/skbuff.c:114 [inline]
  skb_push+0xce/0xf0 net/core/skbuff.c:1714
  ipgre_header+0x6d/0x4e0 net/ipv4/ip_gre.c:879
  dev_hard_header include/linux/netdevice.h:2723 [inline]
  pppoe_sendmsg+0x58e/0x8b0 drivers/net/ppp/pppoe.c:890
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  sock_write_iter+0x31a/0x5d0 net/socket.c:909
  call_write_iter include/linux/fs.h:1775 [inline]
  do_iter_readv_writev+0x525/0x7f0 fs/read_write.c:653
  do_iter_write+0x154/0x540 fs/read_write.c:932
  vfs_writev+0x18a/0x340 fs/read_write.c:977
  do_writev+0xfc/0x2a0 fs/read_write.c:1012
  SYSC_writev fs/read_write.c:1085 [inline]
  SyS_writev+0x27/0x30 fs/read_write.c:1082
  entry_SYSCALL_64_fastpath+0x29/0xa0

Admittedly PPPoE shouldn't be allowed to run on non Ethernet-like
interfaces, but reserving space for ->needed_headroom is a more
fundamental issue that needs to be addressed first.

Same problem exists for __pppoe_xmit(), which also needs to take
dev->needed_headroom into account in skb_cow_head().

Fixes: f5184d267c ("net: Allow netdevices to specify needed head/tailroom")
Reported-by: syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c14d@syzkaller.appspotmail.com
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-23 19:44:44 -05:00
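The headroom arithmetic the commit describes, as an added example in C that is not the kernel's code or the commit's diff: a userspace model of the sk_buff head/data/tail/end pointers, with the pre-fix reservation (hard_header_len only, 32 bytes of slack) beside the corrected one (hard_header_len plus needed_headroom reserved; allocation sized from the real PPPoE header and needed_tailroom). The model_* names and structs are stand-ins, not the kernel's definitions; the model sums the two headroom fields directly with none of the kernel's rounding. For the gre-like device, hard_header_len == 0 and the 24-byte header push come from the report and trace (put:24); its needed_headroom == 24 and the 23-byte payload (len:31 minus the 8-byte PPPoE header) are assumed values chosen to match that trace.

```c
/*
 * Added example (not the kernel's code): a userspace model of the sk_buff
 * headroom accounting in pppoe_sendmsg(), showing the bug class fixed by
 * commit 02612bb05e. model_* names and structs are stand-ins for the
 * kernel's sk_buff and net_device, not the real definitions.
 */
#include <stdio.h>
#include <stdlib.h>

#define PPPOE_SES_HLEN 8 /* size of a PPPoE session header (struct pppoe_hdr) */

struct model_dev {                   /* the net_device fields that matter here */
    const char *name;
    unsigned short hard_header_len;  /* legacy link-header size */
    unsigned short needed_headroom;  /* extra headroom a virtual device wants */
    unsigned short needed_tailroom;  /* extra tailroom a virtual device wants */
    unsigned int hdr_push;           /* bytes its header_ops->create pushes */
};

struct model_skb {                   /* linear part of an sk_buff */
    unsigned char *head, *data, *tail, *end;
};

static struct model_skb *model_alloc_skb(size_t len)
{
    struct model_skb *skb = calloc(1, sizeof(*skb));

    if (!skb || !(skb->head = malloc(len))) {
        free(skb);
        return NULL;
    }
    skb->data = skb->tail = skb->head;
    skb->end = skb->head + len;
    return skb;
}

static void model_free_skb(struct model_skb *skb)
{
    if (skb) { free(skb->head); free(skb); }
}

/* skb_reserve(): advance data/tail to leave len bytes of headroom. */
static void model_skb_reserve(struct model_skb *skb, size_t len)
{
    skb->data += len;
    skb->tail += len;
}

/* skb_put(): append len bytes; -1 where the kernel would skb_over_panic(). */
static int model_skb_put(struct model_skb *skb, size_t len)
{
    if ((size_t)(skb->end - skb->tail) < len)
        return -1;
    skb->tail += len;
    return 0;
}

/* skb_push(): prepend len bytes; -1 where the kernel would skb_under_panic(). */
static int model_skb_push(struct model_skb *skb, size_t len)
{
    if ((size_t)(skb->data - skb->head) < len)
        return -1;
    skb->data -= len;
    return 0;
}

/*
 * pppoe_sendmsg() transmit path for total_len payload bytes.
 * fixed == 0: reserve hard_header_len only, 32 bytes of slack (pre-fix).
 * fixed == 1: reserve hard_header_len + needed_headroom, allocate the real
 *             PPPoE header size plus needed_tailroom (what the commit describes).
 * Returns 0 if dev_hard_header() fits, -1 if its skb_push() would underflow.
 */
static int model_pppoe_sendmsg(const struct model_dev *dev, size_t total_len, int fixed)
{
    size_t hlen = dev->hard_header_len + (fixed ? dev->needed_headroom : 0);
    size_t alloc = hlen + total_len + (fixed ? PPPOE_SES_HLEN + dev->needed_tailroom : 32);
    struct model_skb *skb = model_alloc_skb(alloc);
    int ret;

    if (!skb)
        return -1;
    model_skb_reserve(skb, hlen);
    ret = model_skb_put(skb, PPPOE_SES_HLEN + total_len); /* PPPoE hdr + payload */
    if (ret == 0) /* dev_hard_header() -> header_ops->create prepends its header */
        ret = model_skb_push(skb, dev->hdr_push);
    model_free_skb(skb);
    return ret;
}

int main(void)
{
    /* gre0 as reported: hard_header_len == 0 and a 24-byte header push (put:24
     * in the trace); needed_headroom == 24 is an assumed value. */
    const struct model_dev gre0 = { "gre0", 0, 24, 0, 24 };
    const struct model_dev eth0 = { "eth0", 14, 0, 0, 14 }; /* Ethernet-like */
    const struct model_dev *devs[] = { &gre0, &eth0 };
    size_t i;

    for (i = 0; i < 2; i++)
        printf("%s: pre-fix %s, fixed %s\n", devs[i]->name,
               model_pppoe_sendmsg(devs[i], 23, 0) ? "underflow" : "ok",
               model_pppoe_sendmsg(devs[i], 23, 1) ? "underflow" : "ok");
    return 0;
}
```

The point of the model is that an Ethernet-like lower device hides the bug: its hard_header_len already covers what its header_ops push, so both arithmetic variants pass, and only a device that advertises its overhead purely through needed_headroom makes the pre-fix reservation come up short.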
accessibility License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
acpi Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm 2017-12-23 13:47:22 -08:00
amba A couple of dma-mapping updates: 2017-11-14 16:54:12 -08:00
android binder: fix proc->files use-after-free 2017-12-18 15:47:12 +01:00
ata libata: apply MAX_SEC_1024 to all LITEON EP1 series devices 2017-12-19 05:30:38 -08:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-29 13:10:25 -08:00
auxdisplay auxdisplay: img-ascii-lcd: Only build on archs that have IOMEM 2017-11-27 12:36:45 -08:00
base Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-01-14 09:51:25 -08:00
bcma bcma: Fix 'allmodconfig' and BCMA builds on MIPS targets 2018-01-16 21:13:55 +02:00
block Two rbd fixes for 4.12 and 4.2 issues respectively, marked for stable. 2018-01-11 16:57:32 -08:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
bus Allwinner fixes for 4.15 2018-01-04 17:06:25 +01:00
cdrom Merge branch 'for-4.15/block' of git://git.kernel.dk/linux-block 2017-11-14 15:32:19 -08:00
char The big changes for IPMI that just went in had a few problems. These 2017-12-11 17:01:59 -08:00
clk clk: use atomic runtime pm api in clk_core_is_enabled 2017-12-26 17:34:03 -08:00
clocksource - final batch of "non trivial" timer conversions (multi-tree dependencies, 2017-11-23 16:29:05 +01:00
connector
cpufreq cpufreq: governor: Ensure sufficiently large sampling intervals 2017-12-18 12:09:39 +01:00
cpuidle powerpc updates for 4.15 2017-11-16 12:47:46 -08:00
crypto crypto: inside-secure - do not use areq->result for partial results 2017-12-22 19:48:01 +11:00
dax device-dax: implement ->split() to catch invalid munmap attempts 2017-11-29 18:40:42 -08:00
dca
devfreq Merge branches 'pm-devfreq' and 'pm-tools' 2017-11-13 01:41:39 +01:00
dio License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dma dmaengine: fsl-edma: disable clks on all error paths 2017-12-15 09:53:04 +05:30
dma-buf Tracing updates for 4.15: 2017-11-17 14:58:01 -08:00
edac Modules updates for v4.15 2017-11-15 13:46:33 -08:00
eisa License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
extcon USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
firewire Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
firmware efi/capsule-loader: Reinstate virtual capsule mapping 2018-01-03 13:54:31 +01:00
fmc License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fpga Char/Misc patches for 4.15-rc1 2017-11-16 09:10:59 -08:00
fsi
gpio gpio: mmio: Also read bits that are zero 2018-01-16 23:42:36 +01:00
gpu Display corruption regression bugfix with both a prep patch and a 2018-01-19 12:40:07 +10:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2017-12-30 10:16:51 -08:00
hsi HSI changes for the v4.15 series 2017-11-15 13:35:43 -08:00
hv vmbus: unregister device_obj->channels_kset 2017-12-18 15:47:12 +01:00
hwmon hwmon: Deal with errors from the thermal subsystem 2017-12-26 11:53:24 -08:00
hwspinlock hwspinlock update for v4.15 2017-11-17 20:16:20 -08:00
hwtracing tracing: Pass export pointer as argument to ->write() 2017-12-04 07:14:30 -05:00
i2c i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA 2018-01-17 15:35:21 +01:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide 2017-11-19 08:04:41 -10:00
idle Merge branch 'pm-cpuidle' 2017-11-13 01:34:14 +01:00
iio iio: health: max30102: Temperature should be in milli Celsius 2017-12-02 11:15:14 +00:00
infiniband Fifth pull request for 4.15-rc 2018-01-16 16:47:40 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2018-01-19 11:36:09 -08:00
iommu iommu/arm-smmu-v3: Cope with duplicated Stream IDs 2018-01-02 16:45:51 +00:00
ipack
irqchip genirq/irqdomain: Rename early argument of irq_domain_activate_irq() 2017-12-29 21:13:04 +01:00
isdn treewide: setup_timer() -> timer_setup() (2 field) 2017-11-21 15:57:09 -08:00
leds leds: core: Fix regression caused by commit 2b83ff96f5 2018-01-07 13:27:07 +01:00
lightnvm lightnvm: Convert timers to use timer_setup() 2017-11-21 15:46:44 -08:00
macintosh Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
mailbox Change to POLL api and fixes for FlexRM and OMAP driver 2017-11-15 13:39:18 -08:00
mcb License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
md dm crypt: fix error return code in crypt_ctr() 2018-01-17 09:10:55 -05:00
media media fixes for v4.15-rc3 2017-12-08 13:18:47 -08:00
memory ARM: SoC driver updates for v4.15 2017-11-16 16:05:01 -08:00
memstick treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
message Modules updates for v4.15 2017-11-15 13:46:33 -08:00
mfd mfd: rtsx: Release IRQ during shutdown 2018-01-05 11:14:57 +00:00
misc Merge branch 'WIP.x86-pti.base.prep-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-12-17 13:54:31 -08:00
mmc mmc: sdhci-esdhc-imx: Fix i.MX53 eSDHCv3 clock 2018-01-15 13:50:19 +01:00
mtd mtd: nand: pxa3xx: Fix READOOB implementation 2018-01-06 23:06:58 +01:00
mux mux: core: fix double get_device() 2018-01-09 14:19:41 +01:00
net pppoe: take ->needed_headroom of lower device into account on xmit 2018-01-23 19:44:44 -05:00
nfc treewide: setup_timer() -> timer_setup() (2 field) 2017-11-21 15:57:09 -08:00
ntb treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
nubus m68k updates for 4.15 2017-11-13 12:10:24 -08:00
nvdimm libnvdimm, btt: Fix an incompatibility in the log layout 2017-12-21 14:59:27 -08:00
nvme nvme-pci: take sglist coalescing in dma_map_sg into account 2018-01-17 14:05:35 -07:00
nvmem nvmem: meson-mx-efuse: fix reading from an offset other than 0 2017-12-23 16:46:23 +01:00
of of_mdio: avoid MDIO bus removal when a PHY is missing 2018-01-10 15:07:47 -05:00
opp
oprofile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
parisc parisc: Show unhashed EISA EEPROM address 2018-01-02 21:01:02 +01:00
parport Char/Misc patches for 4.15-rc1 2017-11-16 09:10:59 -08:00
pci Merge branch 'x86/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-12-31 13:13:56 -08:00
pcmcia drivers/pcmcia/sa1111_badge4.c: avoid unused function warning 2017-11-17 16:10:04 -08:00
perf arm64 updates for 4.15 2017-11-15 10:56:56 -08:00
phy phy: work around 'phys' references to usb-nop-xceiv devices 2018-01-19 16:12:37 +01:00
pinctrl genirq/irqdomain: Rename early argument of irq_domain_activate_irq() 2017-12-29 21:13:04 +01:00
platform platform/x86: wmi: Call acpi_wmi_init() later 2018-01-08 10:47:48 -08:00
pnp License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
power power supply and reset changes for the v4.15 series 2017-11-15 13:37:15 -08:00
powercap
pps treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
ps3
ptp xen: features and fixes for v4.15-rc1 2017-11-16 13:06:27 -08:00
pwm pwm: Changes for v4.15-rc1 2017-11-22 21:09:18 -10:00
rapidio Merge branch 'akpm' (patches from Andrew) 2017-11-17 16:56:17 -08:00
ras Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
regulator - New Drivers 2017-11-16 09:15:57 -08:00
remoteproc remoteproc updates for v4.15 2017-11-17 20:14:10 -08:00
reset ARM: SoC driver updates for v4.15 2017-11-16 16:05:01 -08:00
rpmsg rpmsg updates for v4.15 2017-11-17 20:12:08 -08:00
rtc Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-25 08:37:16 -10:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2018-01-05 12:17:33 -08:00
sbus Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc 2017-11-17 20:21:44 -08:00
scsi SCSI fixes on 20180119 2018-01-19 15:20:00 -08:00
sfi
sh A couple of dma-mapping updates: 2017-11-14 16:54:12 -08:00
sn
soc meson-gx-socinfo: Fix package id parsing 2017-11-30 15:29:44 -08:00
spi Merge remote-tracking branches 'spi/fix/armada', 'spi/fix/atmel', 'spi/fix/doc', 'spi/fix/imx', 'spi/fix/rspi', 'spi/fix/sun4i' and 'spi/fix/xilinx' into spi-linus 2017-12-19 11:07:00 +00:00
spmi
ssb ssb: Disable PCI host for PCI_DRIVERS_GENERIC 2018-01-16 21:15:58 +02:00
staging staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl 2018-01-09 15:32:11 +01:00
target block: fix blk_rq_append_bio 2017-12-18 13:55:43 -07:00
tc
tee optee: fix invalid of_node_put() in optee_driver_init() 2017-11-29 10:24:57 +01:00
thermal Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2017-11-17 14:31:27 -08:00
thunderbolt thunderbolt: Mask ring interrupt properly when polling starts 2017-12-16 16:37:51 +01:00
tty n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD) 2017-12-21 11:19:22 +01:00
uio License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
usb usb: misc: usb3503: make sure reset is low for at least 100us 2018-01-11 18:39:52 +01:00
uwb treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
vfio VFIO Updates for Linux v4.15 2017-11-14 16:47:47 -08:00
vhost vhost: fix skb leak in handle_rx() 2017-12-02 21:31:03 -05:00
video fbdev changes for v4.15: 2017-11-20 21:50:24 -10:00
virt
virtio virtio_mmio: fix devm cleanup 2017-12-14 21:01:40 +02:00
vlynq
vme Char/Misc patches for 4.15-rc1 2017-11-16 09:10:59 -08:00
w1 Char/Misc patches for 4.15-rc1 2017-11-16 09:10:59 -08:00
watchdog treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
xen xen: fixes for 4.15-rc8 2018-01-12 10:00:15 -08:00
zorro License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Kconfig Merge branches 'pm-cpufreq-sched' and 'pm-opp' 2017-11-13 01:40:52 +01:00
Makefile usb: build drivers/usb/common/ when USB_SUPPORT is set 2017-11-28 15:17:49 +01:00