remarkable-linux/net
David Ahern 79dc7e3f1c net: handle no dst on skb in icmp6_send
Andrey reported the following while fuzzing the kernel with syzkaller:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 3859 Comm: a.out Not tainted 4.9.0-rc6+ #429
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff8800666d4200 task.stack: ffff880067348000
RIP: 0010:[<ffffffff833617ec>]  [<ffffffff833617ec>]
icmp6_send+0x5fc/0x1e30 net/ipv6/icmp.c:451
RSP: 0018:ffff88006734f2c0  EFLAGS: 00010206
RAX: ffff8800666d4200 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000018
RBP: ffff88006734f630 R08: ffff880064138418 R09: 0000000000000003
R10: dffffc0000000000 R11: 0000000000000005 R12: 0000000000000000
R13: ffffffff84e7e200 R14: ffff880064138484 R15: ffff8800641383c0
FS:  00007fb3887a07c0(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 000000006b040000 CR4: 00000000000006f0
Stack:
 ffff8800666d4200 ffff8800666d49f8 ffff8800666d4200 ffffffff84c02460
 ffff8800666d4a1a 1ffff1000ccdaa2f ffff88006734f498 0000000000000046
 ffff88006734f440 ffffffff832f4269 ffff880064ba7456 0000000000000000
Call Trace:
 [<ffffffff83364ddc>] icmpv6_param_prob+0x2c/0x40 net/ipv6/icmp.c:557
 [<     inline     >] ip6_tlvopt_unknown net/ipv6/exthdrs.c:88
 [<ffffffff83394405>] ip6_parse_tlv+0x555/0x670 net/ipv6/exthdrs.c:157
 [<ffffffff8339a759>] ipv6_parse_hopopts+0x199/0x460 net/ipv6/exthdrs.c:663
 [<ffffffff832ee773>] ipv6_rcv+0xfa3/0x1dc0 net/ipv6/ip6_input.c:191
 ...

icmp6_send / icmpv6_send is invoked for both rx and tx paths. In both
cases the dst->dev should be preferred for determining the L3 domain
if the dst has been set on the skb. Fall back to the skb->dev if it has
not. This covers the case reported here where icmp6_send is invoked on
Rx before the route lookup.

Fixes: 5d41ce29e ("net: icmp6_send should use dst dev to determine L3 domain")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-11-28 16:13:01 -05:00
6lowpan
9p
802
8021q net: add recursion limit to GRO 2016-10-20 14:32:22 -04:00
appletalk
atm
ax25
batman-adv batman-adv: Detect missing primaryif during tp_send as error 2016-11-04 12:27:39 +01:00
bluetooth Bluetooth: Fix using the correct source address type 2016-11-22 22:50:46 +01:00
bridge bridge: multicast: restore perm router ports on multicast enable 2016-10-18 13:52:13 -04:00
caif
can can: bcm: fix support for CAN FD frames 2016-11-23 15:22:18 +01:00
ceph libceph: initialize last_linger_id with a large integer 2016-11-10 20:13:08 +01:00
core Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2016-11-27 20:21:48 -05:00
dcb
dccp ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped 2016-11-03 16:50:27 -04:00
decnet
dns_resolver
dsa net: dsa: fix fixed-link-phy device leaks 2016-11-27 20:01:15 -05:00
ethernet net: add recursion limit to GRO 2016-10-20 14:32:22 -04:00
hsr net/hsr: Remove unused but set variable 2016-10-18 10:28:18 -04:00
ieee802154
ipv4 tcp: Set DEFAULT_TCP_CONG to bbr if DEFAULT_BBR is set 2016-11-28 12:15:00 -05:00
ipv6 net: handle no dst on skb in icmp6_send 2016-11-28 16:13:01 -05:00
ipx
irda
iucv
kcm
key
l2tp net: revert "net: l2tp: Treat NET_XMIT_CN as success in l2tp_eth_dev_xmit" 2016-11-23 20:18:36 -05:00
l3mdev
lapb
llc
mac80211 mac80211: fix A-MSDU aggregation with fast-xmit + txq 2016-11-15 14:37:30 +01:00
mac802154
mpls
ncsi net/ncsi: Improve HNCDSC AEN handler 2016-10-20 11:23:08 -04:00
netfilter netfilter: nf_tables: fix oops when inserting an element into a verdict map 2016-11-08 23:53:39 +01:00
netlabel
netlink genetlink: fix a memory leak on error path 2016-11-03 16:52:29 -04:00
netrom
nfc
openvswitch openvswitch: add NETIF_F_HW_VLAN_STAG_TX to internal dev 2016-10-13 10:03:23 -04:00
packet packet: on direct_xmit, limit tso and csum to supported devices 2016-10-29 15:02:15 -04:00
phonet
qrtr
rds rds: debug messages are enabled by default 2016-10-29 15:55:57 -04:00
rfkill
rose
rxrpc rxrpc: Fix checking of error from ip6_route_output() 2016-10-13 08:43:17 +01:00
sched net, sched: respect rcu grace period on cls destruction 2016-11-28 10:47:35 -05:00
sctp sctp: change sk state only when it has assocs in sctp_shutdown 2016-11-14 16:22:33 -05:00
strparser strparser: Propagate correct error code in strp_recv() 2016-10-12 01:51:49 -04:00
sunrpc One fix for an NFS/RDMA crash. 2016-11-18 16:32:21 -08:00
switchdev switchdev: Execute bridge ndos only for bridge ports 2016-10-19 10:58:04 -04:00
tipc tipc: fix link statistics counter errors 2016-11-27 20:35:55 -05:00
unix af_unix: conditionally use freezable blocking calls in read 2016-11-18 13:58:39 -05:00
vmw_vsock
wimax
wireless cfg80211: limit scan results cache size 2016-11-18 08:44:44 +01:00
x25
xfrm xfrm: unbreak xfrm_sk_policy_lookup 2016-11-18 07:00:05 +01:00
compat.c
Kconfig
Makefile
socket.c xattr: Fix setting security xattrs on sockfs 2016-11-17 00:00:23 -05:00
sysctl_net.c