KASAN: slab-out-of-bounds Read in ip6_xmit (2)


syzbot

Mar 7, 2018, 1:59:04 AM
to da...@davemloft.net, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzbot hit the following crash on net-next commit
0f3e9c97eb5a97972b0c0076a5cc01bb142f8e70 (Tue Mar 6 05:53:44 2018 +0000)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

So far this crash happened 21 times on net-next, upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+92fa32...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
audit: type=1400 audit(1520381312.479:10): avc: denied { sys_chroot }
for pid=4238 comm="syzkaller248290" capability=18
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_dst_idev include/net/ip6_fib.h:192 [inline]
BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
Read of size 8 at addr ffff8801aff89718 by task syzkaller248290/4238

CPU: 1 PID: 4238 Comm: syzkaller248290 Not tainted 4.16.0-rc4+ #254
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23c/0x360 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
ip6_dst_idev include/net/ip6_fib.h:192 [inline]
ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline]
l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148
pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:639
___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
__sys_sendmsg+0xe5/0x210 net/socket.c:2081
SYSC_sendmsg net/socket.c:2092 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2088
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441ef9
RSP: 002b:00000000007dfea8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000441ef9
RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
RBP: 00000000004a3f26 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000217 R12: 00000000007dff70
R13: 0000000000402f30 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801aff89700
which belongs to the cache ip_dst_cache of size 160
The buggy address is located 24 bytes inside of
160-byte region [ffff8801aff89700, ffff8801aff897a0)
The buggy address belongs to the page:
page:ffffea0006bfe240 count:1 mapcount:0 mapping:ffff8801aff89000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801aff89000 0000000000000000 0000000100000010
raw: ffff8801d5b67d48 ffff8801d5b67d48 ffff8801d5b66680 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801aff89600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801aff89680: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801aff89700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801aff89780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801aff89800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
raw.log.txt
repro.syz.txt
repro.c.txt
config.txt

Paolo Abeni

Mar 7, 2018, 5:32:51 AM
to syzbot, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master
---
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index fbf08ce3f5ab..0c167fbfb82f 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -146,10 +146,12 @@ int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr,
struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
struct inet_sock *inet = inet_sk(sk);
struct ipv6_pinfo *np = inet6_sk(sk);
- struct in6_addr *daddr;
+ struct in6_addr *daddr, old_daddr;
+ __be32 fl6_flowlabel = 0;
+ __be32 old_fl6_flowlabel;
+ __be32 old_dport;
int addr_type;
int err;
- __be32 fl6_flowlabel = 0;

if (usin->sin6_family == AF_INET) {
if (__ipv6_only_sock(sk))
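Review bot: moving `__be32 fl6_flowlabel = 0;` up into the new declaration block is a cosmetic reorder that adds three changed lines the fix does not need; leaving it where it was and only adding `old_daddr`, `old_fl6_flowlabel` and `old_dport` keeps the hunk minimal. The three new variables are deliberately left uninitialised here and only become meaningful after the save in the later hunk, so no error exit taken before that save must ever reach the restore code.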
@@ -238,9 +240,13 @@ int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr,
}
}

+ /* save the current socket peer information before updating it */
+ old_daddr = sk->sk_v6_daddr;
+ old_fl6_flowlabel = np->flow_label;
+ old_dport = inet->inet_dport;
+
sk->sk_v6_daddr = *daddr;
np->flow_label = fl6_flowlabel;
-
inet->inet_dport = usin->sin6_port;

/*
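Review bot: the save is correctly placed before the three writes, but the blank line removed between `np->flow_label = fl6_flowlabel;` and `inet->inet_dport = usin->sin6_port;` is unrelated whitespace churn and should be dropped from the fix. `old_daddr = sk->sk_v6_daddr;` is a full `in6_addr` struct copy rather than a pointer, which is what the later restore needs; the comment would be more useful if it said that the three fields are saved so they can be restored together on the `ip6_datagram_dst_update()` failure path, rather than just "save the current socket peer information".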
@@ -250,11 +256,12 @@ int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr,

err = ip6_datagram_dst_update(sk, true);
if (err) {
- /* Reset daddr and dport so that udp_v6_early_demux()
- * fails to find this socket
+ /* Restore the socket peer info, to keep it consistent with
+ * the old socket state
*/
- memset(&sk->sk_v6_daddr, 0, sizeof(sk->sk_v6_daddr));
- inet->inet_dport = 0;
+ sk->sk_v6_daddr = old_daddr;
+ np->flow_label = old_fl6_flowlabel;
+ inet->inet_dport = old_dport;
goto out;
}

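Review bot: this hunk changes behaviour, not just wording: the old code zeroed `sk_v6_daddr` and `inet_dport` so that `udp_v6_early_demux()` could no longer match the socket, while the new code puts back the previous peer, so a socket that was connected before the failed `connect()` stays matchable on its old peer. That is the consistent state the L2TP transmit path needs, but the reason the old comment gave (early demux) is lost; keep it in the new comment so the next reader knows why a half-updated peer is dangerous. Restoring `np->flow_label` is also new, since the old reset never touched it, and deserves a sentence in the commit message as a separate small fix.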
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 83421c6f0bef..13b2a33ade0e 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1449,6 +1449,13 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
err = -EINVAL;
goto err;
}
+
+ /* Reject unconnected sockets */
+ if (sk->sk_state != TCP_ESTABLISHED) {
+ pr_err("tunl %u: sock fd=%d is unconnected\n",
+ tunnel_id, fd);
+ goto err;
+ }
}

sk = sock->sk;
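Review bot: `sk->sk_state` is read before `sk` is assigned: the context line immediately after the block is `sk = sock->sk;`, so the new check dereferences a pointer that has not been set yet, and the `general protection fault in l2tp_tunnel_create` at `l2tp_core.c:1454` that syzbot reports against this patch is consistent with that. Use `sock->sk->sk_state`. Two smaller points: this `goto err` does not assign `err`, unlike the `err = -EINVAL; goto err;` just above it, so the returned error depends on whatever `err` held before; and `pr_err()` on a condition userspace can trigger at will by passing an unconnected fd is log-spam material, so `pr_debug()` or a rate-limited variant fits better.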

syzbot

Mar 7, 2018, 5:45:02 AM
to pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
general protection fault in l2tp_tunnel_create

IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 5512 Comm: syz-executor4 Not tainted 4.16.0-rc4+ #63
IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:l2tp_tunnel_create+0x1df/0x1860 net/l2tp/l2tp_core.c:1454
RSP: 0018:ffff8801caf276d8 EFLAGS: 00010293
8021q: adding VLAN 0 to HW filter on device bond0
RAX: ffff8801c2d2e100 RBX: ffff8801caf27968 RCX: ffffffff854a08df
RDX: 0000000000000000 RSI: 1ffff100395e4eb1 RDI: ffff8801cc232830
RBP: ffff8801caf27990 R08: 0000000000000000 R09: 1ffff100395e4e88
R10: ffff8801caf27408 R11: 0000000000000001 R12: ffff8801cc232800
R13: ffff8801caf27c00 R14: ffff8801caf27b20 R15: ffff8801caf27748
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
FS: 00007f4ed11cd700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb058ceb010 CR3: 00000001cf627005 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
Call Trace:
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
pppol2tp_connect+0x14b8/0x1dd0 net/l2tp/l2tp_ppp.c:698
IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
8021q: adding VLAN 0 to HW filter on device bond0
SYSC_connect+0x213/0x4a0 net/socket.c:1639
SyS_connect+0x24/0x30 net/socket.c:1620
IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453e69
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
RSP: 002b:00007f4ed11ccc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f4ed11cd6d4 RCX: 0000000000453e69
RDX: 000000000000002e RSI: 00000000205fafd2 RDI: 0000000000000004
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000005c R14: 00000000006f0940 R15: 0000000000000000
Code:
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
7c 24 30 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 70 15 00 00 48 8b 85 80 fd
ff ff 49 39 44 24 30 0f 85 db 12 00 00 e8 51 fd 26 fc <a0> 02 00 00 00 00
fc ff df 3c 02 7f 08 84 c0 0f 85 ba 11 00 00
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
RIP: l2tp_tunnel_create+0x1df/0x1860 net/l2tp/l2tp_core.c:1454 RSP: ffff8801caf276d8
---[ end trace 61f421c2bd0222a9 ]---


Tested on net commit
2cbb4ea7de167b02ffa63e9cdfdb07a7e7094615 (Fri Feb 16 19:03:03 2018 +0000)
net: Only honor ifindex in IP_PKTINFO if non-0

compiler: gcc (GCC) 7.1.1 20170620
Patch is attached.
Kernel config is attached.
patch.diff
raw.log.txt
config.txt

Paolo Abeni

Mar 7, 2018, 5:50:49 AM
to syzbot, syzkall...@googlegroups.com
Oops... fixed the typo from the previous attempt (sk -> sock->sk)
---
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index fbf08ce3f5ab..8a9ac2d0f5d3 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -146,10 +146,12 @@ int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr,
struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
struct inet_sock *inet = inet_sk(sk);
struct ipv6_pinfo *np = inet6_sk(sk);
- struct in6_addr *daddr;
+ struct in6_addr *daddr, old_daddr;
+ __be32 fl6_flowlabel = 0;
+ __be32 old_fl6_flowlabel;
+ __be32 old_dport;
int addr_type;
int err;
- __be32 fl6_flowlabel = 0;

if (usin->sin6_family == AF_INET) {
if (__ipv6_only_sock(sk))
@@ -238,9 +240,13 @@ int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr,
}
}

+ /* save the current peer information before updating it */
+ old_daddr = sk->sk_v6_daddr;
+ old_fl6_flowlabel = np->flow_label;
+ old_dport = inet->inet_dport;
+
sk->sk_v6_daddr = *daddr;
np->flow_label = fl6_flowlabel;
-
inet->inet_dport = usin->sin6_port;

/*
@@ -250,11 +256,12 @@ int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr,

err = ip6_datagram_dst_update(sk, true);
if (err) {
- /* Reset daddr and dport so that udp_v6_early_demux()
- * fails to find this socket
+ /* Restore the socket peer info, to keep it consistent with
+ * the old socket state
*/
- memset(&sk->sk_v6_daddr, 0, sizeof(sk->sk_v6_daddr));
- inet->inet_dport = 0;
+ sk->sk_v6_daddr = old_daddr;
+ np->flow_label = old_fl6_flowlabel;
+ inet->inet_dport = old_dport;
goto out;
}

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 83421c6f0bef..fd18f081e25a 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1449,6 +1449,13 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
err = -EINVAL;
goto err;
}
+
+ /* Reject unconnected sockets */
+ if (sock->sk->sk_state != TCP_ESTABLISHED) {
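Review bot: reading the state through `sock->sk->sk_state` is the right fix for the first attempt, since `sk` is only assigned after this block. The remainder of the hunk is cut off in the thread copy, so whether `err` is now set before the `goto err` inside the new block cannot be checked here; if the block is otherwise unchanged from the first attempt it still needs an explicit `err = -EINVAL;` (or `-ENOTCONN`). Note also that this is a creation-time check only: userspace keeps the fd and can `connect()` it again afterwards, which is why syzbot still reaches `ip6_xmit` with a freed dst and why the transmit path needs its own check.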

syzbot

Mar 7, 2018, 5:56:02 AM
to pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
KASAN: use-after-free Read in ip6_xmit

IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:192 [inline]
BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
Read of size 8 at addr ffff8801aaa65a18 by task syz-executor6/6647

CPU: 0 PID: 6647 Comm: syz-executor6 Not tainted 4.16.0-rc4+ #64
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23c/0x360 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
ip6_dst_idev include/net/ip6_fib.h:192 [inline]
ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline]
l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148
pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:640
___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
__sys_sendmsg+0xe5/0x210 net/socket.c:2080
SYSC_sendmsg net/socket.c:2091 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2087
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453e69
RSP: 002b:00007fd904722c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fd9047236d4 RCX: 0000000000453e69
RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
RBP: 000000000072bf58 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004c3 R14: 00000000006f72e8 R15: 0000000000000001

Allocated by task 6642:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
dst_alloc+0x11f/0x1a0 net/core/dst.c:104
rt_dst_alloc+0xe9/0x520 net/ipv4/route.c:1507
__mkroute_output net/ipv4/route.c:2251 [inline]
ip_route_output_key_hash_rcu+0xa59/0x2f00 net/ipv4/route.c:2479
ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2308
__ip_route_output_key include/net/route.h:125 [inline]
ip_route_connect include/net/route.h:300 [inline]
__ip4_datagram_connect+0xa67/0x1240 net/ipv4/datagram.c:51
__ip6_datagram_connect+0xc12/0x12b0 net/ipv6/datagram.c:198
ip6_datagram_connect+0x2f/0x50 net/ipv6/datagram.c:280
inet_dgram_connect+0x16b/0x1f0 net/ipv4/af_inet.c:542
SYSC_connect+0x213/0x4a0 net/socket.c:1639
SyS_connect+0x24/0x30 net/socket.c:1620
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 6651:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
__cache_free mm/slab.c:3485 [inline]
kmem_cache_free+0x83/0x2a0 mm/slab.c:3743
dst_destroy+0x257/0x370 net/core/dst.c:140
dst_destroy_rcu+0x16/0x20 net/core/dst.c:153
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2674 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285

The buggy address belongs to the object at ffff8801aaa65a00
which belongs to the cache ip_dst_cache of size 168
The buggy address is located 24 bytes inside of
168-byte region [ffff8801aaa65a00, ffff8801aaa65aa8)
The buggy address belongs to the page:
page:ffffea0006aa9940 count:1 mapcount:0 mapping:ffff8801aaa65000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801aaa65000 0000000000000000 0000000100000010
raw: ffffea00075ddde0 ffffea0006e427e0 ffff8801d5b88680 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801aaa65900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801aaa65980: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
> ffff8801aaa65a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801aaa65a80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
ffff8801aaa65b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

patch.diff
raw.log.txt
config.txt

Paolo Abeni

Mar 7, 2018, 8:51:26 AM
to syzbot, syzkall...@googlegroups.com
On Wed, 2018-03-07 at 02:56 -0800, syzbot wrote:
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: use-after-free Read in ip6_xmit

Uh, I can't reproduce the issue locally, with the patch applied.
Also there is something weird in this report...

> CPU: 0 PID: 6647 Comm: syz-executor6 Not tainted 4.16.0-rc4+ #64

The reproducer is single-threaded, the pid of the repro is apparently
6647...
... but the UDP socket is reported to be created by a different
process. Am I missing something?!?

Thanks,

Paolo

Dmitry Vyukov

Mar 7, 2018, 9:04:11 AM
to Paolo Abeni, syzbot, syzkall...@googlegroups.com
Hi Paolo,

Yes, it was initially reproduced as single-threaded, from here:

#{Threaded:false Collide:false Repeat:false Procs:1 Sandbox:namespace
Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true
HandleSegv:false WaitRepeat:false Debug:false Repro:false}

However, when syzbot tests patches it specifically switches back to
multithreaded/racy mode of execution:
https://github.com/google/syzkaller/blob/master/syz-ci/jobs.go#L328
The idea was that the multithreaded mode is strictly better (finds
more bugs) than single-threaded mode.
So perhaps there is another bug around?

Paolo Abeni

Mar 7, 2018, 9:45:31 AM
to Dmitry Vyukov, syzbot, syzkall...@googlegroups.com
Hi,
Thank you for the prompt reply!

Understood. I agree it's reasonable for verifying the bugs.

> So perhaps there is another bug around?

I think this report shows a slightly different bug - which should be
fixed, too.

Is there an easy way to get the C reproducer in multi-threaded mode?

Thanks,

Paolo

Paolo Abeni

Mar 7, 2018, 11:10:11 AM
to Dmitry Vyukov, syzbot, syzkall...@googlegroups.com
I tried to reproduce this second splat with the syz reproducer in multi-threaded mode:

cat repro.syz
# See https://goo.gl/kgGztJ for information about syzkaller reproducers.
#{Threaded:false Collide:false Repeat:false Procs:1 Sandbox:namespace Fault:false FaultCall:-1 FaultNth:0 EnableTun:true UseTmpDir:true HandleSegv:false WaitRepeat:false Debug:false Repro:false}
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20, 0x5000000000000, @ipv4={[], [0xff, 0xff], @loopback=0x7f000001}, 0x5}, 0x1c)
connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e22, 0xdba, @mcast1={0xff, 0x1, [], 0x1}, 0x9}, 0x1c)
r1 = socket$l2tp(0x18, 0x1, 0x1)
connect$l2tp(r1, &(0x7f00005fafd2)=@pppol2tpv3={0x18, 0x1, {0x0, r0, {0x2, 0x4e21, @multicast2=0xe0000002}, 0x4, 0x0, 0x2}}, 0x2e)
sendmsg$nl_crypto(r1, &(0x7f000037ffc8)={&(0x7f0000041000)={0x10, 0x0, 0x0, 0x2}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)=@delrng={0x10, 0x14, 0x200, 0x0, 0x3, "", []}, 0x10}, 0x1, 0x0, 0x0, 0x20000000}, 0x81)
syz_emit_ethernet(0x2e, &(0x7f0000000080)={@link_local={0x1, 0x80, 0xc2}, @broadcast=[0xff, 0xff, 0xff, 0xff, 0xff, 0xff], [{[], {0x8100}}], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @dev={0xac, 0x14}, @multicast1=0xe0000001, {[]}}, @igmp={0x0, 0x0, 0x0, @multicast1=0xe0000001}}}}}, &(0x7f0000003fec)={0x0, 0x1})

syz-execprog -cover=false -collide=true -procs=16 -repeat=0 -timeout=30s -executor /bin/syz-executor repro.syz

but no luck so far.

Can you please check the above command line?

Thanks,

Paolo

Dmitry Vyukov

Mar 7, 2018, 11:11:24 AM
to Paolo Abeni, syzbot, syzkall...@googlegroups.com
syzkaller has a syz-prog2c utility which converts syzkaller programs to
C code with lots of tunables (e.g. single-threaded/multi-threaded).
We did not have it described on the syzbot page, so I've just extended the docs:
https://github.com/google/syzkaller/commit/d50edb7e5cb52fbee77145ae4c2ff82470ee268a

Here is this program converted to C with -threaded and -collide flags:
https://gist.githubusercontent.com/dvyukov/979d638c821f8d1a23a83250f78f0e2a/raw/aa063bb5bf810dd5b85fc09f18a879afc44b735b/gistfile1.txt

Dmitry Vyukov

Mar 7, 2018, 11:13:48 AM
to Paolo Abeni, syzbot, syzkall...@googlegroups.com
The command line looks good, but try adding -sandbox=namespace.

Dmitry Vyukov

Mar 7, 2018, 11:14:49 AM
to Paolo Abeni, syzbot, syzkall...@googlegroups.com
Also maybe another test request to syzbot, just to make sure that it
indeed triggers this crash on this program and the crash looks the
same.

Paolo Abeni

Mar 7, 2018, 11:18:14 AM
to syzbot, syzkall...@googlegroups.com
Trying again to ensure that the #2 crash is reproducible

syzbot

Mar 7, 2018, 11:26:02 AM
to pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
KASAN: use-after-free Read in ip6_xmit

IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:192 [inline]
BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
Read of size 8 at addr ffff8801bd949318 by task syz-executor4/23448

CPU: 0 PID: 23448 Comm: syz-executor4 Not tainted 4.16.0-rc4+ #65
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23c/0x360 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
ip6_dst_idev include/net/ip6_fib.h:192 [inline]
ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline]
l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148
pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:640
___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
__sys_sendmsg+0xe5/0x210 net/socket.c:2080
SYSC_sendmsg net/socket.c:2091 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2087
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453e69
RSP: 002b:00007f819593cc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f819593d6d4 RCX: 0000000000453e69
RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004c3 R14: 00000000006f72e8 R15: 0000000000000000

Allocated by task 23363:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
dst_alloc+0x11f/0x1a0 net/core/dst.c:104
rt_dst_alloc+0xe9/0x520 net/ipv4/route.c:1507
ip_route_input_mc net/ipv4/route.c:1580 [inline]
ip_route_input_rcu+0x194f/0x3200 net/ipv4/route.c:2143
ip_route_input_noref+0xf5/0x1e0 net/ipv4/route.c:2095
ip_rcv_finish+0x3a6/0x2040 net/ipv4/ip_input.c:348
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_rcv+0xb76/0x1820 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4554
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4619
netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4693
netif_receive_skb+0xae/0x390 net/core/dev.c:4717
tun_rx_batched.isra.52+0x5ee/0x870 drivers/net/tun.c:1554
tun_get_user+0x25a5/0x3810 drivers/net/tun.c:1961
tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1989
call_write_iter include/linux/fs.h:1781 [inline]
do_iter_readv_writev+0x55c/0x830 fs/read_write.c:653
do_iter_write+0x154/0x540 fs/read_write.c:932
vfs_writev+0x18a/0x340 fs/read_write.c:977
do_writev+0xfc/0x2a0 fs/read_write.c:1012
SYSC_writev fs/read_write.c:1085 [inline]
SyS_writev+0x27/0x30 fs/read_write.c:1082
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 23357:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
__cache_free mm/slab.c:3485 [inline]
kmem_cache_free+0x83/0x2a0 mm/slab.c:3743
dst_destroy+0x257/0x370 net/core/dst.c:140
dst_destroy_rcu+0x16/0x20 net/core/dst.c:153
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2674 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285

The buggy address belongs to the object at ffff8801bd949300
which belongs to the cache ip_dst_cache of size 168
The buggy address is located 24 bytes inside of
168-byte region [ffff8801bd949300, ffff8801bd9493a8)
The buggy address belongs to the page:
page:ffffea0006f65240 count:1 mapcount:0 mapping:ffff8801bd949000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801bd949000 0000000000000000 0000000100000010
raw: ffffea0006f6eb60 ffffea00073e64a0 ffff8801d6bc2040 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801bd949200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801bd949280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
> ffff8801bd949300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801bd949380: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
ffff8801bd949400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on net commit
25b5cdfcce1b57971840505dfc78556bd12dea6d (Fri Mar 2 15:01:48 2018 +0000)
dt-bindings: net: renesas-ravb: Make stream buffer optional
patch.diff
raw.log.txt
config.txt

Dmitry Vyukov

Mar 7, 2018, 11:45:21 AM
to syzbot, Paolo Abeni, syzkall...@googlegroups.com
At least this is reproducible on syzbot...

For completeness you can also make sure that you checked out syzkaller
on c8a1847658268fbadf20aa486107f2e553a8c768, which is the revision on
which the crash happened.

There is also another, simpler option. If your patch fixes the
original bug, we can mark the commit as fixing this bug, then syzbot
will wait till the commit reaches all trees, and then it will
hopefully report the multi-threaded crash again. However, this will
have long turn-around time.

Paolo Abeni

Mar 7, 2018, 12:21:54 PM
to Dmitry Vyukov, syzbot, syzkall...@googlegroups.com
Thank you for all the help and support!

I'll try to spend a little more time to track the second splat before
going the easy option.

Cheers,

Paolo

Paolo Abeni

Mar 7, 2018, 1:28:30 PM
to syzbot, syzkall...@googlegroups.com, paolo...@gmail.com
Tentative fix for the race uncovered by the MT reproducer: don't trust the
cached v4mapped flag
index 83421c6f0bef..49d0791c50e2 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1049,7 +1049,8 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
/* Queue the packet to IP for output */
skb->ignore_df = 1;
#if IS_ENABLED(CONFIG_IPV6)
- if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
+ if (tunnel->sock->sk_family == PF_INET6 &&
+ !ipv6_addr_v4mapped(&tunnel->sock->sk_v6_daddr))
error = inet6_csk_xmit(tunnel->sock, skb, NULL);
else
#endif
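Review bot: replacing the cached `tunnel->v4mapped` with a live `ipv6_addr_v4mapped(&tunnel->sock->sk_v6_daddr)` test removes the stale-flag problem, but the address is read here with nothing stopping a concurrent `connect()` on the same socket from rewriting it, so the result is a snapshot that can still differ from what `inet6_csk_xmit()` sees a moment later. Evaluating the predicate once under the socket lock and passing the result down is the safer shape; as written, the fix is a narrower window rather than a closed race.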
@@ -1131,7 +1132,8 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len

/* Calculate UDP checksum if configured to do so */
#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ if (sk->sk_family == PF_INET6 &&
+ ipv6_addr_v4mapped(&sk->sk_v6_daddr))
udp6_set_csum(udp_get_no_check6_tx(sk),
skb, &inet6_sk(sk)->saddr,
&sk->sk_v6_daddr, udp_len);
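Review bot: the condition in this hunk is inverted relative to the first one. The removed test was `sk->sk_family == PF_INET6 && !tunnel->v4mapped`, i.e. take the `udp6_set_csum()` branch only for a native IPv6 peer, but the replacement drops the negation: `ipv6_addr_v4mapped(&sk->sk_v6_daddr)` is true exactly for the v4-mapped case, so v4-mapped sockets would get an IPv6 UDP checksum and native IPv6 sockets would fall through to `udp_set_csum()` with the IPv4 addresses. It should read `!ipv6_addr_v4mapped(&sk->sk_v6_daddr)`, matching the `l2tp_xmit_core()` hunk. Computing the same predicate twice, once here and once in `l2tp_xmit_core()`, also lets the two disagree if the socket is reconnected between them; compute it once and reuse it.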
@@ -1449,6 +1451,13 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32

syzbot

Mar 7, 2018, 1:45:03 PM
to pab...@redhat.com, paolo...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger a crash:

Reported-and-tested-by: syzbot+92fa32...@syzkaller.appspotmail.com

Note: the tag will also help syzbot to understand when the bug is fixed.

Tested on net commit
e06513d78d54e6c7026c9043a39e2c01ee25bdbe (Tue Mar 6 15:00:06 2018 +0000)
net: smsc911x: Fix unload crash when link is up

compiler: gcc (GCC) 7.1.1 20170620
Patch is attached.
Kernel config is attached.


---
There is no WARRANTY for the result, to the extent permitted by applicable law.
Except when otherwise stated in writing syzbot provides the result "AS IS"
without warranty of any kind, either expressed or implied, but not limited to,
the implied warranties of merchantability and fitness for a particular purpose.
The entire risk as to the quality of the result is with you. Should the result
prove defective, you assume the cost of all necessary servicing, repair or
correction.
patch.diff
config.txt

Paolo Abeni

Mar 8, 2018, 6:45:43 AM
to syzbot, syzkall...@googlegroups.com
Hopefully a more comprehensive and clean fix
index 83421c6f0bef..ad6aa9b64415 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1049,7 +1049,8 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
/* Queue the packet to IP for output */
skb->ignore_df = 1;
#if IS_ENABLED(CONFIG_IPV6)
- if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
+ if (tunnel->sock->sk_family == PF_INET6 &&
+ !ipv6_addr_v4mapped(&tunnel->sock->sk_v6_daddr))
error = inet6_csk_xmit(tunnel->sock, skb, NULL);
else
#endif
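Review bot: this hunk spells out `ipv6_addr_v4mapped(&tunnel->sock->sk_v6_daddr)` while the rest of the patch introduces `l2tp_sk_is_v4mapped()` for the same question; use the helper here too so there is a single definition of "is this tunnel socket v4-mapped". The helper's definition is not in the hunks shown. Since the `#if IS_ENABLED(CONFIG_IPV6)` guards around its other call sites are removed later in the patch, it must fold to a constant `false` when IPv6 is disabled so that the `inet6_sk()` and `udp6_set_csum()` calls in those branches are eliminated by the compiler; otherwise the IPv6-less build breaks.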
@@ -1112,11 +1113,30 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
goto out_unlock;
}

+ /* User-space may change the connection status for the user-space
+ * provided socket at run time: we must check it under the socket lock
+ */
+ inet = inet_sk(sk);
+ if (tunnel->fd >= 0) {
+ if (sk->sk_state != TCP_ESTABLISHED) {
+ ret = NET_XMIT_DROP;
+ goto out_unlock;
+ }
+
+ /* if the uses space changes the ipv4-mapped ipv6 address,
+ * the kernel copy of the ipv4 address is not updated.
+ * Refresh it only if needed, to avoid dirtying the socket
+ * on each packet.
+ */
+ if (l2tp_sk_is_v4mapped(sk) &&
+ inet->inet_daddr != sk->sk_v6_daddr.s6_addr32[3])
+ inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
+ }
+
/* Get routing info from the tunnel socket */
skb_dst_drop(skb);
skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));

- inet = inet_sk(sk);
fl = &inet->cork.fl;
switch (tunnel->encap) {
case L2TP_ENCAPTYPE_UDP:
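Review bot: `+ inet->inet_daddr != sk->sk_v6_daddr.s6_addr32[3]` and the assignment below it are compiled unconditionally, but sk_v6_daddr only exists in struct sock_common when CONFIG_IPV6 is enabled; l2tp_sk_is_v4mapped() collapsing to 0 does not stop the compiler from parsing the field access, so this breaks CONFIG_IPV6=n builds. Wrap the refresh in `#if IS_ENABLED(CONFIG_IPV6)` or move it into a guarded helper next to l2tp_sk_is_v4mapped(). Also, "if the uses space changes" in the comment should read "if user space changes".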
@@ -1130,15 +1150,13 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
uh->len = htons(udp_len);

/* Calculate UDP checksum if configured to do so */
-#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ if (l2tp_sk_is_v4mapped(sk))
udp6_set_csum(udp_get_no_check6_tx(sk),
skb, &inet6_sk(sk)->saddr,
&sk->sk_v6_daddr, udp_len);
else
-#endif
- udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
- inet->inet_daddr, udp_len);
+ udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
+ inet->inet_daddr, udp_len);
break;

case L2TP_ENCAPTYPE_IP:
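Review bot: the branch selection is inverted: `+ if (l2tp_sk_is_v4mapped(sk))` now sends v4-mapped sockets to udp6_set_csum() with the IPv6 addresses, whereas the removed `- if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)` sent only native IPv6 sockets there. v4-mapped sockets must keep the udp_set_csum() path with inet_saddr/inet_daddr (the fields this same patch refreshes for them in l2tp_xmit_skb()), and native IPv6 sockets now fall through to the IPv4 checksum. The condition should be `sk->sk_family == PF_INET6 && !l2tp_sk_is_v4mapped(sk)`. Keep the `#if IS_ENABLED(CONFIG_IPV6)` guard around the udp6_set_csum()/inet6_sk() call as well, rather than relying on dead-code elimination to drop it on builds without IPv6.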
@@ -1449,6 +1467,13 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
err = -EINVAL;
goto err;
}
+
+ /* Reject unconnected sockets */
+ if (sock->sk->sk_state != TCP_ESTABLISHED) {
+ pr_err("tunl %u: sock fd=%d is unconnected\n",
+ tunnel_id, fd);
+ goto err;
+ }
}

sk = sock->sk;
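Review bot: the new `+ /* Reject unconnected sockets */` block jumps to err without assigning err, unlike the netns check just above it which sets `err = -EINVAL;` before `goto err;`, so on this path l2tp_tunnel_create() returns whatever err happened to hold (possibly 0, which would make the caller believe the tunnel exists). Set `err = -EINVAL;` (or -ENOTCONN) before the goto. Note also that this check is only a snapshot: user space can disconnect the socket after creation, which is why the per-packet sk_state re-check under the socket lock in l2tp_xmit_skb() is the one that actually protects the transmit path; a short comment here pointing at that would help the next reader.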
@@ -1507,23 +1532,14 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
if (cfg != NULL)
tunnel->debug = cfg->debug;

-#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == PF_INET6) {
+ if (l2tp_sk_is_v4mapped(sk)) {
struct ipv6_pinfo *np = inet6_sk(sk);
+ struct inet_sock *inet = inet_sk(sk);

- if (ipv6_addr_v4mapped(&np->saddr) &&
- ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
- struct inet_sock *inet = inet_sk(sk);
-
- tunnel->v4mapped = true;
- inet->inet_saddr = np->saddr.s6_addr32[3];
- inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
- inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
- } else {
- tunnel->v4mapped = false;
- }
+ inet->inet_saddr = np->saddr.s6_addr32[3];
+ inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
+ inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
}
-#endif

/* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
tunnel->encap = encap;
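Review bot: the removed condition also required `ipv6_addr_v4mapped(&np->saddr)`, but the replacement keyed on l2tp_sk_is_v4mapped() only looks at sk_v6_daddr and then copies `np->saddr.s6_addr32[3]` into inet_saddr unconditionally; if a connected socket can have a v4-mapped destination with a native IPv6 source, inet_saddr receives the low word of a real IPv6 address. Either keep the saddr check or state in the commit message why the connect path guarantees both addresses are mapped together. As in the l2tp_xmit_skb() hunk, `sk->sk_v6_rcv_saddr` and `sk->sk_v6_daddr` are now referenced outside any IS_ENABLED(CONFIG_IPV6) guard, which will not compile with IPv6 disabled.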
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index a1aa9550f04e..c042aaeb074b 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -188,9 +188,6 @@ struct l2tp_tunnel {
struct sock *sock; /* Parent socket */
int fd; /* Parent fd, if tunnel socket
* was created by userspace */
-#if IS_ENABLED(CONFIG_IPV6)
- bool v4mapped;
-#endif

struct work_struct del_work;

@@ -214,6 +211,16 @@ static inline void *l2tp_session_priv(struct l2tp_session *session)
return &session->priv[0];
}

+static bool l2tp_sk_is_v4mapped(struct sock *sk)
+{
+#if IS_ENABLED(CONFIG_IPV6)
+ return sk->sk_family == PF_INET6 &&
+ ipv6_addr_v4mapped(&sk->sk_v6_daddr);
+#else
+ return 0;
+#endif
+}
+
struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id);
void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);

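Review bot: a helper defined as `+static bool l2tp_sk_is_v4mapped(struct sock *sk)` in a header needs to be `static inline`, otherwise every translation unit that includes l2tp_core.h without calling it gets its own copy and a -Wunused-function warning. For a bool return the `#else` branch should `return false;` rather than `return 0;`, and the parameter can be `const struct sock *sk` since it is only read.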
syzbot

Mar 8, 2018, 8:45:02 AM
to pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger a crash:

Reported-and-tested-by: syzbot+92fa32...@syzkaller.appspotmail.com

Note: the tag will also help syzbot to understand when the bug is fixed.

Tested on net commit
cfda06d7362b4151ad9acc4765ad15e8dd969e4a (Thu Mar 8 01:27:51 2018 +0000)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
patch.diff
config.txt

Paolo Abeni

Mar 9, 2018, 12:43:08 PM
to syzbot, syzkall...@googlegroups.com
testing once again as upstream requested several changes...
index e22512e32827..87e07080c8e9 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -111,6 +111,13 @@ struct l2tp_net {
spinlock_t l2tp_session_hlist_lock;
};

+#if IS_ENABLED(CONFIG_IPV6)
+static bool l2tp_sk_is_v6(struct sock *sk)
+{
+ return sk->sk_family == PF_INET6 &&
+ !ipv6_addr_v4mapped(&sk->sk_v6_daddr);
+}
+#endif

static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
{
@@ -1049,7 +1056,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
/* Queue the packet to IP for output */
skb->ignore_df = 1;
#if IS_ENABLED(CONFIG_IPV6)
- if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
+ if (l2tp_sk_is_v6(tunnel->sock))
error = inet6_csk_xmit(tunnel->sock, skb, NULL);
else
#endif
@@ -1112,11 +1119,21 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
goto out_unlock;
}

+ /* The user-space may change the connection status for the user-space
+ * provided socket at run time: we must check it under the socket lock
+ */
+ inet = inet_sk(sk);
+ if (tunnel->fd >= 0) {
+ if (sk->sk_state != TCP_ESTABLISHED) {
+ ret = NET_XMIT_DROP;
+ goto out_unlock;
+ }
+ }
+
/* Get routing info from the tunnel socket */
skb_dst_drop(skb);
skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));

- inet = inet_sk(sk);
fl = &inet->cork.fl;
switch (tunnel->encap) {
case L2TP_ENCAPTYPE_UDP:
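Review bot: the nested `+ if (tunnel->fd >= 0) {` / `+ if (sk->sk_state != TCP_ESTABLISHED) {` pair can be a single `if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED)`, which reads as the one-line invariant it expresses (a user-space provided socket must still be connected when we transmit). Moving `inet = inet_sk(sk)` above the block is harmless but no longer needed now that the block does not touch inet. Minor: "The user-space may change" in the comment should read "User space may change".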
@@ -1131,7 +1148,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len

/* Calculate UDP checksum if configured to do so */
#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ if (l2tp_sk_is_v6(sk))
udp6_set_csum(udp_get_no_check6_tx(sk),
skb, &inet6_sk(sk)->saddr,
&sk->sk_v6_daddr, udp_len);
@@ -1511,24 +1528,6 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
if (cfg != NULL)
tunnel->debug = cfg->debug;

-#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == PF_INET6) {
- struct ipv6_pinfo *np = inet6_sk(sk);
-
- if (ipv6_addr_v4mapped(&np->saddr) &&
- ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
- struct inet_sock *inet = inet_sk(sk);
-
- tunnel->v4mapped = true;
- inet->inet_saddr = np->saddr.s6_addr32[3];
- inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
- inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
- } else {
- tunnel->v4mapped = false;
- }
- }
-#endif
-
/* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
tunnel->encap = encap;
if (encap == L2TP_ENCAPTYPE_UDP) {
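Review bot: with the whole `- if (sk->sk_family == PF_INET6) {` block gone, inet_saddr/inet_rcv_saddr/inet_daddr are no longer copied out of the v4-mapped IPv6 addresses at tunnel creation, and the previous version of this patch refreshed inet_daddr per packet for exactly that reason. The commit message should spell out that the IPv6 connect path already fills the inet_* fields for a v4-mapped destination, since the udp_set_csum() branch that v4-mapped sockets take reads inet->inet_saddr and inet->inet_daddr; without that statement a reviewer cannot tell whether this hunk is a simplification or a regression.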
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index a1aa9550f04e..2718d0b284d0 100644

syzbot

Mar 9, 2018, 1:08:03 PM
to pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger a crash:

Reported-and-tested-by: syzbot+92fa32...@syzkaller.appspotmail.com

Note: the tag will also help syzbot to understand when the bug is fixed.

Tested on net commit
d06cbe9cbb8905df21b11d1cf789c9b2947688e9 (Fri Mar 9 06:27:20 2018 +0000)
net: ethernet: ave: enable Rx drop interrupt
patch.diff
config.txt