TWxSoftware/twx-linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
v5.19
twx-linux/include/net
History
Ziyang Xuan 85f0173df3 ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr 
Change net device's MTU to smaller than IPV6_MIN_MTU or unregister
device while matching route. That may trigger null-ptr-deref bug
for ip6_ptr probability as following.

=========================================================
BUG: KASAN: null-ptr-deref in find_match.part.0+0x70/0x134
Read of size 4 at addr 0000000000000308 by task ping6/263

CPU: 2 PID: 263 Comm: ping6 Not tainted 5.19.0-rc7+ #14
Call trace:
 dump_backtrace+0x1a8/0x230
 show_stack+0x20/0x70
 dump_stack_lvl+0x68/0x84
 print_report+0xc4/0x120
 kasan_report+0x84/0x120
 __asan_load4+0x94/0xd0
 find_match.part.0+0x70/0x134
 __find_rr_leaf+0x408/0x470
 fib6_table_lookup+0x264/0x540
 ip6_pol_route+0xf4/0x260
 ip6_pol_route_output+0x58/0x70
 fib6_rule_lookup+0x1a8/0x330
 ip6_route_output_flags_noref+0xd8/0x1a0
 ip6_route_output_flags+0x58/0x160
 ip6_dst_lookup_tail+0x5b4/0x85c
 ip6_dst_lookup_flow+0x98/0x120
 rawv6_sendmsg+0x49c/0xc70
 inet_sendmsg+0x68/0x94

Reproducer as following:
Firstly, prepare conditions:
$ip netns add ns1
$ip netns add ns2
$ip link add veth1 type veth peer name veth2
$ip link set veth1 netns ns1
$ip link set veth2 netns ns2
$ip netns exec ns1 ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1
$ip netns exec ns2 ip -6 addr add 2001:0db8:0:f101::2/64 dev veth2
$ip netns exec ns1 ifconfig veth1 up
$ip netns exec ns2 ifconfig veth2 up
$ip netns exec ns1 ip -6 route add 2000::/64 dev veth1 metric 1
$ip netns exec ns2 ip -6 route add 2001::/64 dev veth2 metric 1

Secondly, execute the following two commands in two ssh windows
respectively:
$ip netns exec ns1 sh
$while true; do ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1; ip -6 route add 2000::/64 dev veth1 metric 1; ping6 2000::2; done

$ip netns exec ns1 sh
$while true; do ip link set veth1 mtu 1000; ip link set veth1 mtu 1500; sleep 5; done

It is because ip6_ptr has been assigned to NULL in addrconf_ifdown() firstly,
then ip6_ignore_linkdown() accesses ip6_ptr directly without NULL check.

	cpu0			cpu1
fib6_table_lookup
__find_rr_leaf
			addrconf_notify [ NETDEV_CHANGEMTU ]
			addrconf_ifdown
			RCU_INIT_POINTER(dev->ip6_ptr, NULL)
find_match
ip6_ignore_linkdown

So we can add NULL check for ip6_ptr before using in ip6_ignore_linkdown() to
fix the null-ptr-deref bug.

Fixes: dcd1f572954f ("net/ipv6: Remove fib6_idev")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20220728013307.656257-1-william.xuanziyang@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-07-28 10:42:44 -07:00
..
9p net/p9: load default transports 2022-01-10 10:00:09 +09:00
bluetooth Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put 2022-07-26 13:35:24 -07:00
caif
iucv
netfilter netfilter: nf_tables: replace BUG_ON by element length check 2022-07-09 16:25:09 +02:00
netns Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next 2022-05-16 10:10:37 +01:00
nfc
phonet
sctp net: remove noblock parameter from recvmsg() entities 2022-04-12 15:00:25 +02:00
tc_act Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-12 16:15:30 -07:00
6lowpan.h
act_api.h net/sched: act_api: Add extack to offload_act_setup() callback 2022-04-08 13:45:43 +01:00
addrconf.h ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr 2022-07-28 10:42:44 -07:00
af_ieee802154.h
af_rxrpc.h
af_unix.h
af_vsock.h vsock: each transport cycles only on its own sockets 2022-03-11 23:14:19 -08:00
ah.h
amt.h amt: use workqueue for gateway side message handling 2022-07-19 12:37:02 +02:00
arp.h ipv4: Invalidate neighbour for broadcast address upon address addition 2022-02-21 11:44:30 +00:00
atmclip.h
ax25.h ax25: Fix ax25 session cleanup problems 2022-06-02 10:37:57 +02:00
ax88796.h
bareudp.h bareudp: Move definition of struct bareudp_conf to bareudp.c 2021-12-13 12:34:09 +00:00
bond_3ad.h bonding: fix data-races around agg_select_timer 2022-02-15 14:35:18 +00:00
bond_alb.h
bond_options.h bonding: add new option ns_ip6_target 2022-02-21 12:13:45 +00:00
bonding.h bonding: guard ns_targets by CONFIG_IPV6 2022-06-01 11:18:55 +02:00
bpf_sk_storage.h
busy_poll.h
calipso.h
cfg80211-wext.h
cfg80211.h wifi: mac80211: add gfp_t parameter to ieeee80211_obss_color_collision_notify 2022-06-29 11:43:15 +02:00
cfg802154.h net: wrap the wireless pointers in struct net_device in an ifdef 2022-05-22 21:51:54 +01:00
checksum.h powerpc/net: Implement powerpc specific csum_shift() to remove branch 2022-03-11 10:57:22 +00:00
cipso_ipv4.h
cls_cgroup.h
codel_impl.h codel: remove unnecessary sock.h include 2021-12-22 15:03:47 -08:00
codel_qdisc.h codel: remove unnecessary pkt_sched.h include 2021-12-22 15:03:51 -08:00
codel.h codel: remove unnecessary pkt_sched.h include 2021-12-22 15:03:51 -08:00
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h Revert "Merge branch 'mlxsw-line-card-model'" 2022-05-05 15:47:23 -07:00
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h
dn_route.h
dn.h
dsa.h net: dsa: remove port argument from ->change_tag_protocol() 2022-05-12 16:38:55 -07:00
dsfield.h
dst_cache.h
dst_metadata.h net: fix a memleak when uncloning an skb dst and its metadata 2022-02-09 11:41:47 +00:00
dst_ops.h
dst.h
erspan.h
esp.h esp: limit skb_page_frag_refill use to a single page 2022-04-13 10:16:11 +02:00
espintcp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h fib: expand fib_rule_policy 2021-12-16 07:18:35 -08:00
firewire.h
flow_dissector.h flow_dissector: Add number of vlan tags dissector 2022-04-20 11:09:13 +01:00
flow_offload.h net/sched: act_police: allow 'continue' action offload 2022-07-06 12:44:39 +01:00
flow.h net: Add l3mdev index to flow struct and avoid oif reset for port devices 2022-03-15 20:20:02 -07:00
fou.h
fq_impl.h
fq.h
garp.h
gen_stats.h
genetlink.h
geneve.h
gre.h
gro_cells.h
gro.h net: gro: Fix a 'directive in macro's argument list' sparse warning 2022-02-18 11:00:25 +00:00
gtp.h gtp: Add support for checking GTP device type 2022-03-11 08:28:27 -08:00
gue.h
hwbm.h
icmp.h
ieee80211_radiotap.h ieee80211: radiotap: fix -Wcast-qual warnings 2022-02-04 16:25:21 +01:00
ieee802154_netdev.h
if_inet6.h ipv6: fix locking issues with loops over idev->addr_list 2022-04-06 22:09:39 -07:00
ife.h
ila.h
inet6_connection_sock.h
inet6_hashtables.h ipv6: add READ_ONCE(sk->sk_bound_dev_if) in INET6_MATCH() 2022-05-16 10:31:06 +01:00
inet_common.h
inet_connection_sock.h Revert "tcp: change pingpong threshold to 3" 2022-07-22 15:09:10 -07:00
inet_dscp.h ipv6: Define dscp_t and stop taking ECN bits into account in fib6-rules 2022-02-07 20:12:45 -08:00
inet_ecn.h
inet_frag.h net: ip: Handle delivery_time in ip defrag 2022-03-03 14:38:48 +00:00
inet_hashtables.h tcp: Fix data-races around sysctl_tcp_l3mdev_accept. 2022-07-15 11:49:55 +01:00
inet_sock.h tcp: Fix data-races around sysctl_tcp_l3mdev_accept. 2022-07-15 11:49:55 +01:00
inet_timewait_sock.h Revert "tcp/dccp: get rid of inet_twsk_purge()" 2022-05-13 12:24:12 +01:00
inetpeer.h
ioam6.h treewide: Replace zero-length arrays with flexible-array members 2022-02-17 07:00:39 -06:00
ip6_checksum.h
ip6_fib.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-02-17 11:44:20 -08:00
ip6_route.h
ip6_tunnel.h ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode 2022-04-25 11:40:45 +01:00
ip_fib.h ipv4: Use dscp_t in struct fib_entry_notifier_info 2022-04-11 17:37:50 -07:00
ip_tunnels.h ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode 2022-04-25 11:40:45 +01:00
ip_vs.h
ip.h ip: Fix data-races around sysctl_ip_prot_sock. 2022-07-20 10:14:49 +01:00
ipcomp.h
ipconfig.h
ipv6_frag.h net: don't include ndisc.h from ipv6.h 2022-02-04 14:15:11 -08:00
ipv6_stubs.h
ipv6.h ipv6: Fix signed integer overflow in __ip6_append_data 2022-06-08 10:56:43 -07:00
iw_handler.h
kcm.h
l3mdev.h
lag.h
lapb.h
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h llc: add net device refcount tracker 2021-12-07 20:44:59 -08:00
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
lwtunnel.h
mac80211.h wifi: mac80211: add gfp_t parameter to ieeee80211_obss_color_collision_notify 2022-06-29 11:43:15 +02:00
mac802154.h net: mac802154: Create an error helper for asynchronous offloading errors 2022-04-25 20:51:12 +02:00
macsec.h
mctp.h mctp: Use output netdev to allocate skb headroom 2022-04-01 12:04:15 +01:00
mctpdevice.h
mip6.h
mld.h
mpls_iptunnel.h
mpls.h
mptcp.h Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2022-05-23 16:07:14 -07:00
mrp.h
ncsi.h
ndisc.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-03-03 11:55:12 -08:00
neighbour.h net, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work 2022-02-02 20:30:18 -08:00
net_debug.h net: add CONFIG_DEBUG_NET 2022-05-11 12:43:10 +01:00
net_failover.h
net_namespace.h net: make net->dev_unreg_count atomic 2022-02-10 15:30:26 +00:00
net_ratelimit.h
net_trackers.h net: add networking namespace refcount tracker 2021-12-10 06:38:26 -08:00
netevent.h
netlabel.h
netlink.h
netprio_cgroup.h
netrom.h
nexthop.h
nl802154.h
nsh.h
p8022.h
page_pool.h net: page_pool: introduce ethtool stats 2022-04-15 10:43:47 +01:00
pie.h
ping.h net: remove noblock parameter from recvmsg() entities 2022-04-12 15:00:25 +02:00
pkt_cls.h net/sched: act_api: Add extack to offload_act_setup() callback 2022-04-08 13:45:43 +01:00
pkt_sched.h net: sched: remove psched_tdiff_bounded() 2022-01-27 13:53:27 +00:00
pptp.h
protocol.h tcp/udp: Make early_demux back namespacified. 2022-07-15 18:50:35 -07:00
psample.h
psnap.h
raw.h raw: Fix a data-race around sysctl_raw_l3mdev_accept. 2022-07-13 12:56:49 +01:00
rawv6.h
red.h
regulatory.h
request_sock.h tcp: Use BPF timeout setting for SYN ACK RTO 2022-02-02 14:45:18 +00:00
rose.h
route.h ip: Fix data-races around sysctl_ip_default_ttl. 2022-07-15 11:49:55 +01:00
rpl.h
rsi_91x.h
rtnetlink.h net: rtnetlink: add bulk delete support flag 2022-04-13 12:46:26 +01:00
rtnh.h
sch_generic.h net: sched: add barrier to fix packet stuck problem for lockless qdisc 2022-05-31 20:39:28 -07:00
scm.h
secure_seq.h secure_seq: use the 64 bits of the siphash for port offset calculation 2022-05-04 19:22:20 -07:00
seg6_hmac.h
seg6_local.h
seg6.h udp6: Use Segment Routing Header for dest address if present 2022-01-04 12:17:35 +00:00
selftests.h
slhc_vj.h
smc.h
snmp.h
sock_reuseport.h
sock.h net: Fix data-races around sysctl_[rw]mem(_offset)?. 2022-07-25 12:42:09 +01:00
Space.h
stp.h
strparser.h tls: rx: don't store the decryption status in socket context 2022-04-08 11:49:08 +01:00
switchdev.h net: bridge: mst: Notify switchdev drivers of MST state changes 2022-03-17 16:49:58 -07:00
tcp_states.h
tcp.h tcp: Fix a data-race around sysctl_tcp_adv_win_scale. 2022-07-22 12:06:17 +01:00
timewait_sock.h
tipc.h
tls_toe.h
tls.h net/tls: Check for errors in tls_device_init 2022-07-14 10:12:39 -07:00
transp_v6.h
tso.h
tun_proto.h
udp_tunnel.h
udp.h udp: Fix a data-race around sysctl_udp_l3mdev_accept. 2022-07-20 10:14:49 +01:00
udplite.h udplite: remove udplite_csum_outgoing() 2022-01-27 13:53:27 +00:00
vsock_addr.h
vxlan.h drivers: vxlan: vnifilter: per vni stats 2022-03-01 08:38:02 +00:00
wext.h
x25.h
x25device.h
xdp_priv.h xsk: Wipe out dead zero_copy_allocator declarations 2021-12-14 00:24:24 +01:00
xdp_sock_drv.h i40e: xsk: Move tmp desc array from driver to pool 2022-01-27 17:25:32 +01:00
xdp_sock.h net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
xdp.h net: veth: Account total xdp_frame len running ndo_xdp_xmit 2022-03-17 20:33:52 +01:00
xfrm.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-19 11:23:59 -07:00
xsk_buff_pool.h xsk: Fix possible crash when multiple sockets are created 2022-04-26 16:19:54 +02:00