ipv6: sit: fix skb_under_panic with overflowed needed_headroom
When creating an ipip6 tunnel, if tunnel->parms.link is assigned to a previously
created tunnel device, dev->needed_headroom will increase based on the
previous one.
If the number of tunnel devices is sufficient, needed_headroom can
overflow. The overflow happens like this:
ipip6_newlink
  ipip6_tunnel_create
    register_netdevice
      ipip6_tunnel_init
        ipip6_tunnel_bind_dev
          t_hlen = tunnel->hlen + sizeof(struct iphdr); // 40
          hlen = tdev->hard_header_len + tdev->needed_headroom; // 65496
          dev->needed_headroom = t_hlen + hlen; // 65536 -> 0
The value of LL_RESERVED_SPACE(rt->dst.dev) may then be HH_DATA_MOD, which leads
to a small skb being allocated in __ip_append_data() and triggers a
skb_under_panic:
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:209!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 23587 Comm: test Tainted: G W 6.14.0-00624-g2f2d52945852-dirty #15
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:skb_panic (net/core/skbuff.c:209 (discriminator 4))
Call Trace:
<TASK>
skb_push (net/core/skbuff.c:2544)
fou_build_udp (net/ipv4/fou_core.c:1041)
gue_build_header (net/ipv4/fou_core.c:1085)
ip_tunnel_xmit (net/ipv4/ip_tunnel.c:780)
sit_tunnel_xmit__.isra.0 (net/ipv6/sit.c:1065)
sit_tunnel_xmit (net/ipv6/sit.c:1076)
dev_hard_start_xmit (net/core/dev.c:3816)
__dev_queue_xmit (net/core/dev.c:4653)
neigh_connected_output (net/core/neighbour.c:1543)
ip_finish_output2 (net/ipv4/ip_output.c:236)
__ip_finish_output (net/ipv4/ip_output.c:314)
ip_finish_output (net/ipv4/ip_output.c:324)
ip_mc_output (net/ipv4/ip_output.c:421)
ip_send_skb (net/ipv4/ip_output.c:1502)
udp_send_skb (net/ipv4/udp.c:1197)
udp_sendmsg (net/ipv4/udp.c:1484)
udpv6_sendmsg (net/ipv6/udp.c:1545)
inet6_sendmsg (net/ipv6/af_inet6.c:659)
____sys_sendmsg (net/socket.c:2573)
___sys_sendmsg (net/socket.c:2629)
__sys_sendmmsg (net/socket.c:2719)
__x64_sys_sendmmsg (net/socket.c:2740)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
---[ end trace 0000000000000000 ]---
Fix this by adding a check for needed_headroom in ipip6_tunnel_bind_dev().
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=4c63f36709a642f801c5
Fixes: c88f8d5 ("sit: update dev->needed_headroom in ipip6_tunnel_bind_dev()")
Signed-off-by: Wang Liang <[email protected]>
Signed-off-by: NipaLocal <nipa@local>
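The arithmetic in the commit message, worked through as an added userspace model (this is not the kernel's code and not the patch itself). The one kernel fact it relies on is that struct net_device stores hard_header_len and needed_headroom as `unsigned short`, so the sum wraps at 65536 when stored; the base device values (a constructed Ethernet-like device), the chain builder, the HH_DATA_MOD-based reserved-space helper modelled after LL_RESERVED_SPACE(), and the guard policy (refuse the binding instead of wrapping) are this example's own assumptions, and the guard is not a claim about how the real fix is written.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a userspace model of the
 * needed_headroom chaining described in the commit message.  The
 * 16-bit fields mirror the `unsigned short` fields of struct
 * net_device; the base device, the chain builder and the guard
 * policy are assumptions made for this example.
 */
struct model_dev {
	uint16_t hard_header_len;
	uint16_t needed_headroom;
};

/* tunnel->hlen + sizeof(struct iphdr), the value shown in the commit message. */
#define SIT_T_HLEN 40U
/* HH_DATA_MOD from include/linux/netdevice.h. */
#define HH_DATA_MOD 16U

/* Unchecked: the sum is computed in int but truncated to 16 bits when stored. */
static uint16_t bind_headroom_unchecked(const struct model_dev *tdev)
{
	unsigned int hlen = tdev->hard_header_len + tdev->needed_headroom;
	return (uint16_t)(SIT_T_HLEN + hlen);
}

/* Guarded (example's own policy): refuse the binding when the sum would not fit. */
static bool bind_headroom_checked(const struct model_dev *tdev, uint16_t *out)
{
	unsigned int total = SIT_T_HLEN + tdev->hard_header_len + tdev->needed_headroom;

	if (total > UINT16_MAX)
		return false;
	*out = (uint16_t)total;
	return true;
}

/* Constructed base: an Ethernet-like device with a 14-byte link header. */
static const struct model_dev base_dev = { .hard_header_len = 14, .needed_headroom = 0 };

/* needed_headroom of the n-th sit tunnel when each is bound to the previous one (unchecked). */
static uint16_t chain_unchecked(unsigned int n)
{
	struct model_dev cur = base_dev;

	for (unsigned int i = 0; i < n; i++) {
		struct model_dev next = { .hard_header_len = 0 };

		next.needed_headroom = bind_headroom_unchecked(&cur);
		cur = next;
	}
	return cur.needed_headroom;
}

/* Same chain with the guard: how many tunnels are accepted before it refuses. */
static unsigned int chain_checked(unsigned int n)
{
	struct model_dev cur = base_dev;

	for (unsigned int i = 0; i < n; i++) {
		struct model_dev next = { .hard_header_len = 0 };

		if (!bind_headroom_checked(&cur, &next.needed_headroom))
			return i;
		cur = next;
	}
	return n;
}

/* Modelled after LL_RESERVED_SPACE(dev): headroom rounded down to HH_DATA_MOD, plus HH_DATA_MOD. */
static unsigned int ll_reserved_space(const struct model_dev *dev)
{
	unsigned int hh = dev->hard_header_len + dev->needed_headroom;

	return (hh & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD;
}

/* Headroom the allocator would reserve for the last device of an unchecked chain of n tunnels. */
static unsigned int reserved_after_chain(unsigned int n)
{
	struct model_dev last = { .hard_header_len = 0, .needed_headroom = chain_unchecked(n) };

	return ll_reserved_space(&last);
}

int main(void)
{
	printf("1638 tunnels: needed_headroom=%u, reserved=%u\n",
	       chain_unchecked(1638), reserved_after_chain(1638));
	printf("1639 tunnels: needed_headroom=%u (wrapped), reserved=%u\n",
	       chain_unchecked(1639), reserved_after_chain(1639));
	printf("with the guard, %u of 2000 tunnels are accepted\n", chain_checked(2000));
	return 0;
}
```

With the constructed base device each tunnel adds 40 bytes, so the 1639th device's needed_headroom wraps from 65534 to 38 and the reserved headroom collapses from 65536 to 48 bytes; the exact point of wrap depends on the base device, which is why the commit's trace lands precisely on 0 while this model lands on 38. Once the reserved space is that small, any outer header push on transmit exceeds it, which is the skb_under_panic in the trace.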