ipv6: sit: fix skb_under_panic with overflowed needed_headroom

Wang Liang · NipaLocal · commit c91bbfda7bcb · 2025-04-01T17:00:31.000-07:00
When create ipip6 tunnel, if tunnel->parms.link is assigned to the previous created tunnel device, the dev->needed_headroom will increase based on the previous one. If the number of tunnel device is sufficient, the needed_headroom can be overflowed. The overflow happens like this: ipip6_newlink ipip6_tunnel_create register_netdevice ipip6_tunnel_init ipip6_tunnel_bind_dev t_hlen = tunnel->hlen + sizeof(struct iphdr); // 40 hlen = tdev->hard_header_len + tdev->needed_headroom; // 65496 dev->needed_headroom = t_hlen + hlen; // 65536 -> 0 The value of LL_RESERVED_SPACE(rt->dst.dev) may be HH_DATA_MOD, that leads to a small skb allocated in __ip_append_data(), which triggers a skb_under_panic: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:209! Oops: invalid opcode: 0000 [kernel-patches#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 23587 Comm: test Tainted: G W 6.14.0-00624-g2f2d52945852-dirty kernel-patches#15 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:skb_panic (net/core/skbuff.c:209 (discriminator 4)) Call Trace: <TASK> skb_push (net/core/skbuff.c:2544) fou_build_udp (net/ipv4/fou_core.c:1041) gue_build_header (net/ipv4/fou_core.c:1085) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:780) sit_tunnel_xmit__.isra.0 (net/ipv6/sit.c:1065) sit_tunnel_xmit (net/ipv6/sit.c:1076) dev_hard_start_xmit (net/core/dev.c:3816) __dev_queue_xmit (net/core/dev.c:4653) neigh_connected_output (net/core/neighbour.c:1543) ip_finish_output2 (net/ipv4/ip_output.c:236) __ip_finish_output (net/ipv4/ip_output.c:314) ip_finish_output (net/ipv4/ip_output.c:324) ip_mc_output (net/ipv4/ip_output.c:421) ip_send_skb (net/ipv4/ip_output.c:1502) udp_send_skb (net/ipv4/udp.c:1197) udp_sendmsg (net/ipv4/udp.c:1484) udpv6_sendmsg (net/ipv6/udp.c:1545) inet6_sendmsg (net/ipv6/af_inet6.c:659) ____sys_sendmsg (net/socket.c:2573) ___sys_sendmsg (net/socket.c:2629) __sys_sendmmsg (net/socket.c:2719) __x64_sys_sendmmsg (net/socket.c:2740) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> ---[ end trace 0000000000000000 ]--- Fix this by add check for needed_headroom in ipip6_tunnel_bind_dev(). Reported-by: syzbot+4c63f36709a642f801c5@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4c63f36709a642f801c5 Fixes: c88f8d5 ("sit: update dev->needed_headroom in ipip6_tunnel_bind_dev()") Signed-off-by: Wang Liang <wangliang74@huawei.com> Signed-off-by: NipaLocal <nipa@local>
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
@@ -1096,7 +1096,7 @@ static netdev_tx_t sit_tunnel_xmit(struct sk_buff *skb,
 
 }
 
-static void ipip6_tunnel_bind_dev(struct net_device *dev)
+static int ipip6_tunnel_bind_dev(struct net_device *dev)
 {
 	struct ip_tunnel *tunnel = netdev_priv(dev);
 	int t_hlen = tunnel->hlen + sizeof(struct iphdr);
@@ -1135,7 +1135,12 @@ static void ipip6_tunnel_bind_dev(struct net_device *dev)
 		WRITE_ONCE(dev->mtu, mtu);
 		hlen = tdev->hard_header_len + tdev->needed_headroom;
 	}
+
+	if (t_hlen + hlen > U16_MAX)
+		return -EOVERFLOW;
+
 	dev->needed_headroom = t_hlen + hlen;
+	return 0;
 }
 
 static void ipip6_tunnel_update(struct ip_tunnel *t,
@@ -1452,7 +1457,9 @@ static int ipip6_tunnel_init(struct net_device *dev)
 	tunnel->dev = dev;
 	strcpy(tunnel->parms.name, dev->name);
 
-	ipip6_tunnel_bind_dev(dev);
+	err = ipip6_tunnel_bind_dev(dev);
+	if (err)
+		return err;
 
 	err = dst_cache_init(&tunnel->dst_cache, GFP_KERNEL);
 	if (err)
