android_kernel_oneplus_msm8998/net/ipv6
Alexey Kodanev 93040aa178 vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
[ Upstream commit 36f6ee22d2d66046e369757ec6bbe1c482957ba6 ]

When running LTP IPsec tests, KASan might report:

BUG: KASAN: use-after-free in vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
Read of size 4 at addr ffff880dc6ad1980 by task swapper/0/0
...
Call Trace:
  <IRQ>
  dump_stack+0x63/0x89
  print_address_description+0x7c/0x290
  kasan_report+0x28d/0x370
  ? vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
  __asan_report_load4_noabort+0x19/0x20
  vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
  ? vti_init_net+0x190/0x190 [ip_vti]
  ? save_stack_trace+0x1b/0x20
  ? save_stack+0x46/0xd0
  dev_hard_start_xmit+0x147/0x510
  ? icmp_echo.part.24+0x1f0/0x210
  __dev_queue_xmit+0x1394/0x1c60
...
Freed by task 0:
  save_stack_trace+0x1b/0x20
  save_stack+0x46/0xd0
  kasan_slab_free+0x70/0xc0
  kmem_cache_free+0x81/0x1e0
  kfree_skbmem+0xb1/0xe0
  kfree_skb+0x75/0x170
  kfree_skb_list+0x3e/0x60
  __dev_queue_xmit+0x1298/0x1c60
  dev_queue_xmit+0x10/0x20
  neigh_resolve_output+0x3a8/0x740
  ip_finish_output2+0x5c0/0xe70
  ip_finish_output+0x4ba/0x680
  ip_output+0x1c1/0x3a0
  xfrm_output_resume+0xc65/0x13d0
  xfrm_output+0x1e4/0x380
  xfrm4_output_finish+0x5c/0x70

Can be fixed if we get skb->len before dst_output().

Fixes: b9959fd3b0 ("vti: switch to new ip tunnel code")
Fixes: 22e1b23daf ("vti6: Support inter address family tunneling.")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-21 17:09:02 +02:00
netfilter Revert "net: fix percpu memory leaks" 2017-09-27 11:00:11 +02:00
addrconf.c ipv6: fix sparse warning on rt6i_node 2017-09-27 11:00:10 +02:00
addrconf_core.c ipv6: change ipv6_stub_impl.ipv6_dst_lookup to take net argument 2015-07-31 15:21:30 -07:00
addrlabel.c ipv6/addrlabel: fix ip6addrlbl_get() 2015-12-22 15:57:54 -05:00
af_inet6.c net: add validation for the socket syscall protocol argument 2015-12-14 16:09:30 -05:00
ah6.c ah6: fix error return code 2015-08-25 13:37:31 -07:00
anycast.c ipv6: coding style: comparison for equality with NULL 2015-03-31 13:51:54 -04:00
datagram.c ipv6: Handle IPv4-mapped src to in6addr_any dst. 2017-06-17 06:39:35 +02:00
esp6.c esp6: Fix integrity verification when ESN are used 2016-12-10 19:07:26 +01:00
exthdrs.c ipv6: add complete rcu protection around np->opt 2015-12-02 23:37:16 -05:00
exthdrs_core.c ipv6: re-enable fragment header matching in ipv6_find_hdr 2016-04-20 15:41:59 +09:00
exthdrs_offload.c ipv6: fix exthdrs offload registration in out_rt path 2015-09-02 15:31:00 -07:00
fib6_rules.c ipv6: Do not leak throw route references 2017-07-05 14:37:14 +02:00
icmp.c ipv6: kill sk_dst_lock 2015-12-03 11:32:06 -05:00
ila.c dst: Pass net into dst->output 2015-10-08 04:27:03 -07:00
inet6_connection_sock.c ipv6: kill sk_dst_lock 2015-12-03 11:32:06 -05:00
inet6_hashtables.c net: SO_INCOMING_CPU setsockopt() support 2015-10-12 19:28:20 -07:00
ip6_checksum.c udp: Generic functions to set checksum 2014-06-04 22:46:38 -07:00
ip6_fib.c ipv6: fix typo in fib6_net_exit() 2017-09-27 11:00:12 +02:00
ip6_flowlabel.c ipv6: fix a lockdep splat 2016-03-03 15:07:05 -08:00
ip6_gre.c ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header 2017-10-21 17:09:02 +02:00
ip6_icmp.c ipv6: White-space cleansing : Line Layouts 2014-08-24 22:37:52 -07:00
ip6_input.c netfilter: Pass net into okfn 2015-09-17 17:18:37 -07:00
ip6_offload.c ipv6: Fix leak in ipv6_gso_segment(). 2017-06-14 13:16:19 +02:00
ip6_offload.h ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
ip6_output.c net: account for current skb length when deciding about UFO 2017-08-12 19:29:09 -07:00
ip6_tunnel.c ipv6: check skb->protocol before lookup for nexthop 2017-05-02 21:19:54 -07:00
ip6_udp_tunnel.c vxlan: do not receive IPv4 packets on IPv6 socket 2015-08-29 13:07:54 -07:00
ip6_vti.c vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit 2017-10-21 17:09:02 +02:00
ip6mr.c ip6mr: fix notification device destruction 2017-05-02 21:19:54 -07:00
ipcomp6.c ipv6: White-space cleansing : Structure layouts 2014-08-24 22:37:52 -07:00
ipv6_sockglue.c ipv6: add complete rcu protection around np->opt 2015-12-02 23:37:16 -05:00
Kconfig net: Identifier Locator Addressing module 2015-08-17 21:33:06 -07:00
Makefile net: Identifier Locator Addressing module 2015-08-17 21:33:06 -07:00
mcast.c mld, igmp: Fix reserved tailroom calculation 2016-04-20 15:41:58 +09:00
mcast_snoop.c net: fix wrong skb_get() usage / crash in IGMP/MLD parsing code 2015-08-13 17:08:39 -07:00
mip6.c ipv6: use ktime_t for internal timestamps 2015-10-05 03:16:47 -07:00
ndisc.c ipv6: honor ifindex in case we receive ll addresses in router advertisements 2015-12-23 22:03:54 -05:00
netfilter.c ipv6: Pass struct net into ip6_route_me_harder 2015-09-29 20:21:32 +02:00
output_core.c ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() 2017-09-27 11:00:10 +02:00
ping.c net: ping: do not abuse udp_poll() 2017-06-14 13:16:19 +02:00
proc.c udp: Increment UDP_MIB_IGNOREDMULTI for arriving unmatched multicasts 2014-11-07 15:45:50 -05:00
protocol.c net: Export inet_offloads and inet6_offloads 2014-09-19 17:15:31 -04:00
raw.c net: ping: do not abuse udp_poll() 2017-06-14 13:16:19 +02:00
reassembly.c Revert "net: fix percpu memory leaks" 2017-09-27 11:00:11 +02:00
route.c ipv6: fix sparse warning on rt6i_node 2017-09-27 11:00:10 +02:00
sit.c sit: fix a double free on error path 2017-02-18 16:39:27 +01:00
syncookies.c ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check() 2017-08-11 09:08:51 -07:00
sysctl_net_ipv6.c ipv6: Implement different admin modes for automatic flow labels 2015-07-31 17:07:11 -07:00
tcp_ipv6.c ipv6: Handle IPv4-mapped src to in6addr_any dst. 2017-06-17 06:39:35 +02:00
tcpv6_offload.c tcp: cleanup static functions 2015-02-28 16:56:51 -05:00
tunnel6.c ipv6: fix tunnel error handling 2015-11-03 10:52:13 -05:00
udp.c udpv6: Fix the checksum computation when HW checksum does not apply 2017-10-21 17:09:02 +02:00
udp_impl.h net: Remove iocb argument from sendmsg and recvmsg 2015-03-02 13:06:31 -05:00
udp_offload.c net: avoid skb_warn_bad_offload false positives on UFO 2017-08-12 19:29:08 -07:00
udplite.c net: Eliminate no_check from protosw 2014-05-23 16:28:53 -04:00
xfrm6_input.c netfilter: Pass struct net into the netfilter hooks 2015-09-17 17:18:37 -07:00
xfrm6_mode_beet.c xfrm: simplify xfrm_address_t use 2015-03-31 13:58:35 -04:00
xfrm6_mode_ro.c ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() 2017-06-14 13:16:19 +02:00
xfrm6_mode_transport.c ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() 2017-06-14 13:16:19 +02:00
xfrm6_mode_tunnel.c ipv6: update skb->csum when CE mark is propagated 2016-01-31 11:29:01 -08:00
xfrm6_output.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-10-24 06:54:12 -07:00
xfrm6_policy.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2015-12-22 16:26:31 -05:00
xfrm6_protocol.c xfrm6: Properly handle unsupported protocols 2014-05-06 07:08:38 +02:00
xfrm6_state.c ipv6: White-space cleansing : Line Layouts 2014-08-24 22:37:52 -07:00
xfrm6_tunnel.c ipv6: White-space cleansing : gaps between function and symbol export 2014-08-24 22:37:52 -07:00