search for: __netif_receive_skb_core

...syzkaller.appspotmail.com #syz dup: KASAN: stack-out-of-bounds Read in timerqueue_add > ================================================================== > BUG: KASAN: stack-out-of-bounds in __read_once_size > include/linux/compiler.h:188 [inline] > BUG: KASAN: stack-out-of-bounds in __netif_receive_skb_core+0x2e09/0x3680 > net/core/dev.c:4657 > Read of size 8 at addr ffff8801a852d1e8 by task swapper/0/0 > > CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.18.0-rc3+ #45 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > Call Trace: > <...

...t; > > > For example, just to give you the idea: > > > > > > diff --git a/net/core/dev.c b/net/core/dev.c > > > index 683d493..4faa7ef 100644 > > > --- a/net/core/dev.c > > > +++ b/net/core/dev.c > > > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) > > > trace_netif_receive_skb(skb); > > > > > > orig_dev = skb->dev; > > > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; > > > > > > skb_reset_network_header(skb); > > >...

...t; > > > For example, just to give you the idea: > > > > > > diff --git a/net/core/dev.c b/net/core/dev.c > > > index 683d493..4faa7ef 100644 > > > --- a/net/core/dev.c > > > +++ b/net/core/dev.c > > > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) > > > trace_netif_receive_skb(skb); > > > > > > orig_dev = skb->dev; > > > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; > > > > > > skb_reset_network_header(skb); > > >...

...harder by mixing in some > data per input and/or output devices. > > For example, just to give you the idea: > > diff --git a/net/core/dev.c b/net/core/dev.c > index 683d493..4faa7ef 100644 > --- a/net/core/dev.c > +++ b/net/core/dev.c > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) > trace_netif_receive_skb(skb); > > orig_dev = skb->dev; > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; > > skb_reset_network_header(skb); > if (!skb_transport_header_was_set(skb)) > diff --git a/net/ipv6/i...

...harder by mixing in some > data per input and/or output devices. > > For example, just to give you the idea: > > diff --git a/net/core/dev.c b/net/core/dev.c > index 683d493..4faa7ef 100644 > --- a/net/core/dev.c > +++ b/net/core/dev.c > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) > trace_netif_receive_skb(skb); > > orig_dev = skb->dev; > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; > > skb_reset_network_header(skb); > if (!skb_transport_header_was_set(skb)) > diff --git a/net/ipv6/i...

...+0x18/0x20 Apr 02 14:20:59 helium kernel: ? pcpu_alloc+0x2ce/0x630 Apr 02 14:20:59 helium kernel: ? ip6_finish_output+0xab/0x1c0 Apr 02 14:20:59 helium kernel: nft_do_chain_netdev+0x66/0x250 [nf_tables_netdev] Apr 02 14:20:59 helium kernel: nf_hook_slow+0x2a/0xb0 Apr 02 14:20:59 helium kernel: __netif_receive_skb_core+0x820/0xa80 Apr 02 14:20:59 helium kernel: __netif_receive_skb+0x18/0x60 Apr 02 14:20:59 helium kernel: process_backlog+0x9f/0x160 Apr 02 14:20:59 helium kernel: net_rx_action+0x242/0x3d0 Apr 02 14:20:59 helium kernel: __do_softirq+0x104/0x2e1 Apr 02 14:20:59 helium kernel: irq_exit+0xb6/0xc0...

...nput and/or output devices. > > > > For example, just to give you the idea: > > > > diff --git a/net/core/dev.c b/net/core/dev.c > > index 683d493..4faa7ef 100644 > > --- a/net/core/dev.c > > +++ b/net/core/dev.c > > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) > > trace_netif_receive_skb(skb); > > > > orig_dev = skb->dev; > > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; > > > > skb_reset_network_header(skb); > > if (!skb_transport_header_was_set...

...nput and/or output devices. > > > > For example, just to give you the idea: > > > > diff --git a/net/core/dev.c b/net/core/dev.c > > index 683d493..4faa7ef 100644 > > --- a/net/core/dev.c > > +++ b/net/core/dev.c > > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) > > trace_netif_receive_skb(skb); > > > > orig_dev = skb->dev; > > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; > > > > skb_reset_network_header(skb); > > if (!skb_transport_header_was_set...

..., just to give you the idea: > > > > > > > > diff --git a/net/core/dev.c b/net/core/dev.c > > > > index 683d493..4faa7ef 100644 > > > > --- a/net/core/dev.c > > > > +++ b/net/core/dev.c > > > > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) > > > > trace_netif_receive_skb(skb); > > > > > > > > orig_dev = skb->dev; > > > > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; > > > > > > > > skb_reset_networ...

..., just to give you the idea: > > > > > > > > diff --git a/net/core/dev.c b/net/core/dev.c > > > > index 683d493..4faa7ef 100644 > > > > --- a/net/core/dev.c > > > > +++ b/net/core/dev.c > > > > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) > > > > trace_netif_receive_skb(skb); > > > > > > > > orig_dev = skb->dev; > > > > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; > > > > > > > > skb_reset_networ...

vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in

vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in

...t; >> > >> For example, just to give you the idea: > >> > >> diff --git a/net/core/dev.c b/net/core/dev.c > >> index 683d493..4faa7ef 100644 > >> --- a/net/core/dev.c > >> +++ b/net/core/dev.c > >> @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) > >> trace_netif_receive_skb(skb); > >> > >> orig_dev = skb->dev; > >> + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; > >> > >> skb_reset_network_header(skb); > >> if (!...

...t; >> > >> For example, just to give you the idea: > >> > >> diff --git a/net/core/dev.c b/net/core/dev.c > >> index 683d493..4faa7ef 100644 > >> --- a/net/core/dev.c > >> +++ b/net/core/dev.c > >> @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) > >> trace_netif_receive_skb(skb); > >> > >> orig_dev = skb->dev; > >> + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; > >> > >> skb_reset_network_header(skb); > >> if (!...

...782.525596] ip_vs_remote_request4+0x47/0xa0 [ip_vs] [ 782.525598] ? ip_vs_in.part.29.constprop.36+0x640/0x640 [ip_vs] [ 782.525600] nf_hook_slow+0x43/0xc0 [ 782.525602] ip_local_deliver+0xac/0xc0 [ 782.525604] ? ip_rcv_finish+0x400/0x400 [ 782.525606] ip_rcv+0x26c/0x380 [ 782.525610] __netif_receive_skb_core+0x3a0/0xb10 [ 782.525629] ? inet_gro_receive+0x23c/0x2b0 [ 782.525631] ? netif_receive_skb_internal+0x24/0xb0 [ 782.525633] netif_receive_skb_internal+0x24/0xb0 [ 782.525635] napi_gro_receive+0xb8/0xe0 [ 782.525638] xennet_poll+0x676/0xb40 [xen_netfront] [ 782.525641] net_rx_action+0x13...

...air summary? If yes, we can make this a bit harder by mixing in some data per input and/or output devices. For example, just to give you the idea: diff --git a/net/core/dev.c b/net/core/dev.c index 683d493..4faa7ef 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) trace_netif_receive_skb(skb); orig_dev = skb->dev; + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; skb_reset_network_header(skb); if (!skb_transport_header_was_set(skb)) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c inde...

...air summary? If yes, we can make this a bit harder by mixing in some data per input and/or output devices. For example, just to give you the idea: diff --git a/net/core/dev.c b/net/core/dev.c index 683d493..4faa7ef 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) trace_netif_receive_skb(skb); orig_dev = skb->dev; + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; skb_reset_network_header(skb); if (!skb_transport_header_was_set(skb)) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c inde...

Hello, On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin wrote: > On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote: > > On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote: > > > On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote: > > > > On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote: > > > >> On Tue, Jan 27, 2015

Hello, On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin wrote: > On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote: > > On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote: > > > On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote: > > > > On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote: > > > >> On Tue, Jan 27, 2015

...data per input and/or output devices. >> >> For example, just to give you the idea: >> >> diff --git a/net/core/dev.c b/net/core/dev.c >> index 683d493..4faa7ef 100644 >> --- a/net/core/dev.c >> +++ b/net/core/dev.c >> @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc) >> trace_netif_receive_skb(skb); >> >> orig_dev = skb->dev; >> + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex; >> >> skb_reset_network_header(skb); >> if (!skb_transport_header_was_set(skb))...