From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
"David S. Miller" <davem@davemloft.net>,
"Jakub Sitnicki" <jkbs@redhat.com>,
"Ji Jianwen" <jiji@redhat.com>,
"Hannes Frederic Sowa" <hannes@stressinduktion.org>
Subject: [PATCH 3.2 112/115] ipv6: Count in extension headers in skb->network_header
Date: Wed, 27 Apr 2016 01:02:24 +0200
Message-ID: <lsq.1461711744.29929570@decadent.org.uk>
In-Reply-To: <lsq.1461711744.351546278@decadent.org.uk>
3.2.80-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Sitnicki <jkbs@redhat.com>
[ Upstream commit 3ba3458fb9c050718b95275a3310b74415e767e2 ]
When sending a UDPv6 message longer than MTU, account for the length
of fragmentable IPv6 extension headers in skb->network_header offset.
Same as we do in alloc_new_skb path in __ip6_append_data().

This ensures that later on __ip6_make_skb() will make space in
headroom for fragmentable extension headers:

	/* move skb->data to ip header from ext header */
	if (skb->data < skb_network_header(skb))
		__skb_pull(skb, skb_network_offset(skb));

Prevents a splat due to skb_under_panic:

skbuff: skb_under_panic: text:ffffffff8143397b len:2126 put:14 \
head:ffff880005bacf50 data:ffff880005bacf4a tail:0x48 end:0xc0 dev:lo
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:104!
invalid opcode: 0000 [#1] KASAN
CPU: 0 PID: 160 Comm: reproducer Not tainted 4.6.0-rc2 #65
[...]
Call Trace:
[<ffffffff813eb7b9>] skb_push+0x79/0x80
[<ffffffff8143397b>] eth_header+0x2b/0x100
[<ffffffff8141e0d0>] neigh_resolve_output+0x210/0x310
[<ffffffff814eab77>] ip6_finish_output2+0x4a7/0x7c0
[<ffffffff814efe3a>] ip6_output+0x16a/0x280
[<ffffffff815440c1>] ip6_local_out+0xb1/0xf0
[<ffffffff814f1115>] ip6_send_skb+0x45/0xd0
[<ffffffff81518836>] udp_v6_send_skb+0x246/0x5d0
[<ffffffff8151985e>] udpv6_sendmsg+0xa6e/0x1090
[...]
Reported-by: Ji Jianwen <jiji@redhat.com>
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv6/ip6_output.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1109,9 +1109,8 @@ static inline int ip6_ufo_append_data(st
int getfrag(void *from, char *to, int offset, int len,
int odd, struct sk_buff *skb),
void *from, int length, int hh_len, int fragheaderlen,
- int transhdrlen, int mtu,unsigned int flags,
- struct rt6_info *rt)
-
+ int exthdrlen, int transhdrlen, int mtu,
+ unsigned int flags, struct rt6_info *rt)
{
struct sk_buff *skb;
int err;
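Review bot: the new `exthdrlen` parameter in the `ip6_ufo_append_data()` signature has no comment saying what it measures, and it sits between `fragheaderlen` and `transhdrlen`, all plain `int`, so a call that passes the lengths in the wrong order compiles cleanly. A one-line comment above the function stating that `exthdrlen` is the length of the fragmentable extension headers (as the commit message puts it) and that it becomes the network header offset would make the contract checkable at each call site.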
@@ -1136,7 +1135,7 @@ static inline int ip6_ufo_append_data(st
skb_put(skb,fragheaderlen + transhdrlen);
/* initialize network header pointer */
- skb_reset_network_header(skb);
+ skb_set_network_header(skb, exthdrlen);
/* initialize protocol header pointer */
skb->transport_header = skb->network_header + fragheaderlen;
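Review bot: the unchanged `skb_put(skb,fragheaderlen + transhdrlen);` just above the modified line still sizes the data area without `exthdrlen`, while the network header now starts `exthdrlen` bytes past `skb->data` and `transport_header` follows at `network_header + fragheaderlen`. Please confirm that the headers still end at or before the tail when `exthdrlen` is non-zero, and say in the changelog how this matches the alloc_new_skb path it refers to. The existing comment only reads "initialize network header pointer"; a few words on why the offset is `exthdrlen` rather than 0 would save the next reader the trip to `__ip6_make_skb()`.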
@@ -1342,7 +1341,7 @@ int ip6_append_data(struct sock *sk, int
(rt->dst.dev->features & NETIF_F_UFO) &&
(sk->sk_type == SOCK_DGRAM)) {
err = ip6_ufo_append_data(sk, getfrag, from, length,
- hh_len, fragheaderlen,
+ hh_len, fragheaderlen, exthdrlen,
transhdrlen, mtu, flags, rt);
if (err)
goto error;
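Review bot: at the `ip6_ufo_append_data()` call, `exthdrlen` is computed outside the lines shown, and this is a backport with adjusted context into `ip6_append_data()` while the commit message talks about `__ip6_append_data()`. Worth confirming that in 3.2 the variable holds the same quantity at this point as it does upstream. The argument order does match the new prototype (`hh_len, fragheaderlen, exthdrlen,` then `transhdrlen, mtu, flags, rt`). Since only the branch guarded by `NETIF_F_UFO` and `SOCK_DGRAM` changes, a test that sends over a UFO-capable device with fragmentable extension headers set is what exercises this fix.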