From: Maciej Żenczykowski
Subject: crash in xt_policy due to skb_dst_drop() in nf_ct_frag6_gather()
Date: Mon, 15 Oct 2018 21:13:25 -0700
To: Lorenzo Colitti, Eric Dumazet, Florian Westphal, Linux NetDev, Maciej Zenczykowski, Maciej Żenczykowski
Sender: netdev-owner@vger.kernel.org

I believe that:

commit ad8b1ffc3efae2f65080bdb11145c87d299b8f9a
Author: Florian Westphal

    netfilter: ipv6: nf_defrag: drop skb dst before queueing

+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -618,6 +618,8 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
             fq->q.meat == fq->q.len &&
             nf_ct_frag6_reasm(fq, skb, dev))
                 ret = 0;
+        else
+                skb_dst_drop(skb);
 
 out_unlock:
         spin_unlock_bh(&fq->q.lock);

is causing a crash on android after upgrading from 4.9.96 to 4.9.119

This is because clatd ipv4 to ipv6 translation user space daemon is
functionally equivalent to the syzkaller reproducer. It will convert
ipv4 frags it receives via tap into ipv6 frags which it will write out
via rawv6 sendmsg.

However we are also using xt_policy, after stripping cruft this is basically:

  ip6tables -A OUTPUT -m policy --dir out --pol ipsec

Crash is:

match_policy_out()
        const struct dst_entry *dst = skb_dst(skb);  // returns NULL
        if (dst->xfrm == NULL)                       <-- dst == NULL -> panic

[ 1136.606948] c1 2675 [] policy_mt+0x34/0x18c
[ 1136.606954] c1 2675 [] ip6t_do_table+0x280/0x684
[ 1136.606961] c1 2675 [] ip6table_filter_hook+0x20/0x28
[ 1136.606969] c1 2675 [] nf_hook_slow+0x98/0x154
[ 1136.606977] c1 2675 [] rawv6_sendmsg+0xd14/0x1520
[ 1136.606985] c1 2675 [] inet_sendmsg+0x100/0x1b0
[ 1136.606993] c1 2675 [] ___sys_sendmsg+0x2a0/0x414
[ 1136.606999] c1 2675 [] SyS_sendmsg+0x94/0xe4

Just checking for NULL in xt_policy.c:match_policy_out() and returning
0 or 1 unconditionally seems to be the wrong thing to do, since after
all prior to skb_dst_drop() the skb->dst->xfrm might not have been NULL.

Maciej Żenczykowski, Kernel Networking Developer @ Google
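Review bot: the new else branch drops the dst on every skb for which reassembly did not complete, without distinguishing the local-output path from the input path; as the trace in this mail shows (rawv6_sendmsg -> nf_hook_slow -> ip6table_filter_hook -> policy_mt), an skb can still traverse later OUTPUT-chain matches after nf_ct_frag6_gather(), and xt_policy's match_policy_out() dereferences skb_dst(skb) with no NULL check. Since the xfrm state hanging off the dst is exactly what that match needs, a NULL check in the consumer would silently change the match result; the drop should instead be limited to the cases where the skb is actually queued and will not continue through the hooks, or the dst must be restored on the skb that does continue. This also deserves a sentence in the commit message stating which hook paths are expected to see a dst-less skb afterwards.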