linux-stable.git/drivers/net/ipvlan/ipvlan_core.c, branch linux-5.4.y

ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

2024-06-16T11:28:48+00:00

[ Upstream commit b3dc6e8003b500861fa307e9a3400c52e78e4d3a ]

Raw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will
hit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path.

WARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70
Modules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper
CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:sk_mc_loop+0x2d/0x70
Code: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c
RSP: 0018:ffffa9584015cd78 EFLAGS: 00010212
RAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001
RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000
RBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00
R10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000
R13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000
FS:  0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:

 ? __warn (kernel/panic.c:693)
 ? sk_mc_loop (net/core/sock.c:760)
 ? report_bug (lib/bug.c:201 lib/bug.c:219)
 ? handle_bug (arch/x86/kernel/traps.c:239)
 ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
 ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
 ? sk_mc_loop (net/core/sock.c:760)
 ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1))
 ? nf_hook_slow (net/netfilter/core.c:626)
 ip6_finish_output (net/ipv6/ip6_output.c:222)
 ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215)
 ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan
 ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan
 dev_hard_start_xmit (net/core/dev.c:3594)
 sch_direct_xmit (net/sched/sch_generic.c:343)
 __qdisc_run (net/sched/sch_generic.c:416)
 net_tx_action (net/core/dev.c:5286)
 handle_softirqs (kernel/softirq.c:555)
 __irq_exit_rcu (kernel/softirq.c:589)
 sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043)

The warning triggers as this:
packet_sendmsg
   packet_snd //skb->sk is packet sk
      __dev_queue_xmit
         __dev_xmit_skb //q->enqueue is not NULL
             __qdisc_run
               sch_direct_xmit
                 dev_hard_start_xmit
                   ipvlan_start_xmit
                      ipvlan_xmit_mode_l3 //l3 mode
                        ipvlan_process_outbound //vepa flag
                          ipvlan_process_v6_outbound
                            ip6_local_out
                                __ip6_finish_output
                                  ip6_finish_output2 //multicast packet
                                    sk_mc_loop //sk->sk_family is AF_PACKET

Call ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this.

Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Suggested-by: Eric Dumazet 
Signed-off-by: Yue Haibing 
Reviewed-by: Eric Dumazet 
Link: https://lore.kernel.org/r/20240529095633.613103-1-yuehaibing@huawei.com
Signed-off-by: Paolo Abeni 
Signed-off-by: Sasha Levin

ipvlan: add ipvlan_route_v6_outbound() helper

2023-11-28T16:50:16+00:00

[ Upstream commit 18f039428c7df183b09c69ebf10ffd4e521035d2 ]

Inspired by syzbot reports using a stack of multiple ipvlan devices.

Reduce stack size needed in ipvlan_process_v6_outbound() by moving
the flowi6 struct used for the route lookup in an non inlined
helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,
immediately reclaimed.

Also make sure ipvlan_process_v4_outbound() is not inlined.

We might also have to lower MAX_NEST_DEV, because only syzbot uses
setups with more than four stacked devices.

BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)
stack guard page: 0000 [#1] SMP KASAN
CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188
Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89
RSP: 0018:ffffc9000e804000 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568
RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c
R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000
FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<#DF>


[] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
[] instrument_atomic_read include/linux/instrumented.h:72 [inline]
[] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
[] cpumask_test_cpu include/linux/cpumask.h:506 [inline]
[] cpu_online include/linux/cpumask.h:1092 [inline]
[] trace_lock_acquire include/trace/events/lock.h:24 [inline]
[] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632
[] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306
[] rcu_read_lock include/linux/rcupdate.h:747 [inline]
[] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221
[] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606
[] pol_lookup_func include/net/ip6_fib.h:584 [inline]
[] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116
[] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638
[] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651
[] ip6_route_output include/net/ip6_route.h:100 [inline]
[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]
[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
[] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
[] xmit_one net/core/dev.c:3644 [inline]
[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
[] neigh_hh_output include/net/neighbour.h:529 [inline]
[] neigh_output include/net/neighbour.h:543 [inline]
[] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
[] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
[] dst_output include/net/dst.h:444 [inline]
[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
[] xmit_one net/core/dev.c:3644 [inline]
[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
[] neigh_hh_output include/net/neighbour.h:529 [inline]
[] neigh_output include/net/neighbour.h:543 [inline]
[] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
[] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
[] dst_output include/net/dst.h:444 [inline]
[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
[] xmit_one net/core/dev.c:3644 [inline]
[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
[] neigh_hh_output include/net/neighbour.h:529 [inline]
[] neigh_output include/net/neighbour.h:543 [inline]
[] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
[] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
[] dst_output include/net/dst.h:444 [inline]
[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
[] xmit_one net/core/dev.c:3644 [inline]
[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
[] neigh_hh_output include/net/neighbour.h:529 [inline]
[] neigh_output include/net/neighbour.h:543 [inline]
[] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
[] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
[] dst_output include/net/dst.h:444 [inline]
[] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
[] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
[] xmit_one net/core/dev.c:3644 [inline]
[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
[] neigh_resolve_output+0x64e/0x750 net/core/neighbour.c:1560
[] neigh_output include/net/neighbour.h:545 [inline]
[] ip6_finish_output2+0x1643/0x1ae0 net/ipv6/ip6_output.c:139
[] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
[] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
[] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
[] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
[] dst_output include/net/dst.h:444 [inline]
[] NF_HOOK include/linux/netfilter.h:309 [inline]
[] ip6_xmit+0x11a4/0x1b20 net/ipv6/ip6_output.c:352
[] sctp_v6_xmit+0x9ae/0x1230 net/sctp/ipv6.c:250
[] sctp_packet_transmit+0x25de/0x2bc0 net/sctp/output.c:653
[] sctp_packet_singleton+0x202/0x310 net/sctp/outqueue.c:783
[] sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
[] sctp_outq_flush+0x661/0x3d40 net/sctp/outqueue.c:1212
[] sctp_outq_uncork+0x79/0xb0 net/sctp/outqueue.c:764
[] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
[] sctp_do_sm+0x55c0/0x5c30 net/sctp/sm_sideeffect.c:1170
[] sctp_primitive_ASSOCIATE+0x97/0xc0 net/sctp/primitive.c:73
[] sctp_sendmsg_to_asoc+0xf62/0x17b0 net/sctp/socket.c:1839
[] sctp_sendmsg+0x212e/0x33b0 net/sctp/socket.c:2029
[] inet_sendmsg+0x149/0x310 net/ipv4/af_inet.c:849
[] sock_sendmsg_nosec net/socket.c:716 [inline]
[] sock_sendmsg net/socket.c:736 [inline]
[] ____sys_sendmsg+0x572/0x8c0 net/socket.c:2504
[] ___sys_sendmsg net/socket.c:2558 [inline]
[] __sys_sendmsg+0x271/0x360 net/socket.c:2587
[] __do_sys_sendmsg net/socket.c:2596 [inline]
[] __se_sys_sendmsg net/socket.c:2594 [inline]
[] __x64_sys_sendmsg+0x7f/0x90 net/socket.c:2594
[] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
[] do_syscall_64+0x53/0x80 arch/x86/entry/common.c:84
[] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Reported-by: syzbot 
Signed-off-by: Eric Dumazet 
Cc: Mahesh Bandewar 
Cc: Willem de Bruijn 
Reviewed-by: Willem de Bruijn 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin

ipvlan: properly track tx_errors

2023-11-20T09:30:10+00:00

[ Upstream commit ff672b9ffeb3f82135488ac16c5c5eb4b992999b ]

Both ipvlan_process_v4_outbound() and ipvlan_process_v6_outbound()
increment dev->stats.tx_errors in case of errors.

Unfortunately there are two issues :

1) ipvlan_get_stats64() does not propagate dev->stats.tx_errors to user.

2) Increments are not atomic. KCSAN would complain eventually.

Use DEV_STATS_INC() to not miss an update, and change ipvlan_get_stats64()
to copy the value back to user.

Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: Eric Dumazet 
Cc: Mahesh Bandewar 
Link: https://lore.kernel.org/r/20231026131446.3933175-1-edumazet@google.com
Signed-off-by: Jakub Kicinski 
Signed-off-by: Sasha Levin

ipvlan: Fix return value of ipvlan_queue_xmit()

2023-07-27T06:37:12+00:00

[ Upstream commit 8a9922e7be6d042fa00f894c376473b17a162b66 ]

ipvlan_queue_xmit() should return NET_XMIT_XXX, but
ipvlan_xmit_mode_l2/l3() returns rx_handler_result_t or NET_RX_XXX
in some cases. ipvlan_rcv_frame() will only return RX_HANDLER_CONSUMED
in ipvlan_xmit_mode_l2/l3() because 'local' is true. It's equal to
NET_XMIT_SUCCESS. But dev_forward_skb() can return NET_RX_SUCCESS or
NET_RX_DROP, and returning NET_RX_DROP(NET_XMIT_DROP) will increase
both ipvlan and ipvlan->phy_dev drops counter.

The skb to forward can be treated as xmitted successfully. This patch
makes ipvlan_queue_xmit() return NET_XMIT_SUCCESS for forward skb.

Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: Cambda Zhu 
Link: https://lore.kernel.org/r/20230626093347.7492-1-cambda@linux.alibaba.com
Signed-off-by: Paolo Abeni 
Signed-off-by: Sasha Levin

ipvlan:Fix out-of-bounds caused by unclear skb->cb

2023-05-30T11:44:01+00:00

[ Upstream commit 90cbed5247439a966b645b34eb0a2e037836ea8e ]

If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which
is actually skb->cb, and IPCB(skb_in)->opt will be used in
__ip_options_echo. It is possible that memcpy is out of bounds and lead
to stack overflow.
We should clear skb->cb before ip_local_out or ip6_local_out.

v2:
1. clean the stack info
2. use IPCB/IP6CB instead of skb->cb

crash on stable-5.10(reproduce in kasan kernel).
Stack info:
[ 2203.651571] BUG: KASAN: stack-out-of-bounds in
__ip_options_echo+0x589/0x800
[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task
swapper/3/0
[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted
5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
[ 2203.655475] Call Trace:
[ 2203.655481]  
[ 2203.655501]  dump_stack+0x9c/0xd3
[ 2203.655514]  print_address_description.constprop.0+0x19/0x170
[ 2203.655530]  __kasan_report.cold+0x6c/0x84
[ 2203.655586]  kasan_report+0x3a/0x50
[ 2203.655594]  check_memory_region+0xfd/0x1f0
[ 2203.655601]  memcpy+0x39/0x60
[ 2203.655608]  __ip_options_echo+0x589/0x800
[ 2203.655654]  __icmp_send+0x59a/0x960
[ 2203.655755]  nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
[ 2203.655763]  reject_tg+0x77/0x1bf [ipt_REJECT]
[ 2203.655772]  ipt_do_table+0x691/0xa40 [ip_tables]
[ 2203.655821]  nf_hook_slow+0x69/0x100
[ 2203.655828]  __ip_local_out+0x21e/0x2b0
[ 2203.655857]  ip_local_out+0x28/0x90
[ 2203.655868]  ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]
[ 2203.655931]  ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]
[ 2203.655967]  ipvlan_queue_xmit+0xb3/0x190 [ipvlan]
[ 2203.655977]  ipvlan_start_xmit+0x2e/0xb0 [ipvlan]
[ 2203.655984]  xmit_one.constprop.0+0xe1/0x280
[ 2203.655992]  dev_hard_start_xmit+0x62/0x100
[ 2203.656000]  sch_direct_xmit+0x215/0x640
[ 2203.656028]  __qdisc_run+0x153/0x1f0
[ 2203.656069]  __dev_queue_xmit+0x77f/0x1030
[ 2203.656173]  ip_finish_output2+0x59b/0xc20
[ 2203.656244]  __ip_finish_output.part.0+0x318/0x3d0
[ 2203.656312]  ip_finish_output+0x168/0x190
[ 2203.656320]  ip_output+0x12d/0x220
[ 2203.656357]  __ip_queue_xmit+0x392/0x880
[ 2203.656380]  __tcp_transmit_skb+0x1088/0x11c0
[ 2203.656436]  __tcp_retransmit_skb+0x475/0xa30
[ 2203.656505]  tcp_retransmit_skb+0x2d/0x190
[ 2203.656512]  tcp_retransmit_timer+0x3af/0x9a0
[ 2203.656519]  tcp_write_timer_handler+0x3ba/0x510
[ 2203.656529]  tcp_write_timer+0x55/0x180
[ 2203.656542]  call_timer_fn+0x3f/0x1d0
[ 2203.656555]  expire_timers+0x160/0x200
[ 2203.656562]  run_timer_softirq+0x1f4/0x480
[ 2203.656606]  __do_softirq+0xfd/0x402
[ 2203.656613]  asm_call_irq_on_stack+0x12/0x20
[ 2203.656617]  
[ 2203.656623]  do_softirq_own_stack+0x37/0x50
[ 2203.656631]  irq_exit_rcu+0x134/0x1a0
[ 2203.656639]  sysvec_apic_timer_interrupt+0x36/0x80
[ 2203.656646]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 2203.656654] RIP: 0010:default_idle+0x13/0x20
[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc
cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb
f4  cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08
[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256
[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX:
ffffffffaf290191
[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI:
ffff88811a3c4f60
[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09:
ffff88811a3c4f63
[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12:
0000000000000003
[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15:
0000000000000000
[ 2203.656729]  default_idle_call+0x5a/0x150
[ 2203.656735]  cpuidle_idle_call+0x1c6/0x220
[ 2203.656780]  do_idle+0xab/0x100
[ 2203.656786]  cpu_startup_entry+0x19/0x20
[ 2203.656793]  secondary_startup_64_no_verify+0xc2/0xcb

[ 2203.657409] The buggy address belongs to the page:
[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x11a388
[ 2203.658665] flags:
0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208
0000000000000000
[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff
0000000000000000
[ 2203.658686] page dumped because: kasan: bad access detected

To reproduce(ipvlan with IPVLAN_MODE_L3):
Env setting:
=======================================================
modprobe ipvlan ipvlan_default_mode=1
sysctl net.ipv4.conf.eth0.forwarding=1
iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j
MASQUERADE
ip link add gw link eth0 type ipvlan
ip -4 addr add 20.0.0.254/24 dev gw
ip netns add net1
ip link add ipv1 link eth0 type ipvlan
ip link set ipv1 netns net1
ip netns exec net1 ip link set ipv1 up
ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1
ip netns exec net1 route add default gw 20.0.0.254
ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%
ifconfig gw up
iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with
icmp-port-unreachable
=======================================================
And then excute the shell(curl any address of eth0 can reach):

for((i=1;i<=100000;i++))
do
        ip netns exec net1 curl x.x.x.x:8888
done
=======================================================

Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: "t.feng" 
Suggested-by: Florian Westphal 
Reviewed-by: Paolo Abeni 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin

ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header

2022-09-28T09:04:05+00:00

[ Upstream commit 81225b2ea161af48e093f58e8dfee6d705b16af4 ]

If an AF_PACKET socket is used to send packets through ipvlan and the
default xmit function of the AF_PACKET socket is changed from
dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option
name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and
remains as the initial value of 65535, this may trigger slab-out-of-bounds
bugs as following:

=================================================================
UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6
ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33
all Trace:
print_address_description.constprop.0+0x1d/0x160
print_report.cold+0x4f/0x112
kasan_report+0xa3/0x130
ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
ipvlan_start_xmit+0x29/0xa0 [ipvlan]
__dev_direct_xmit+0x2e2/0x380
packet_direct_xmit+0x22/0x60
packet_snd+0x7c9/0xc40
sock_sendmsg+0x9a/0xa0
__sys_sendto+0x18a/0x230
__x64_sys_sendto+0x74/0x90
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is:
  1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW
     and skb->protocol is not specified as in packet_parse_headers()

  2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()

In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is
called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which
use "skb->head + skb->mac_header", out-of-bound access occurs.

This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()
and reset mac header in multicast to solve this out-of-bound bug.

Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: Lu Wei 
Reviewed-by: Eric Dumazet 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin

ipvlan: don't deref eth hdr before checking it's set

2020-03-18T06:17:39+00:00

[ Upstream commit ad8192767c9f9cf97da57b9ffcea70fb100febef ]

IPvlan in L3 mode discards outbound multicast packets but performs
the check before ensuring the ether-header is set or not. This is
an error that Eric found through code browsing.

Fixes: 2ad7bf363841 (“ipvlan: Initial check-in of the IPVLAN driver.”)
Signed-off-by: Mahesh Bandewar 
Reported-by: Eric Dumazet 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman

ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast()

2020-03-18T06:17:39+00:00

[ Upstream commit afe207d80a61e4d6e7cfa0611a4af46d0ba95628 ]

Commit e18b353f102e ("ipvlan: add cond_resched_rcu() while
processing muticast backlog") added a cond_resched_rcu() in a loop
using rcu protection to iterate over slaves.

This is breaking rcu rules, so lets instead use cond_resched()
at a point we can reschedule

Fixes: e18b353f102e ("ipvlan: add cond_resched_rcu() while processing muticast backlog")
Signed-off-by: Eric Dumazet 
Cc: Mahesh Bandewar 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman

ipvlan: add cond_resched_rcu() while processing muticast backlog

2020-03-18T06:17:38+00:00

[ Upstream commit e18b353f102e371580f3f01dd47567a25acc3c1d ]

If there are substantial number of slaves created as simulated by
Syzbot, the backlog processing could take much longer and result
into the issue found in the Syzbot report.

INFO: rcu_sched detected stalls on CPUs/tasks:
        (detected by 1, t=10502 jiffies, g=5049, c=5048, q=752)
All QSes seen, last rcu_sched kthread activity 10502 (4294965563-4294955061), jiffies_till_next_fqs=1, root ->qsmask 0x0
syz-executor.1  R  running task on cpu   1  10984 11210   3866 0x30020008 179034491270
Call Trace:
 
 [] _sched_show_task kernel/sched/core.c:8063 [inline]
 [] _sched_show_task.cold+0x2fd/0x392 kernel/sched/core.c:8030
 [] sched_show_task+0xb/0x10 kernel/sched/core.c:8073
 [] print_other_cpu_stall kernel/rcu/tree.c:1577 [inline]
 [] check_cpu_stall kernel/rcu/tree.c:1695 [inline]
 [] __rcu_pending kernel/rcu/tree.c:3478 [inline]
 [] rcu_pending kernel/rcu/tree.c:3540 [inline]
 [] rcu_check_callbacks.cold+0xbb4/0xc29 kernel/rcu/tree.c:2876
 [] update_process_times+0x32/0x80 kernel/time/timer.c:1635
 [] tick_sched_handle+0xa0/0x180 kernel/time/tick-sched.c:161
 [] tick_sched_timer+0x44/0x130 kernel/time/tick-sched.c:1193
 [] __run_hrtimer kernel/time/hrtimer.c:1393 [inline]
 [] __hrtimer_run_queues+0x307/0xd90 kernel/time/hrtimer.c:1455
 [] hrtimer_interrupt+0x2ea/0x730 kernel/time/hrtimer.c:1513
 [] local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1031 [inline]
 [] smp_apic_timer_interrupt+0x144/0x5e0 arch/x86/kernel/apic/apic.c:1056
 [] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778
RIP: 0010:do_raw_read_lock+0x22/0x80 kernel/locking/spinlock_debug.c:153
RSP: 0018:ffff8801dad07ab8 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff12
RAX: 0000000000000000 RBX: ffff8801c4135680 RCX: 0000000000000000
RDX: 1ffff10038826afe RSI: ffff88019d816bb8 RDI: ffff8801c41357f0
RBP: ffff8801dad07ac0 R08: 0000000000004b15 R09: 0000000000310273
R10: ffff88019d816bb8 R11: 0000000000000001 R12: ffff8801c41357e8
R13: 0000000000000000 R14: ffff8801cfb19850 R15: ffff8801cfb198b0
 [] __raw_read_lock_bh include/linux/rwlock_api_smp.h:177 [inline]
 [] _raw_read_lock_bh+0x3e/0x50 kernel/locking/spinlock.c:240
 [] ipv6_chk_mcast_addr+0x11a/0x6f0 net/ipv6/mcast.c:1006
 [] ip6_mc_input+0x319/0x8e0 net/ipv6/ip6_input.c:482
 [] dst_input include/net/dst.h:449 [inline]
 [] ip6_rcv_finish+0x408/0x610 net/ipv6/ip6_input.c:78
 [] NF_HOOK include/linux/netfilter.h:292 [inline]
 [] NF_HOOK include/linux/netfilter.h:286 [inline]
 [] ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:278
 [] __netif_receive_skb_one_core+0x12a/0x1f0 net/core/dev.c:5303
 [] __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:5417
 [] process_backlog+0x216/0x6c0 net/core/dev.c:6243
 [] napi_poll net/core/dev.c:6680 [inline]
 [] net_rx_action+0x47b/0xfb0 net/core/dev.c:6748
 [] __do_softirq+0x2c8/0x99a kernel/softirq.c:317
 [] invoke_softirq kernel/softirq.c:399 [inline]
 [] irq_exit+0x16a/0x1a0 kernel/softirq.c:439
 [] exiting_irq arch/x86/include/asm/apic.h:561 [inline]
 [] smp_apic_timer_interrupt+0x165/0x5e0 arch/x86/kernel/apic/apic.c:1058
 [] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778
 
RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:102
RSP: 0018:ffff880196033bd8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff12
RAX: ffff88019d8161c0 RBX: 00000000ffffffff RCX: ffffc90003501000
RDX: 0000000000000002 RSI: ffffffff816236d1 RDI: 0000000000000005
RBP: ffff880196033bd8 R08: ffff88019d8161c0 R09: 0000000000000000
R10: 1ffff10032c067f0 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
 [] do_futex+0x151/0x1d50 kernel/futex.c:3548
 [] C_SYSC_futex kernel/futex_compat.c:201 [inline]
 [] compat_SyS_futex+0x270/0x3b0 kernel/futex_compat.c:175
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:353 [inline]
 [] do_fast_syscall_32+0x357/0xe1c arch/x86/entry/common.c:415
 [] entry_SYSENTER_compat+0x8b/0x9d arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f23c69
RSP: 002b:00000000f5d1f12c EFLAGS: 00000282 ORIG_RAX: 00000000000000f0
RAX: ffffffffffffffda RBX: 000000000816af88 RCX: 0000000000000080
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000816af8c
RBP: 00000000f5d1f228 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
rcu_sched kthread starved for 10502 jiffies! g5049 c5048 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=1
rcu_sched       R  running task on cpu   1  13048     8      2 0x90000000 179099587640
Call Trace:
 [] context_switch+0x60f/0xa60 kernel/sched/core.c:3209
 [] __schedule+0x5aa/0x1da0 kernel/sched/core.c:3934
 [] schedule+0x8f/0x1b0 kernel/sched/core.c:4011
 [] schedule_timeout+0x50d/0xee0 kernel/time/timer.c:1803
 [] rcu_gp_kthread+0xda1/0x3b50 kernel/rcu/tree.c:2327
 [] kthread+0x348/0x420 kernel/kthread.c:246
 [] ret_from_fork+0x56/0x70 arch/x86/entry/entry_64.S:393

Fixes: ba35f8588f47 (“ipvlan: Defer multicast / broadcast processing to a work-queue”)
Signed-off-by: Mahesh Bandewar 
Reported-by: syzbot 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152

2019-05-30T18:26:32+00:00

Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 3029 file(s).

Signed-off-by: Thomas Gleixner 
Reviewed-by: Allison Randal 
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
Signed-off-by: Greg Kroah-Hartman