[thirdparty/kernel/stable-queue.git] / releases / 4.4.160 / 6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch

From foo@baz Sat Sep 29 04:30:43 PDT 2018
From: Michael Scott <michael@opensourcefoundries.com>
Date: Tue, 19 Jun 2018 16:44:06 -0700
Subject: 6lowpan: iphc: reset mac_header after decompress to fix panic

From: Michael Scott <michael@opensourcefoundries.com>

[ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ]

After decompression of 6lowpan socket data, an IPv6 header is inserted
before the existing socket payload.  After this, we reset the
network_header value of the skb to account for the difference in payload
size from prior to decompression + the addition of the IPv6 header.

However, we fail to reset the mac_header value.

Leaving the mac_header value untouched here, can cause a calculation
error in net/packet/af_packet.c packet_rcv() function when an
AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
interface.

On line 2088, the data pointer is moved backward by the value returned
from skb_mac_header().  If skb->data is adjusted so that it is before
the skb->head pointer (which can happen when an old value of mac_header
is left in place) the kernel generates a panic in net/core/skbuff.c
line 1717.

This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
sources for compression and decompression.

Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
Acked-by: Alexander Aring <aring@mojatatu.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/6lowpan/iphc.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -569,6 +569,7 @@ int lowpan_header_decompress(struct sk_b
 		hdr.hop_limit, &hdr.daddr);
 
 	skb_push(skb, sizeof(hdr));
+	skb_reset_mac_header(skb);
 	skb_reset_network_header(skb);
 	skb_copy_to_linear_data(skb, &hdr, sizeof(hdr));
Commit	Line	Data
46eff07a GKH	1	From foo@baz Sat Sep 29 04:30:43 PDT 2018
	2	From: Michael Scott <michael@opensourcefoundries.com>
	3	Date: Tue, 19 Jun 2018 16:44:06 -0700
	4	Subject: 6lowpan: iphc: reset mac_header after decompress to fix panic
	5
	6	From: Michael Scott <michael@opensourcefoundries.com>
	7
	8	[ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ]
	9
	10	After decompression of 6lowpan socket data, an IPv6 header is inserted
	11	before the existing socket payload. After this, we reset the
	12	network_header value of the skb to account for the difference in payload
	13	size from prior to decompression + the addition of the IPv6 header.
	14
	15	However, we fail to reset the mac_header value.
	16
	17	Leaving the mac_header value untouched here, can cause a calculation
	18	error in net/packet/af_packet.c packet_rcv() function when an
	19	AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
	20	interface.
	21
	22	On line 2088, the data pointer is moved backward by the value returned
	23	from skb_mac_header(). If skb->data is adjusted so that it is before
	24	the skb->head pointer (which can happen when an old value of mac_header
	25	is left in place) the kernel generates a panic in net/core/skbuff.c
	26	line 1717.
	27
	28	This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
	29	802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
	30	sources for compression and decompression.
	31
	32	Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
	33	Acked-by: Alexander Aring <aring@mojatatu.com>
	34	Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
	35	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
	36	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	37	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	38	---
	39	net/6lowpan/iphc.c \| 1 +
	40	1 file changed, 1 insertion(+)
	41
	42	--- a/net/6lowpan/iphc.c
	43	+++ b/net/6lowpan/iphc.c
	44	@@ -569,6 +569,7 @@ int lowpan_header_decompress(struct sk_b
	45	hdr.hop_limit, &hdr.daddr);
	46
	47	skb_push(skb, sizeof(hdr));
	48	+ skb_reset_mac_header(skb);
	49	skb_reset_network_header(skb);
	50	skb_copy_to_linear_data(skb, &hdr, sizeof(hdr));
	51