From: Greg Kroah-Hartman Date: Sun, 17 Jun 2018 11:23:04 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.16.17~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=43c39fbbde0f29ccc5957076d3f202b8027ff266;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: atm-zatm-fix-memcmp-casting.patch ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch net-qmi_wwan-add-netgear-aircard-779s.patch net-sonic-use-dma_mapping_error.patch netfilter-ebtables-handle-string-from-userspace-with-care.patch xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch --- diff --git a/queue-4.4/atm-zatm-fix-memcmp-casting.patch b/queue-4.4/atm-zatm-fix-memcmp-casting.patch new file mode 100644 index 00000000000..1b787a603cc --- /dev/null +++ b/queue-4.4/atm-zatm-fix-memcmp-casting.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 13:05:08 CEST 2018 +From: Ivan Bornyakov +Date: Fri, 25 May 2018 20:49:52 +0300 +Subject: atm: zatm: fix memcmp casting + +From: Ivan Bornyakov + +[ Upstream commit f9c6442a8f0b1dde9e755eb4ff6fa22bcce4eabc ] + +memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One +can lose significant bits and get 0 from non-0 value returned by the +memcmp(). + +Signed-off-by: Ivan Bornyakov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/atm/zatm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/atm/zatm.c ++++ b/drivers/atm/zatm.c +@@ -1149,8 +1149,8 @@ static void eprom_get_byte(struct zatm_d + } + + +-static unsigned char eprom_try_esi(struct atm_dev *dev, unsigned short cmd, +- int offset, int swap) ++static int eprom_try_esi(struct atm_dev *dev, unsigned short cmd, int offset, ++ int swap) + { + unsigned char buf[ZEPROM_SIZE]; + struct zatm_dev *zatm_dev; diff --git a/queue-4.4/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch b/queue-4.4/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch new file mode 100644 index 00000000000..ccaec114828 --- /dev/null +++ b/queue-4.4/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch @@ -0,0 +1,146 @@ +From foo@baz Sun Jun 17 13:05:08 CEST 2018 +From: Julian Anastasov +Date: Sat, 19 May 2018 18:22:35 +0300 +Subject: ipvs: fix buffer overflow with sync daemon and service + +From: Julian Anastasov + +[ Upstream commit 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a ] + +syzkaller reports for buffer overflow for interface name +when starting sync daemons [1] + +What we do is that we copy user structure into larger stack +buffer but later we search NUL past the stack buffer. +The same happens for sched_name when adding/editing virtual server. + +We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN +being used as size in include/uapi/linux/ip_vs.h, so they +include the space for NUL. + +As using strlcpy is wrong for unsafe source, replace it with +strscpy and add checks to return EINVAL if source string is not +NUL-terminated. The incomplete strlcpy fix comes from 2.6.13. + +For the netlink interface reduce the len parameter for +IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME, +so that we get proper EINVAL. + +[1] +kernel BUG at lib/string.c:1052! +invalid opcode: 0000 [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051 +RSP: 0018:ffff8801c976f800 EFLAGS: 00010282 +RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000 +RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6 +RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0 +R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20 +R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b +FS: 00007fd99f75e700(0000) GS:ffff8801daf00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + strlen include/linux/string.h:270 [inline] + strlcpy include/linux/string.h:293 [inline] + do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388 + nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] + nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115 + ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253 + udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487 + ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917 + tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057 + sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046 + __sys_setsockopt+0x1bd/0x390 net/socket.c:1903 + __do_sys_setsockopt net/socket.c:1914 [inline] + __se_sys_setsockopt net/socket.c:1911 [inline] + __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911 + do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x447369 +RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 +RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369 +RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000 +R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0 +R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001 +Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb +de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90 +90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56 +RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800 + +Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com +Fixes: e4ff67513096 ("ipvs: add sync_maxlen parameter for the sync daemon") +Fixes: 4da62fc70d7c ("[IPVS]: Fix for overflows") +Signed-off-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipvs/ip_vs_ctl.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2349,8 +2349,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cm + struct ipvs_sync_daemon_cfg cfg; + + memset(&cfg, 0, sizeof(cfg)); +- strlcpy(cfg.mcast_ifn, dm->mcast_ifn, +- sizeof(cfg.mcast_ifn)); ++ ret = -EINVAL; ++ if (strscpy(cfg.mcast_ifn, dm->mcast_ifn, ++ sizeof(cfg.mcast_ifn)) <= 0) ++ goto out_dec; + cfg.syncid = dm->syncid; + ret = start_sync_thread(ipvs, &cfg, dm->state); + } else { +@@ -2388,12 +2390,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cm + } + } + ++ if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) && ++ strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) == ++ IP_VS_SCHEDNAME_MAXLEN) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } ++ + /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */ + if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP && + usvc.protocol != IPPROTO_SCTP) { +- pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n", ++ pr_err("set_ctl: invalid protocol: %d %pI4:%d\n", + usvc.protocol, &usvc.addr.ip, +- ntohs(usvc.port), usvc.sched_name); ++ ntohs(usvc.port)); + ret = -EFAULT; + goto out_unlock; + } +@@ -2822,7 +2831,7 @@ static const struct nla_policy ip_vs_cmd + static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = { + [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 }, + [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING, +- .len = IP_VS_IFNAME_MAXLEN }, ++ .len = IP_VS_IFNAME_MAXLEN - 1 }, + [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 }, + [IPVS_DAEMON_ATTR_SYNC_MAXLEN] = { .type = NLA_U16 }, + [IPVS_DAEMON_ATTR_MCAST_GROUP] = { .type = NLA_U32 }, +@@ -2840,7 +2849,7 @@ static const struct nla_policy ip_vs_svc + [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 }, + [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 }, + [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING, +- .len = IP_VS_SCHEDNAME_MAXLEN }, ++ .len = IP_VS_SCHEDNAME_MAXLEN - 1 }, + [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING, + .len = IP_VS_PENAME_MAXLEN }, + [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY, diff --git a/queue-4.4/net-qmi_wwan-add-netgear-aircard-779s.patch b/queue-4.4/net-qmi_wwan-add-netgear-aircard-779s.patch new file mode 100644 index 00000000000..7415777cca5 --- /dev/null +++ b/queue-4.4/net-qmi_wwan-add-netgear-aircard-779s.patch @@ -0,0 +1,30 @@ +From foo@baz Sun Jun 17 13:05:08 CEST 2018 +From: Josh Hill +Date: Sun, 27 May 2018 20:10:41 -0400 +Subject: net: qmi_wwan: Add Netgear Aircard 779S + +From: Josh Hill + +[ Upstream commit 2415f3bd059fe050eb98aedf93664d000ceb4e92 ] + +Add support for Netgear Aircard 779S + +Signed-off-by: Josh Hill +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -635,6 +635,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x05c6, 0x920d, 0)}, + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)}, + {QMI_FIXED_INTF(0x0846, 0x68a2, 8)}, ++ {QMI_FIXED_INTF(0x0846, 0x68d3, 8)}, /* Netgear Aircard 779S */ + {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */ + {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */ + {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */ diff --git a/queue-4.4/net-sonic-use-dma_mapping_error.patch b/queue-4.4/net-sonic-use-dma_mapping_error.patch new file mode 100644 index 00000000000..d87cb1eba21 --- /dev/null +++ b/queue-4.4/net-sonic-use-dma_mapping_error.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 13:05:08 CEST 2018 +From: Finn Thain +Date: Wed, 30 May 2018 13:03:51 +1000 +Subject: net/sonic: Use dma_mapping_error() + +From: Finn Thain + +[ Upstream commit 26de0b76d9ba3200f09c6cb9d9618bda338be5f7 ] + +With CONFIG_DMA_API_DEBUG=y, calling sonic_open() produces the +message, "DMA-API: device driver failed to check map error". +Add the missing dma_mapping_error() call. + +Cc: Thomas Bogendoerfer +Signed-off-by: Finn Thain +Acked-by: Thomas Bogendoerfer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/natsemi/sonic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/natsemi/sonic.c ++++ b/drivers/net/ethernet/natsemi/sonic.c +@@ -71,7 +71,7 @@ static int sonic_open(struct net_device + for (i = 0; i < SONIC_NUM_RRS; i++) { + dma_addr_t laddr = dma_map_single(lp->device, skb_put(lp->rx_skb[i], SONIC_RBSIZE), + SONIC_RBSIZE, DMA_FROM_DEVICE); +- if (!laddr) { ++ if (dma_mapping_error(lp->device, laddr)) { + while(i > 0) { /* free any that were mapped successfully */ + i--; + dma_unmap_single(lp->device, lp->rx_laddr[i], SONIC_RBSIZE, DMA_FROM_DEVICE); diff --git a/queue-4.4/netfilter-ebtables-handle-string-from-userspace-with-care.patch b/queue-4.4/netfilter-ebtables-handle-string-from-userspace-with-care.patch new file mode 100644 index 00000000000..dc35fbad3ae --- /dev/null +++ b/queue-4.4/netfilter-ebtables-handle-string-from-userspace-with-care.patch @@ -0,0 +1,100 @@ +From foo@baz Sun Jun 17 13:05:08 CEST 2018 +From: Paolo Abeni +Date: Fri, 27 Apr 2018 10:45:31 +0200 +Subject: netfilter: ebtables: handle string from userspace with care + +From: Paolo Abeni + +[ Upstream commit 94c752f99954797da583a84c4907ff19e92550a4 ] + +strlcpy() can't be safely used on a user-space provided string, +as it can try to read beyond the buffer's end, if the latter is +not NULL terminated. + +Leveraging the above, syzbot has been able to trigger the following +splat: + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 +[inline] +BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user +net/bridge/netfilter/ebtables.c:1957 [inline] +BUG: KASAN: stack-out-of-bounds in ebt_size_mwt +net/bridge/netfilter/ebtables.c:2059 [inline] +BUG: KASAN: stack-out-of-bounds in size_entry_mwt +net/bridge/netfilter/ebtables.c:2155 [inline] +BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0 +net/bridge/netfilter/ebtables.c:2194 +Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504 + +CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1b9/0x294 lib/dump_stack.c:113 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline] + ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline] + size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline] + compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194 + compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285 + compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367 + compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline] + compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156 + compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279 + inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041 + compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901 + compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050 + __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403 + __do_compat_sys_setsockopt net/compat.c:416 [inline] + __se_compat_sys_setsockopt net/compat.c:413 [inline] + __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413 + do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline] + do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394 + entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 +RIP: 0023:0xf7fb3cb9 +RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000 +RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +The buggy address belongs to the page: +page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +flags: 0x2fffc0000000000() +raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff +raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000 +page dumped because: kasan: bad access detected + +Fix the issue replacing the unsafe function with strscpy() and +taking care of possible errors. + +Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") +Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/netfilter/ebtables.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1912,7 +1912,8 @@ static int compat_mtw_from_user(struct c + int off, pad = 0; + unsigned int size_kern, match_size = mwt->match_size; + +- strlcpy(name, mwt->u.name, sizeof(name)); ++ if (strscpy(name, mwt->u.name, sizeof(name)) < 0) ++ return -EINVAL; + + if (state->buf_kern_start) + dst = state->buf_kern_start + state->buf_kern_offset; diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..6fea996f6fc --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,6 @@ +xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch +netfilter-ebtables-handle-string-from-userspace-with-care.patch +ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch +atm-zatm-fix-memcmp-casting.patch +net-qmi_wwan-add-netgear-aircard-779s.patch +net-sonic-use-dma_mapping_error.patch diff --git a/queue-4.4/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch b/queue-4.4/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch new file mode 100644 index 00000000000..7118d66808f --- /dev/null +++ b/queue-4.4/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch @@ -0,0 +1,97 @@ +From foo@baz Sun Jun 17 13:05:08 CEST 2018 +From: Eric Dumazet +Date: Sat, 12 May 2018 02:49:30 -0700 +Subject: xfrm6: avoid potential infinite loop in _decode_session6() + +From: Eric Dumazet + +[ Upstream commit d9f92772e8ec388d070752ee8f187ef8fa18621f ] + +syzbot found a way to trigger an infinitie loop by overflowing +@offset variable that has been forced to use u16 for some very +obscure reason in the past. + +We probably want to look at NEXTHDR_FRAGMENT handling which looks +wrong, in a separate patch. + +In net-next, we shall try to use skb_header_pointer() instead of +pskb_may_pull(). + +watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553] +Modules linked in: +irq event stamp: 13885653 +hardirqs last enabled at (13885652): [] restore_regs_and_return_to_kernel+0x0/0x2b +hardirqs last disabled at (13885653): [] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625 +softirqs last enabled at (13614028): [] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline] +softirqs last enabled at (13614028): [] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825 +softirqs last disabled at (13614032): [] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942 +CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline] +RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101 +RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 +RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006 +RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277 +RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8 +R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f +R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8 +FS: 0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150 + __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368 + xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline] + icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372 + icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551 + icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43 + ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305 + NF_HOOK include/linux/netfilter.h:288 [inline] + ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327 + dst_input include/net/dst.h:450 [inline] + ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71 + NF_HOOK include/linux/netfilter.h:288 [inline] + ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208 + __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711 + netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785 + napi_frags_finish net/core/dev.c:5226 [inline] + napi_gro_frags+0x631/0xc40 net/core/dev.c:5299 + tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951 + tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996 + call_write_iter include/linux/fs.h:1784 [inline] + do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680 + do_iter_write+0x185/0x5f0 fs/read_write.c:959 + vfs_writev+0x1c7/0x330 fs/read_write.c:1004 + do_writev+0x112/0x2f0 fs/read_write.c:1039 + __do_sys_writev fs/read_write.c:1112 [inline] + __se_sys_writev fs/read_write.c:1109 [inline] + __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109 + do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Cc: Steffen Klassert +Cc: Nicolas Dichtel +Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/xfrm6_policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/xfrm6_policy.c ++++ b/net/ipv6/xfrm6_policy.c +@@ -121,7 +121,7 @@ _decode_session6(struct sk_buff *skb, st + struct flowi6 *fl6 = &fl->u.ip6; + int onlyproto = 0; + const struct ipv6hdr *hdr = ipv6_hdr(skb); +- u16 offset = sizeof(*hdr); ++ u32 offset = sizeof(*hdr); + struct ipv6_opt_hdr *exthdr; + const unsigned char *nh = skb_network_header(skb); + u16 nhoff = IP6CB(skb)->nhoff;