From: David Lebrun
To: netdev@vger.kernel.org
Cc: David Lebrun, David Lebrun
Subject: [PATCH net] ipv6: sr: fix NULL pointer dereference when setting encap source address
Date: Tue, 20 Mar 2018 14:44:56 +0000
Message-Id: <20180320144456.223556-2-dav.lebrun@gmail.com>
X-Patchwork-Id: 888250

From: David Lebrun

When using seg6 in encap mode, we call ipv6_dev_get_saddr() to set the
source address of the outer IPv6 header, in case none was specified. Using
skb->dev can lead to BUG() when it is in an inconsistent state. This patch
uses the net_device attached to the skb's dst instead.

[940807.667429] BUG: unable to handle kernel NULL pointer dereference at 000000000000047c
[940807.762427] IP: ipv6_dev_get_saddr+0x8b/0x1d0
[940807.815725] PGD 0 P4D 0
[940807.847173] Oops: 0000 [#1] SMP PTI
[940807.890073] Modules linked in:
[940807.927765] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G W 4.16.0-rc1-seg6bpf+ #2
[940808.028988] Hardware name: HP ProLiant DL120 G6/ProLiant DL120 G6, BIOS O26 09/06/2010
[940808.128128] RIP: 0010:ipv6_dev_get_saddr+0x8b/0x1d0
[940808.187667] RSP: 0018:ffff88043fd836b0 EFLAGS: 00010206
[940808.251366] RAX: 0000000000000005 RBX: ffff88042cb1c860 RCX: 00000000000000fe
[940808.338025] RDX: 00000000000002c0 RSI: ffff88042cb1c860 RDI: 0000000000004500
[940808.424683] RBP: ffff88043fd83740 R08: 0000000000000000 R09: ffffffffffffffff
[940808.511342] R10: 0000000000000040 R11: 0000000000000000 R12: ffff88042cb1c850
[940808.598012] R13: ffffffff8208e380 R14: ffff88042ac8da00 R15: 0000000000000002
[940808.684675] FS: 0000000000000000(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
[940808.783036] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[940808.852975] CR2: 000000000000047c CR3: 00000004255fe000 CR4: 00000000000006e0
[940808.939634] Call Trace:
[940808.970041]
[940808.995250] ? ip6t_do_table+0x265/0x640
[940809.043341] seg6_do_srh_encap+0x28f/0x300
[940809.093516] ? seg6_do_srh+0x1a0/0x210
[940809.139528] seg6_do_srh+0x1a0/0x210
[940809.183462] seg6_output+0x28/0x1e0
[940809.226358] lwtunnel_output+0x3f/0x70
[940809.272370] ip6_xmit+0x2b8/0x530
[940809.313185] ?
ac6_proc_exit+0x20/0x20 [940809.359197] inet6_csk_xmit+0x7d/0xc0 [940809.404173] tcp_transmit_skb+0x548/0x9a0 [940809.453304] __tcp_retransmit_skb+0x1a8/0x7a0 [940809.506603] ? ip6_default_advmss+0x40/0x40 [940809.557824] ? tcp_current_mss+0x24/0x90 [940809.605925] tcp_retransmit_skb+0xd/0x80 [940809.654016] tcp_xmit_retransmit_queue.part.17+0xf9/0x210 [940809.719797] tcp_ack+0xa47/0x1110 [940809.760612] tcp_rcv_established+0x13c/0x570 [940809.812865] tcp_v6_do_rcv+0x151/0x3d0 [940809.858879] tcp_v6_rcv+0xa5c/0xb10 [940809.901770] ? seg6_output+0xdd/0x1e0 [940809.946745] ip6_input_finish+0xbb/0x460 [940809.994837] ip6_input+0x74/0x80 [940810.034612] ? ip6_rcv_finish+0xb0/0xb0 [940810.081663] ipv6_rcv+0x31c/0x4c0 ... Fixes: 6c8702c60b886 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") Reported-by: Tom Herbert Signed-off-by: David Lebrun --- net/ipv6/seg6_iptunnel.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c index 8367b859a934..7a78dcfda68a 100644 --- a/net/ipv6/seg6_iptunnel.c +++ b/net/ipv6/seg6_iptunnel.c @@ -93,7 +93,8 @@ static void set_tun_src(struct net *net, struct net_device *dev, /* encapsulate an IPv6 packet within an outer IPv6 header with a given SRH */ int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto) { - struct net *net = dev_net(skb_dst(skb)->dev); + struct dst_entry *dst = skb_dst(skb); + struct net *net = dev_net(dst->dev); struct ipv6hdr *hdr, *inner_hdr; struct ipv6_sr_hdr *isrh; int hdrlen, tot_len, err; @@ -134,7 +135,7 @@ int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto) isrh->nexthdr = proto; hdr->daddr = isrh->segments[isrh->first_segment]; - set_tun_src(net, skb->dev, &hdr->daddr, &hdr->saddr); + set_tun_src(net, ip6_dst_idev(dst)->dev, &hdr->daddr, &hdr->saddr); #ifdef CONFIG_IPV6_SEG6_HMAC if (sr_has_hmac(isrh)) {
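Review bot: In the first hunk (@@ -93,7 +93,8), `dst` is dereferenced in the very next declaration (`dev_net(dst->dev)`) with no check that `skb_dst(skb)` returned a non-NULL entry. The removed line made the same assumption, so this is not a regression, but `dst` is now a named local that the second hunk also relies on. A one-line comment stating that callers guarantee a dst is attached to the skb, or an early error return when it is missing, would make the precondition explicit in a function whose bug report is a NULL pointer dereference.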
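Review bot: In the second hunk (@@ -134,7 +135,7), `ip6_dst_idev(dst)->dev` dereferences the returned inet6_dev without a NULL check, and `ip6_dst_idev()` is only valid when `dst` is an IPv6 route entry, which the visible code does not establish (the function takes a `proto` argument for the inner packet). Since the first hunk already trusts `dst->dev` to derive `net`, passing `dst->dev` to `set_tun_src()` would avoid both the extra pointer hop and the dst-type assumption. If the idev's device is really what is wanted, please say in the commit message how it differs from `dst->dev` here and which "inconsistent state" of `skb->dev` triggers the oops.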