kernel_optimize_test/net/ipv4
Nikolay Aleksandrov b70ff391de net: nexthop: fix null pointer dereference when IPv6 is not enabled
commit 1c743127cc54b112b155f434756bd4b5fa565a99 upstream.

When we try to add an IPv6 nexthop and IPv6 is not enabled
(!CONFIG_IPV6) we'll hit a NULL pointer dereference[1] in the error path
of nh_create_ipv6() due to calling ipv6_stub->fib6_nh_release. The bug
has been present since the beginning of IPv6 nexthop gateway support.
Commit 1aefd3de7b ("ipv6: Add fib6_nh_init and release to stubs") tells
us that only fib6_nh_init has a dummy stub because fib6_nh_release should
not be called if fib6_nh_init returns an error, but the commit below added
a call to ipv6_stub->fib6_nh_release in its error path. To fix it return
the dummy stub's -EAFNOSUPPORT error directly without calling
ipv6_stub->fib6_nh_release in nh_create_ipv6()'s error path.

[1]
 Output is a bit truncated, but it clearly shows the error.
 BUG: kernel NULL pointer dereference, address: 0000000000000000
 #PF: supervisor instruction fetch in kernel mode
 #PF: error_code(0x0010) - not-present page
 PGD 0 P4D 0
 Oops: 0010 [#1] PREEMPT SMP NOPTI
 CPU: 4 PID: 638 Comm: ip Kdump: loaded Not tainted 5.16.0-rc1+ #446
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014
 RIP: 0010:0x0
 Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
 RSP: 0018:ffff888109f5b8f0 EFLAGS: 00010286
 RAX: 0000000000000000 RBX: ffff888109f5ba28 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881008a2860
 RBP: ffff888109f5b9d8 R08: 0000000000000000 R09: 0000000000000000
 R10: ffff888109f5b978 R11: ffff888109f5b948 R12: 00000000ffffff9f
 R13: ffff8881008a2a80 R14: ffff8881008a2860 R15: ffff8881008a2840
 FS:  00007f98de70f100(0000) GS:ffff88822bf00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffffffffffffffd6 CR3: 0000000100efc000 CR4: 00000000000006e0
 Call Trace:
  <TASK>
  nh_create_ipv6+0xed/0x10c
  rtm_new_nexthop+0x6d7/0x13f3
  ? check_preemption_disabled+0x3d/0xf2
  ? lock_is_held_type+0xbe/0xfd
  rtnetlink_rcv_msg+0x23f/0x26a
  ? check_preemption_disabled+0x3d/0xf2
  ? rtnl_calcit.isra.0+0x147/0x147
  netlink_rcv_skb+0x61/0xb2
  netlink_unicast+0x100/0x187
  netlink_sendmsg+0x37f/0x3a0
  ? netlink_unicast+0x187/0x187
  sock_sendmsg_nosec+0x67/0x9b
  ____sys_sendmsg+0x19d/0x1f9
  ? copy_msghdr_from_user+0x4c/0x5e
  ? rcu_read_lock_any_held+0x2a/0x78
  ___sys_sendmsg+0x6c/0x8c
  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
  ? lockdep_hardirqs_on+0xd9/0x102
  ? sockfd_lookup_light+0x69/0x99
  __sys_sendmsg+0x50/0x6e
  do_syscall_64+0xcb/0xf2
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f98dea28914
 Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53
 RSP: 002b:00007fff859f5e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00000000619cb810 RCX: 00007f98dea28914
 RDX: 0000000000000000 RSI: 00007fff859f5ed0 RDI: 0000000000000003
 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000008
 R10: fffffffffffffce6 R11: 0000000000000246 R12: 0000000000000001
 R13: 000055c0097ae520 R14: 000055c0097957fd R15: 00007fff859f63a0
 </TASK>
 Modules linked in: bridge stp llc bonding virtio_net

Cc: stable@vger.kernel.org
Fixes: 53010f991a ("nexthop: Add support for IPv6 gateways")
Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-01 09:18:59 +01:00
bpfilter
netfilter netfilter: arp_tables: add pre_exit hook for table unregister 2021-04-21 13:00:56 +02:00
af_inet.c inet: annotate data race in inet_send_prepare() and inet_dgram_connect() 2021-06-30 08:47:20 -04:00
ah4.c xfrm: Use actual socket sk instead of skb socket for xfrm_output_resume 2021-04-14 08:42:05 +02:00
arp.c net: Exempt multicast addresses from five-second neighbor lifetime 2020-11-13 14:24:39 -08:00
bpf_tcp_ca.c
cipso_ipv4.c net: ipv4: fix memory leak in netlbl_cipsov4_add_std 2021-06-23 14:42:41 +02:00
datagram.c
devinet.c net: ipv4: Remove unneed BUG() function 2021-06-30 08:47:20 -04:00
esp4_offload.c xfrm: Provide private skb extensions for segmented and hw offloaded ESP packets 2021-04-14 08:42:07 +02:00
esp4.c xfrm: xfrm_state_mtu should return at least 1280 for ipv6 2021-07-14 16:56:14 +02:00
fib_frontend.c net/ipv4: swap flow ports when validating source 2021-07-14 16:56:25 +02:00
fib_lookup.h
fib_notifier.c
fib_rules.c
fib_semantics.c net: ipv4: Fix rtnexthop len when RTA_FLOW is present 2021-10-06 15:55:53 +02:00
fib_trie.c
fou.c
gre_demux.c erspan: fix version 1 check in gre_parse_header() 2021-01-12 20:18:12 +01:00
gre_offload.c
icmp.c icmp: don't send out ICMP messages with a source address of 0.0.0.0 2021-06-23 14:42:47 +02:00
igmp.c igmp: Add ip_mc_list lock in ip_check_mc_rcu 2021-09-12 08:58:26 +02:00
inet_connection_sock.c tcp: switch orphan_count to bare per-cpu counters 2021-11-18 14:04:08 +01:00
inet_diag.c inet_diag: Fix error path to cancel the message in inet_req_diag_fill() 2020-11-17 16:08:36 -08:00
inet_fragment.c
inet_hashtables.c tcp: switch orphan_count to bare per-cpu counters 2021-11-18 14:04:08 +01:00
inet_timewait_sock.c
inetpeer.c
ip_forward.c
ip_fragment.c
ip_gre.c ip_gre: validate csum_start only on pull 2021-09-22 12:28:05 +02:00
ip_input.c
ip_options.c
ip_output.c ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs() 2021-09-18 13:40:22 +02:00
ip_sockglue.c
ip_tunnel_core.c
ip_tunnel.c net: Set true network header for ECN decapsulation 2021-08-04 12:46:42 +02:00
ip_vti.c net: always use icmp{,v6}_ndo_send from ndo_start_xmit 2021-03-17 17:06:12 +01:00
ipcomp.c
ipconfig.c net: ipconfig: Don't override command-line hostnames or domains 2021-06-18 10:00:05 +02:00
ipip.c
ipmr_base.c
ipmr.c
Kconfig
Makefile
metrics.c
netfilter.c
netlink.c
nexthop.c net: nexthop: fix null pointer dereference when IPv6 is not enabled 2021-12-01 09:18:59 +01:00
ping.c ping: Check return value of function 'ping_queue_rcv_skb' 2021-06-30 08:47:20 -04:00
proc.c tcp: switch orphan_count to bare per-cpu counters 2021-11-18 14:04:08 +01:00
protocol.c
raw_diag.c
raw.c
route.c ipv4: fix endianness issue in inet_rtm_getroute_build_skb() 2021-09-15 09:50:46 +02:00
syncookies.c net: Update window_clamp if SOCK_RCVBUF is set 2020-11-10 17:42:35 -08:00
sysctl_net_ipv4.c net: Make tcp_allowed_congestion_control readonly in non-init netns 2021-04-21 13:00:57 +02:00
tcp_bbr.c tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets 2021-08-18 08:59:13 +02:00
tcp_bic.c
tcp_bpf.c bpf, sockmap: Remove unhash handler for BPF sockmap usage 2021-11-18 14:04:27 +01:00
tcp_cdg.c
tcp_cong.c net: Only allow init netns to set default tcp cong to a restricted algo 2021-05-14 09:50:46 +02:00
tcp_cubic.c
tcp_dctcp.c
tcp_dctcp.h
tcp_diag.c
tcp_fastopen.c tcp: enable data-less, empty-cookie SYN with TFO_SERVER_COOKIE_NOT_REQD 2021-09-18 13:40:29 +02:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: fix tp->undo_retrans accounting in tcp_sacktag_one() 2021-09-22 12:27:58 +02:00
tcp_ipv4.c tcp: md5: Fix overlap between vrf and non-vrf keys 2021-10-27 09:56:48 +02:00
tcp_lp.c
tcp_metrics.c
tcp_minisocks.c tcp: relookup sock for RST+ACK packets handled by obsolete req sock 2021-03-30 14:31:59 +02:00
tcp_nv.c
tcp_offload.c net, gro: Set inner transport header offset in tcp/udp GRO hook 2021-08-12 13:22:05 +02:00
tcp_output.c ipv6: tcp: drop silly ICMPv6 packet too big messages 2021-07-25 14:36:21 +02:00
tcp_rate.c
tcp_recovery.c tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN 2021-02-03 23:28:52 +01:00
tcp_scalable.c
tcp_timer.c tcp: make TCP_USER_TIMEOUT accurate for zero window probes 2021-02-03 23:28:51 +01:00
tcp_ulp.c
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tcp.c tcp: Fix uninitialized access in skb frags array for Rx 0cp. 2021-11-26 10:39:14 +01:00
tunnel4.c
udp_bpf.c bpf, sockmap, udp: sk_prot needs inuse_idx set for proc stats 2021-07-28 14:35:37 +02:00
udp_diag.c
udp_impl.h
udp_offload.c net, gro: Set inner transport header offset in tcp/udp GRO hook 2021-08-12 13:22:05 +02:00
udp_tunnel_core.c
udp_tunnel_nic.c udp_tunnel: Fix udp_tunnel_nic work-queue type 2021-09-22 12:27:58 +02:00
udp_tunnel_stub.c
udp.c net: prefer socket bound to interface when not in VRF 2021-10-13 10:04:29 +02:00
udplite.c
xfrm4_input.c
xfrm4_output.c
xfrm4_policy.c
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c