github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-08 14:42:37 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
ab49c23668
linux/include/net
History
Eric Dumazet 45b7fca32b tcp: make sure treq->af_specific is initialized 
[ Upstream commit ba5a4fdd63 ]

syzbot complained about a recent change in TCP stack,
hitting a NULL pointer [1]

tcp request sockets have an af_specific pointer, which
was used before the blamed change only for SYNACK generation
in non SYNCOOKIE mode.

tcp requests sockets momentarily created when third packet
coming from client in SYNCOOKIE mode were not using
treq->af_specific.

Make sure this field is populated, in the same way normal
TCP requests sockets do in tcp_conn_request().

[1]
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 3695 Comm: syz-executor864 Not tainted 5.18.0-rc3-syzkaller-00224-g5fd1fe4807f9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tcp_create_openreq_child+0xe16/0x16b0 net/ipv4/tcp_minisocks.c:534
Code: 48 c1 ea 03 80 3c 02 00 0f 85 e5 07 00 00 4c 8b b3 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7e 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 c9 07 00 00 48 8b 3c 24 48 89 de 41 ff 56 08 48
RSP: 0018:ffffc90000de0588 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888076490330 RCX: 0000000000000100
RDX: 0000000000000001 RSI: ffffffff87d67ff0 RDI: 0000000000000008
RBP: ffff88806ee1c7f8 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff87d67f00 R11: 0000000000000000 R12: ffff88806ee1bfc0
R13: ffff88801b0e0368 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f517fe58700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffcead76960 CR3: 000000006f97b000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 tcp_v6_syn_recv_sock+0x199/0x23b0 net/ipv6/tcp_ipv6.c:1267
 tcp_get_cookie_sock+0xc9/0x850 net/ipv4/syncookies.c:207
 cookie_v6_check+0x15c3/0x2340 net/ipv6/syncookies.c:258
 tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:1131 [inline]
 tcp_v6_do_rcv+0x1148/0x13b0 net/ipv6/tcp_ipv6.c:1486
 tcp_v6_rcv+0x3305/0x3840 net/ipv6/tcp_ipv6.c:1725
 ip6_protocol_deliver_rcu+0x2e9/0x1900 net/ipv6/ip6_input.c:422
 ip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:464
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:473
 dst_input include/net/dst.h:461 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ipv6_rcv+0x27f/0x3b0 net/ipv6/ip6_input.c:297
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5405
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5519
 process_backlog+0x3a0/0x7c0 net/core/dev.c:5847
 __napi_poll+0xb3/0x6e0 net/core/dev.c:6413
 napi_poll net/core/dev.c:6480 [inline]
 net_rx_action+0x8ec/0xc60 net/core/dev.c:6567
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097

Fixes: 5b0b9e4c2c ("tcp: md5: incorrect tcp_header_len for incoming connections")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-05-09 09:14:37 +02:00
..
9p 9p: apply review requests for fid refcounting 2020-11-19 17:21:34 +01:00
bluetooth Bluetooth: Fix not checking for valid hdev on bt_dev_{info,warn,err,dbg} 2022-04-13 20:59:08 +02:00
caif net: remove the caif_hsi driver 2021-07-01 13:19:48 -07:00
iucv net/af_iucv: don't track individual TX skbs for TRANS_HIPER sockets 2021-01-28 20:36:21 -08:00
netfilter netfilter: conntrack: avoid useless indirection during conntrack destruction 2022-04-27 14:39:01 +02:00
netns ipv6: make ip6_rt_gc_expire an atomic_t 2022-04-27 14:38:54 +02:00
nfc NFC: add NCI_UNREG flag to eliminate the race 2021-11-25 09:48:40 +01:00
phonet
sctp sctp: hold endpoint before calling cb in sctp_transport_lookup_process 2022-01-11 15:35:14 +01:00
tc_act net/sched: act_vlan: Fix modify to allow 0 2021-06-01 16:54:42 -07:00
6lowpan.h
act_api.h net_sched: refactor TC action init API 2021-08-02 10:24:38 +01:00
addrconf.h ipv6: mcast: use rcu-safe version of ipv6_get_lladdr() 2022-02-23 12:03:10 +01:00
af_ieee802154.h
af_rxrpc.h afs: Don't truncate iter during data fetch 2021-04-23 10:17:26 +01:00
af_unix.h af_unix: Add unix_stream_proto for sockmap 2021-08-16 18:43:39 -07:00
af_vsock.h vsock: each transport cycles only on its own sockets 2022-03-23 09:16:41 +01:00
ah.h
arp.h ipv4: Invalidate neighbour for broadcast address upon address addition 2022-04-13 20:59:05 +02:00
atmclip.h
ax25.h ax25: fix reference count leaks of ax25_dev 2022-04-20 09:34:22 +02:00
ax88796.h ax88796: export ax_NS8390_init() hook 2021-08-03 13:05:25 +01:00
bareudp.h bareudp: Reverted support to enable & disable rx metadata collection 2020-07-21 18:30:47 -07:00
bond_3ad.h bonding: fix data-races around agg_select_timer 2022-02-23 12:03:12 +01:00
bond_alb.h bonding: make tx_rebalance_counter an atomic 2021-12-14 10:57:09 +01:00
bond_options.h bonding: add new option lacp_active 2021-08-03 11:50:22 +01:00
bonding.h bonding: remove extraneous definitions from bonding.h 2021-08-11 14:57:31 -07:00
bpf_sk_storage.h bpf: struct sock is declared twice in bpf_sk_storage header 2021-03-26 17:43:55 +01:00
busy_poll.h net: annotate data race around sk_ll_usec 2021-07-01 11:23:50 -07:00
calipso.h
cfg80211-wext.h
cfg80211.h cfg80211: fix management registrations locking 2021-10-25 15:20:22 +02:00
cfg802154.h
checksum.h net: Force inlining of checksum functions in net/checksum.h 2022-03-02 11:47:58 +01:00
cipso_ipv4.h cipso: Remove unused inline functions 2020-07-15 07:45:24 -07:00
cls_cgroup.h
codel_impl.h
codel_qdisc.h
codel.h
compat.h net/ipv4/ipv6: Replace one-element arraya with flexible-array members 2021-08-05 11:46:42 +01:00
datalink.h
dcbevent.h
dcbnl.h
devlink.h devlink: Use xarray to store devlink instances 2021-08-14 13:59:10 +01:00
dn_dev.h
dn_fib.h net: convert fib_treeref from int to refcount_t 2021-07-30 15:33:24 +02:00
dn_neigh.h
dn_nsp.h
dn_route.h
dn.h
dsa.h Revert "net: dsa: mv88e6xxx: flush switchdev FDB workqueue before removing VLAN" 2022-03-16 14:23:47 +01:00
dsfield.h
dst_cache.h wireguard: device: reset peer src endpoint when netns exits 2021-12-08 09:04:46 +01:00
dst_metadata.h net: fix a memleak when uncloning an skb dst and its metadata 2022-02-16 12:56:30 +01:00
dst_ops.h net/dst: use a smaller percpu_counter batch for dst entries accounting 2020-05-08 21:33:33 -07:00
dst.h sk_buff: track dst status in slow_gro 2021-07-29 12:18:11 +01:00
erspan.h
esp.h esp: limit skb_page_frag_refill use to a single page 2022-04-27 14:38:52 +02:00
espintcp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h ipv6: fix memory leak in fib6_rule_suppress 2021-12-08 09:04:43 +01:00
firewire.h
flow_dissector.h net/sched: flower: fix parsing of ethertype following VLAN header 2022-04-20 09:34:09 +02:00
flow_offload.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-08-19 18:09:18 -07:00
flow.h flow: fix object-size-mismatch warning in flowi{4,6}_to_flowi_common() 2021-09-02 11:44:19 +01:00
fou.h
fq_impl.h net/fq_impl: do not maintain a backlog-sorted list of flows 2021-01-21 13:33:45 +01:00
fq.h net/fq_impl: do not maintain a backlog-sorted list of flows 2021-01-21 13:33:45 +01:00
garp.h
gen_stats.h
genetlink.h mptcp: avoid lock_fast usage in accept path 2021-02-12 16:31:46 -08:00
geneve.h
gre.h ip_gre: add csum offload support for gre header 2021-01-29 20:39:14 -08:00
gro_cells.h
gro.h gro: add combined call_gro_receive() + INDIRECT_CALL_INET() helper 2021-03-18 19:51:12 -07:00
gtp.h
gue.h GUE: Fix a typo 2020-06-22 21:12:44 -07:00
hwbm.h
icmp.h ipv6: ICMPV6: add response to ICMPV6 RFC 8335 PROBE messages 2021-06-28 14:29:45 -07:00
ieee80211_radiotap.h mac80211: Use flex-array for radiotap header bitmap 2021-08-13 09:58:25 +02:00
ieee802154_netdev.h
if_inet6.h ipv6: add IFLA_INET6_RA_MTU to expose mtu value 2021-08-27 17:29:18 -07:00
ife.h
ila.h
inet_common.h bpf: Allow rewriting to ports under ip_unprivileged_port_start 2021-01-27 18:18:15 -08:00
inet_connection_sock.h tcp: switch orphan_count to bare per-cpu counters 2021-11-18 19:16:33 +01:00
inet_ecn.h inet_ecn: Use csum16_add() helper for IP_ECN_set_* helpers 2020-12-14 18:38:58 -08:00
inet_frag.h inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 11:05:35 +01:00
inet_hashtables.h tcp: seq_file: Replace listening_hash with lhash2 2021-07-23 16:44:57 -07:00
inet_sock.h tcp: move inet->rx_dst_ifindex to sk->sk_rx_dst_ifindex 2021-12-29 12:28:42 +01:00
inet_timewait_sock.h
inet6_connection_sock.h
inet6_hashtables.h
inetpeer.h
ioam6.h ipv6: ioam: Support for IOAM injection with lwtunnels 2021-07-21 08:14:33 -07:00
ip_fib.h ipv4: convert fib_num_tclassid_users to atomic_t 2021-12-08 09:04:49 +01:00
ip_tunnels.h ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode 2022-05-09 09:14:36 +02:00
ip_vs.h netfilter: move handlers to net/ip_vs.h 2021-02-04 18:37:57 -08:00
ip.h ipv4: avoid using shared IP generator for connected sockets 2022-02-01 17:27:08 +01:00
ip6_checksum.h tcp: remove indirect calls for icsk->icsk_af_ops->send_check 2020-06-20 17:47:53 -07:00
ip6_fib.h ipv6: fix data-race in fib6_info_hw_flags_set / fib6_purge_rt 2022-02-23 12:03:10 +01:00
ip6_route.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-08-05 15:08:47 -07:00
ip6_tunnel.h ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode 2022-05-09 09:14:36 +02:00
ipcomp.h
ipconfig.h
ipv6_frag.h inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 11:05:35 +01:00
ipv6_stubs.h net: ipv6: add fib6_nh_release_dsts stub 2021-12-01 09:04:49 +01:00
ipv6.h ipv6: per-netns exclusive flowlabel checks 2022-02-23 12:03:10 +01:00
iw_handler.h
kcm.h
l3mdev.h l3mdev: add infrastructure for table to VRF mapping 2020-06-20 17:22:22 -07:00
lag.h
lapb.h net: lapb: Make "lapb_t1timer_running" able to detect an already running timer 2021-03-23 14:14:50 -07:00
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h net: llc: fix skb_over_panic 2021-07-27 13:05:56 +01:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h llc: fix out-of-bound array index in llc_sk_dev_hash() 2021-11-18 19:17:10 +01:00
lwtunnel.h netfilter: add netfilter hooks to SRv6 data plane 2021-08-30 01:51:36 +02:00
mac80211.h mac80211: Fix Ptk0 rekey documentation 2021-09-27 12:02:54 +02:00
mac802154.h
macsec.h net: macsec: fix the length used to copy the key for offloading 2021-06-24 12:41:12 -07:00
mctp.h mctp: unify sockaddr_mctp types 2021-10-18 13:47:09 +01:00
mctpdevice.h mctp: Remove the repeated declaration 2021-08-25 11:23:14 +01:00
mip6.h
mld.h mld: add new workqueues for process mld events 2021-03-26 15:14:56 -07:00
mpls_iptunnel.h
mpls.h net: Make mpls_entry_encode() available for generic users 2020-05-29 21:20:20 -07:00
mptcp.h mptcp: fix corrupt receiver key in MPC + data + checksum 2021-10-28 08:19:06 -07:00
mrp.h
ncsi.h
ndisc.h ipv6: fix skb drops in igmp6_event_query() and igmp6_event_report() 2022-03-08 19:12:33 +01:00
neighbour.h net, neigh: Enable state migration between NUD_PERMANENT and NTF_USE 2021-11-18 19:17:16 +01:00
net_failover.h
net_namespace.h net: initialize init_net earlier 2022-04-13 20:59:03 +02:00
net_ratelimit.h
netevent.h
netlabel.h
netlink.h net: netlink: add the case when nlh is NULL 2021-07-27 11:43:50 +01:00
netprio_cgroup.h
netrom.h
nexthop.h net: ipv4: Fix rtnexthop len when RTA_FLOW is present 2021-09-24 14:07:10 +01:00
nl802154.h net: ieee802154: handle iftypes as u32 2021-12-01 09:04:46 +01:00
nsh.h
p8022.h
page_pool.h page_pool: add frag page recycling support in page pool 2021-08-09 15:49:00 -07:00
pie.h
ping.h
pkt_cls.h sch_htb: Fix inconsistency when leaf qdisc creation fails 2021-08-30 16:33:59 -07:00
pkt_sched.h net: openvswitch: Fix ct_state nat flags for conns arriving from tc 2022-01-27 11:04:02 +01:00
pptp.h
protocol.h net: Remove the member netns_ok 2021-05-17 15:29:35 -07:00
psample.h psample: Add a fwd declaration for skbuff 2021-08-09 15:34:21 -07:00
psnap.h
raw.h
rawv6.h
red.h sch_red: fix off-by-one checks in red_check_params() 2021-03-25 17:40:43 -07:00
regulatory.h net/wireless: regulatory.h: drop duplicate word in comment 2020-07-31 09:24:23 +02:00
request_sock.h tcp: bpf: Optionally store mac header in TCP_SAVE_SYN 2020-08-24 14:35:00 -07:00
rose.h
route.h ipv4: remove sparse error in ip_neigh_gw4() 2022-02-01 17:27:14 +01:00
rpl.h net: ipv6: Use struct_size() helper and kcalloc() 2020-06-23 20:27:09 -07:00
rsi_91x.h
rtnetlink.h net: add extack arg for link ops 2021-08-04 10:01:26 +01:00
rtnh.h
sch_generic.h net_sched: restore "mpu xxx" handling 2022-01-27 11:05:40 +01:00
scm.h fs: Move __scm_install_fd() to __receive_fd() 2020-07-13 11:03:44 -07:00
secure_seq.h
seg6_hmac.h
seg6_local.h
seg6.h udp6: Use Segment Routing Header for dest address if present 2022-01-27 11:05:05 +01:00
selftests.h net: selftest: fix build issue if INET is disabled 2021-04-28 14:06:45 -07:00
slhc_vj.h
smc.h net/smc: introduce CHID callback for ISM devices 2020-09-28 15:19:03 -07:00
snmp.h
sock_reuseport.h tcp: Add reuseport_migrate_sock() to select a new listener. 2021-06-15 18:01:05 +02:00
sock.h net-timestamp: convert sk->sk_tskey to atomic_t 2022-03-02 11:48:01 +01:00
Space.h wan: remove sbni/granch driver 2021-08-03 13:05:26 +01:00
stp.h
strparser.h bpf, sockmap: sk_skb data_end access incorrect when src_reg = dst_reg 2021-11-18 19:17:11 +01:00
switchdev.h net: make switchdev_bridge_port_{,unoffload} loosely coupled with the bridge 2021-08-04 12:35:07 +01:00
tcp_states.h
tcp.h tcp: make sure treq->af_specific is initialized 2022-05-09 09:14:37 +02:00
timewait_sock.h
tipc.h
tls_toe.h
tls.h net/tls: Fix flipped sign in tls_err_abort() calls 2021-10-28 14:41:20 +01:00
transp_v6.h tcp: move ipv4_specific to tcp include file 2020-06-23 20:10:15 -07:00
tso.h net: tso: cache transport header length 2020-06-18 20:46:23 -07:00
tun_proto.h
udp_tunnel.h udp: call udp_encap_enable for v6 sockets when enabling encap 2021-02-04 18:37:14 -08:00
udp.h net: multicast: calculate csum of looped-back and forwarded packets 2021-10-26 13:09:22 +01:00
udplite.h
vsock_addr.h
vxlan.h net: sched: only keep the available bits when setting vxlan md->gbp 2020-09-14 16:49:39 -07:00
wext.h
x25.h
x25device.h
xdp_priv.h
xdp_sock_drv.h xsk: Introduce batched Tx descriptor interfaces 2020-11-17 22:07:40 +01:00
xdp_sock.h xdp: Add proper __rcu annotations to redirect map entries 2021-06-24 19:41:15 +02:00
xdp.h bpf: Add function for XDP meta data length check 2021-07-07 19:51:12 -07:00
xfrm.h xfrm: Check if_id in xfrm_migrate 2022-03-19 13:47:46 +01:00
xsk_buff_pool.h xsk: Fix missing validation for skb and unaligned mode 2021-06-18 16:57:19 +02:00