Mike Maloney 749439bfac ipv6: fix udpv6 sendmsg crash caused by too small MTU ... The logic in __ip6_append_data() assumes that the MTU is at least large enough for the headers. A device's MTU may be adjusted after being added while sendmsg() is processing data, resulting in __ip6_append_data() seeing any MTU. For an mtu smaller than the size of the fragmentation header, the math results in a negative 'maxfraglen', which causes problems when refragmenting any previous skb in the skb_write_queue, leaving it possibly malformed. Instead sendmsg returns EINVAL when the mtu is calculated to be less than IPV6_MIN_MTU. Found by syzkaller: kernel BUG at ./include/linux/skbuff.h:2064! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 14216 Comm: syz-executor5 Not tainted 4.13.0-rc4+ #2 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801d0b68580 task.stack: ffff8801ac6b8000 RIP: 0010:__skb_pull include/linux/skbuff.h:2064 [inline] RIP: 0010:__ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: 0018:ffff8801ac6bf570 EFLAGS: 00010216 RAX: 0000000000010000 RBX: 0000000000000028 RCX: ffffc90003cce000 RDX: 00000000000001b8 RSI: ffffffff839df06f RDI: ffff8801d9478ca0 RBP: ffff8801ac6bf780 R08: ffff8801cc3f1dbc R09: 0000000000000000 R10: ffff8801ac6bf7a0 R11: 43cb4b7b1948a9e7 R12: ffff8801cc3f1dc8 R13: ffff8801cc3f1d40 R14: 0000000000001036 R15: dffffc0000000000 FS: 00007f43d740c700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7834984000 CR3: 00000001d79b9000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ip6_finish_skb include/net/ipv6.h:911 [inline] udp_v6_push_pending_frames+0x255/0x390 net/ipv6/udp.c:1093 udpv6_sendmsg+0x280d/0x31a0 net/ipv6/udp.c:1363 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xca/0x110 net/socket.c:643 SYSC_sendto+0x352/0x5a0 net/socket.c:1750 SyS_sendto+0x40/0x50 net/socket.c:1718 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x4512e9 RSP: 002b:00007f43d740bc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000007180a8 RCX: 00000000004512e9 RDX: 000000000000002e RSI: 0000000020d08000 RDI: 0000000000000005 RBP: 0000000000000086 R08: 00000000209c1000 R09: 000000000000001c R10: 0000000000040800 R11: 0000000000000216 R12: 00000000004b9c69 R13: 00000000ffffffff R14: 0000000000000005 R15: 00000000202c2000 Code: 9e 01 fe e9 c5 e8 ff ff e8 7f 9e 01 fe e9 4a ea ff ff 48 89 f7 e8 52 9e 01 fe e9 aa eb ff ff e8 a8 b6 cf fd 0f 0b e8 a1 b6 cf fd <0f> 0b 49 8d 45 78 4d 8d 45 7c 48 89 85 78 fe ff ff 49 8d 85 ba RIP: __skb_pull include/linux/skbuff.h:2064 [inline] RSP: ffff8801ac6bf570 RIP: __ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: ffff8801ac6bf570 Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Mike Maloney <maloney@google.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>		2018-01-15 13:28:18 -05:00
..
ila	ila: Add a hook type for LWT routes	2017-11-08 11:20:49 +09:00
netfilter	netfilter: ip6t_MASQUERADE: add dependency on conntrack module	2017-12-11 17:04:50 +01:00
addrconf.c	treewide: setup_timer() -> timer_setup()	2017-11-21 15:57:07 -08:00
addrconf_core.c
addrlabel.c
af_inet6.c	net: reevalulate autoflowlabel setting after sysctl setting	2017-12-21 13:07:20 -05:00
ah6.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next	2017-11-15 11:56:19 -08:00
anycast.c
calipso.c
datagram.c
esp6.c	xfrm: Return error on unknown encap_type in init_state	2018-01-08 07:17:52 +01:00
esp6_offload.c	esp: Fix GRO when the headers not fully in the linear part of the skb.	2018-01-09 13:01:58 +01:00
exthdrs.c	ipv6: sr: fix TLVs not being copied using setsockopt	2018-01-10 16:03:55 -05:00
exthdrs_core.c
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c
fou6.c
icmp.c
inet6_connection_sock.c
inet6_hashtables.c
ip6_checksum.c
ip6_fib.c	ipv6: remove null_entry before adding default route	2018-01-09 12:33:55 -05:00
ip6_flowlabel.c	treewide: Switch DEFINE_TIMER callbacks to struct timer_list *	2017-11-21 15:57:05 -08:00
ip6_gre.c	ip6_gre: fix device features for ioctl setup	2017-12-26 12:21:19 -05:00
ip6_icmp.c
ip6_input.c
ip6_offload.c
ip6_offload.h
ip6_output.c	ipv6: fix udpv6 sendmsg crash caused by too small MTU	2018-01-15 13:28:18 -05:00
ip6_tunnel.c	ip6_tunnel: allow ip6gre dev mtu to be set below 1280	2018-01-02 12:36:14 -05:00
ip6_udp_tunnel.c
ip6_vti.c
ip6mr.c	treewide: setup_timer() -> timer_setup()	2017-11-21 15:57:07 -08:00
ipcomp6.c
ipv6_sockglue.c	net: reevalulate autoflowlabel setting after sysctl setting	2017-12-21 13:07:20 -05:00
Kconfig
Makefile
mcast.c	ipv6: mcast: better catch silly mtu values	2017-12-13 13:13:15 -05:00
mcast_snoop.c
mip6.c
ndisc.c	net: ipv6: sysctl to specify IPv6 ND traffic class	2017-11-11 15:13:02 +09:00
netfilter.c
output_core.c	net: accept UFO datagrams from tuntap and packet	2017-11-24 01:37:35 +09:00
ping.c
proc.c
protocol.c
raw.c
reassembly.c
route.c	ipv6: Honor specified parameters in fibmatch lookup	2017-12-21 11:51:06 -05:00
seg6.c
seg6_hmac.c
seg6_iptunnel.c
seg6_local.c
sit.c	sit: update frag_off info	2017-11-30 10:25:41 -05:00
syncookies.c
sysctl_net_ipv6.c
tcp_ipv6.c	tcp md5sig: Use skb's saddr when replying to an incoming segment	2017-12-12 11:15:42 -05:00
tcpv6_offload.c
tunnel6.c
udp.c
udp_impl.h
udp_offload.c	net: accept UFO datagrams from tuntap and packet	2017-11-24 01:37:35 +09:00
udplite.c
xfrm6_input.c	xfrm: Reinject transport-mode packets through tasklet	2017-12-19 08:23:21 +01:00
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c	xfrm6_tunnel: exit_net cleanup check added	2017-11-14 15:46:17 +09:00