• Eric Dumazet's avatar
    net: increment xmit_recursion level in dev_direct_xmit() · 0ad6f6e7
    Eric Dumazet authored
    Back in commit f60e5990 ("ipv6: protect skb->sk accesses
    from recursive dereference inside the stack") Hannes added code
    so that IPv6 stack would not trust skb->sk for typical cases
    where packet goes through 'standard' xmit path (__dev_queue_xmit())
    
    Alas af_packet had a dev_direct_xmit() path that was not
    dealing yet with xmit_recursion level.
    
    Also change sk_mc_loop() to dump a stack once only.
    
    Without this patch, syzbot was able to trigger :
    
    [1]
    [  153.567378] WARNING: CPU: 7 PID: 11273 at net/core/sock.c:721 sk_mc_loop+0x51/0x70
    [  153.567378] Modules linked in: nfnetlink ip6table_raw ip6table_filter iptable_raw iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 nf_defrag_ipv6 iptable_filter macsec macvtap tap macvlan 8021q hsr wireguard libblake2s blake2s_x86_64 libblake2s_generic udp_tunnel ip6_udp_tunnel libchacha20poly1305 poly1305_x86_64 chacha_x86_64 libchacha curve25519_x86_64 libcurve25519_generic netdevsim batman_adv dummy team bridge stp llc w1_therm wire i2c_mux_pca954x i2c_mux cdc_acm ehci_pci ehci_hcd mlx4_en mlx4_ib ib_uverbs ib_core mlx4_core
    [  153.567386] CPU: 7 PID: 11273 Comm: b159172088 Not tainted 5.8.0-smp-DEV #273
    [  153.567387] RIP: 0010:sk_mc_loop+0x51/0x70
    [  153.567388] Code: 66 83 f8 0a 75 24 0f b6 4f 12 b8 01 00 00 00 31 d2 d3 e0 a9 bf ef ff ff 74 07 48 8b 97 f0 02 00 00 0f b6 42 3a 83 e0 01 5d c3 <0f> 0b b8 01 00 00 00 5d c3 0f b6 87 18 03 00 00 5d c0 e8 04 83 e0
    [  153.567388] RSP: 0018:ffff95c69bb93990 EFLAGS: 00010212
    [  153.567388] RAX: 0000000000000011 RBX: ffff95c6e0ee3e00 RCX: 0000000000000007
    [  153.567389] RDX: ffff95c69ae50000 RSI: ffff95c6c30c3000 RDI: ffff95c6c30c3000
    [  153.567389] RBP: ffff95c69bb93990 R08: ffff95c69a77f000 R09: 0000000000000008
    [  153.567389] R10: 0000000000000040 R11: 00003e0e00026128 R12: ffff95c6c30c3000
    [  153.567390] R13: ffff95c6cc4fd500 R14: ffff95c6f84500c0 R15: ffff95c69aa13c00
    [  153.567390] FS:  00007fdc3a283700(0000) GS:ffff95c6ff9c0000(0000) knlGS:0000000000000000
    [  153.567390] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  153.567391] CR2: 00007ffee758e890 CR3: 0000001f9ba20003 CR4: 00000000001606e0
    [  153.567391] Call Trace:
    [  153.567391]  ip6_finish_output2+0x34e/0x550
    [  153.567391]  __ip6_finish_output+0xe7/0x110
    [  153.567391]  ip6_finish_output+0x2d/0xb0
    [  153.567392]  ip6_output+0x77/0x120
    [  153.567392]  ? __ip6_finish_output+0x110/0x110
    [  153.567392]  ip6_local_out+0x3d/0x50
    [  153.567392]  ipvlan_queue_xmit+0x56c/0x5e0
    [  153.567393]  ? ksize+0x19/0x30
    [  153.567393]  ipvlan_start_xmit+0x18/0x50
    [  153.567393]  dev_direct_xmit+0xf3/0x1c0
    [  153.567393]  packet_direct_xmit+0x69/0xa0
    [  153.567394]  packet_sendmsg+0xbf0/0x19b0
    [  153.567394]  ? plist_del+0x62/0xb0
    [  153.567394]  sock_sendmsg+0x65/0x70
    [  153.567394]  sock_write_iter+0x93/0xf0
    [  153.567394]  new_sync_write+0x18e/0x1a0
    [  153.567395]  __vfs_write+0x29/0x40
    [  153.567395]  vfs_write+0xb9/0x1b0
    [  153.567395]  ksys_write+0xb1/0xe0
    [  153.567395]  __x64_sys_write+0x1a/0x20
    [  153.567395]  do_syscall_64+0x43/0x70
    [  153.567396]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [  153.567396] RIP: 0033:0x453549
    [  153.567396] Code: Bad RIP value.
    [  153.567396] RSP: 002b:00007fdc3a282cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
    [  153.567397] RAX: ffffffffffffffda RBX: 00000000004d32d0 RCX: 0000000000453549
    [  153.567397] RDX: 0000000000000020 RSI: 0000000020000300 RDI: 0000000000000003
    [  153.567398] RBP: 00000000004d32d8 R08: 0000000000000000 R09: 0000000000000000
    [  153.567398] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d32dc
    [  153.567398] R13: 00007ffee742260f R14: 00007fdc3a282dc0 R15: 00007fdc3a283700
    [  153.567399] ---[ end trace c1d5ae2b1059ec62 ]---
    
    f60e5990 ("ipv6: protect skb->sk accesses from recursive dereference inside the stack")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    0ad6f6e7
sock.c 89.2 KB