Skip to content

Commit

Permalink
net: ip6_gre: set dev->hard_header_len when using header_ops
Browse files Browse the repository at this point in the history 
[ Upstream commit 832ba59 ]

syzkaller managed to crash the kernel using an NBMA ip6gre interface. I
could reproduce it creating an NBMA ip6gre interface and forwarding
traffic to it:

  skbuff: skb_under_panic: text:ffffffff8250e927 len:148 put:44 head:ffff8c03c7a33
  ------------[ cut here ]------------
  kernel BUG at net/core/skbuff.c:109!
  Call Trace:
  skb_push+0x10/0x10
  ip6gre_header+0x47/0x1b0
  neigh_connected_output+0xae/0xf0

ip6gre tunnel provides its own header_ops->create, and sets it
conditionally when initializing the tunnel in NBMA mode. When
header_ops->create is used, dev->hard_header_len should reflect the
length of the header created. Otherwise, when not used,
dev->needed_headroom should be used.

Fixes: eb95f52 ("net: ipv6_gre: Fix GRO to work on IPv6 over GRE tap")
Cc: Maria Pasechnik <mariap@mellanox.com>
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Link: https://lore.kernel.org/r/20201130161911.464106-1-atenart@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
@atenart @gregkh
atenart authored and gregkh committed Dec 8, 2020
1 parent 0d55568 commit d9897bb
Showing 1 changed file with 13 additions and 3 deletions.
16 changes: 13 additions & 3 deletions net/ipv6/ip6_gre.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1122,8 +1122,13 @@ static void ip6gre_tnl_link_config_route(struct ip6_tnl *t, int set_mtu,
return;

if (rt->dst.dev) {
dev->needed_headroom = rt->dst.dev->hard_header_len +
t_hlen;
unsigned short dst_len = rt->dst.dev->hard_header_len +
t_hlen;

if (t->dev->header_ops)
dev->hard_header_len = dst_len;
else
dev->needed_headroom = dst_len;

if (set_mtu) {
dev->mtu = rt->dst.dev->mtu - t_hlen;
Expand All @@ -1148,7 +1153,12 @@ static int ip6gre_calc_hlen(struct ip6_tnl *tunnel)
tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen;

t_hlen = tunnel->hlen + sizeof(struct ipv6hdr);
tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen;

if (tunnel->dev->header_ops)
tunnel->dev->hard_header_len = LL_MAX_HEADER + t_hlen;
else
tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen;

return t_hlen;
}

Expand Down

0 comments on commit d9897bb

Please sign in to comment.