Kernel sources for Moto G9 (Play) (Guamp)
Dong Chenchen d2309e0cb2 net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
[ Upstream commit c83b49383b595be50647f0c764a48c78b5f3c4f8 ]

As the call trace shows, skb_panic was caused by wrong skb->mac_header
in nsh_gso_segment():

invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
RIP: 0010:skb_panic+0xda/0xe0
Call Trace:
 skb_push+0x91/0xa0
 nsh_gso_segment+0x4f3/0x570
 skb_mac_gso_segment+0x19e/0x270
 __skb_gso_segment+0x1e8/0x3c0
 validate_xmit_skb+0x452/0x890
 validate_xmit_skb_list+0x99/0xd0
 sch_direct_xmit+0x294/0x7c0
 __dev_queue_xmit+0x16f0/0x1d70
 packet_xmit+0x185/0x210
 packet_snd+0xc15/0x1170
 packet_sendmsg+0x7b/0xa0
 sock_sendmsg+0x14f/0x160

The root cause is:
nsh_gso_segment() uses skb->network_header - nhoff to reset mac_header
in skb_gso_error_unwind() if the inner-layer protocol gso fails.
However, skb->network_header may be reset by the inner-layer protocol
gso function, e.g. mpls_gso_segment. The skb->mac_header reset from the
inaccurate network_header will be larger than the skb headroom.

nsh_gso_segment
    nhoff = skb->network_header - skb->mac_header;
    __skb_pull(skb,nsh_len)
    skb_mac_gso_segment
        mpls_gso_segment
            skb_reset_network_header(skb);//skb->network_header+=nsh_len
            return -EINVAL;
    skb_gso_error_unwind
        skb_push(skb, nsh_len);
        skb->mac_header = skb->network_header - nhoff;
        // skb->mac_header > skb->headroom, cause skb_push panic

Use correct mac_offset to restore mac_header and get rid of nhoff.

Fixes: c411ed8545 ("nsh: add GSO support")
Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-05-30 12:42:11 +01:00
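To make the offset arithmetic in the commit message above concrete, here is an added example written for this page; it is not kernel code and not part of the patch. It models only the sk_buff fields involved (head, data, mac_header, network_header, with header positions kept as offsets from head), replays the two unwind strategies, and checks the condition the commit message names: the recorded mac_header must not end up beyond the headroom. The buffer size, the 64-byte reserve, the 24-byte NSH header, `inner_gso_fails` as a stand-in for mpls_gso_segment's failure path, and the "fixed" variant (save the absolute mac_header offset instead of nhoff, as the commit subject describes) are assumptions of this example, not the upstream diff.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the sk_buff fields in the commit message. Header positions are
 * offsets from head (as with NET_SKBUFF_DATA_USES_OFFSET); the buffer size,
 * reserve and header lengths used below are assumptions, not kernel values. */
#define BUF_SIZE 512
#define ETH_HLEN 14   /* outer Ethernet header = skb->mac_len */

struct skb {
    unsigned char buf[BUF_SIZE];
    unsigned char *head, *data;   /* allocation start; header being processed */
    unsigned int mac_header, network_header;
};

static unsigned int skb_headroom(const struct skb *s) { return (unsigned int)(s->data - s->head); }
static void skb_pull(struct skb *s, unsigned int len) { s->data += len; }
static void skb_reset_network_header(struct skb *s) { s->network_header = skb_headroom(s); }

/* Like skb_push(): where the kernel would skb_under_panic(), return false. */
static bool skb_push(struct skb *s, unsigned int len)
{
    if (skb_headroom(s) < len)
        return false;
    s->data -= len;
    return true;
}

/* Entry state of nsh_gso_segment(): skb_mac_gso_segment() already pulled the
 * Ethernet header, so data sits on the NSH header. */
static void skb_setup(struct skb *s, unsigned int reserve)
{
    s->head = s->buf;
    s->data = s->buf + reserve + ETH_HLEN;
    s->mac_header = reserve;
    s->network_header = reserve + ETH_HLEN;
}

/* Stand-in for mpls_gso_segment() failing: it has reset network_header to the
 * current data pointer by the time it returns -EINVAL. */
static int inner_gso_fails(struct skb *s) { skb_reset_network_header(s); return -22; }

/* Pre-fix unwind: rebuild mac_header from a network_header the inner layer has
 * moved. Returns the resulting mac_header, or -1 if skb_push() failed. */
static int unwind_using_nhoff(struct skb *s, unsigned int nsh_len)
{
    skb_reset_network_header(s);
    int nhoff = (int)s->network_header - (int)s->mac_header;
    skb_pull(s, nsh_len);
    if (inner_gso_fails(s) < 0) {
        if (!skb_push(s, nsh_len))
            return -1;
        s->mac_header = s->network_header - nhoff;   /* drifts by nsh_len */
        s->network_header = s->mac_header + ETH_HLEN;
    }
    return (int)s->mac_header;
}

/* Fixed unwind in the spirit of the commit subject: remember the absolute
 * mac_header offset up front and restore exactly that. */
static int unwind_using_mac_offset(struct skb *s, unsigned int nsh_len)
{
    unsigned int mac_offset = s->mac_header;
    skb_reset_network_header(s);
    skb_pull(s, nsh_len);
    if (inner_gso_fails(s) < 0) {
        if (!skb_push(s, nsh_len))
            return -1;
        s->mac_header = mac_offset;
        s->network_header = s->mac_header + ETH_HLEN;
    }
    return (int)s->mac_header;
}

/* The condition the commit message names: the recorded MAC header must lie
 * inside the headroom, i.e. at or before skb->data. */
static bool mac_header_within_headroom(const struct skb *s) { return s->mac_header <= skb_headroom(s); }

struct unwind_result { int mac_header; bool within_headroom; };
/* Run one unwind variant on a freshly built skb and report the outcome. */
static struct unwind_result run_unwind(bool use_mac_offset, unsigned int reserve, unsigned int nsh_len)
{
    struct skb s;
    struct unwind_result r;
    skb_setup(&s, reserve);
    r.mac_header = use_mac_offset ? unwind_using_mac_offset(&s, nsh_len)
                                  : unwind_using_nhoff(&s, nsh_len);
    r.within_headroom = mac_header_within_headroom(&s);
    return r;
}

int main(void)
{
    struct unwind_result buggy = run_unwind(false, 64, 24);   /* constructed sizes */
    struct unwind_result fixed = run_unwind(true, 64, 24);
    printf("nhoff unwind:      mac_header %d, within headroom: %s\n",
           buggy.mac_header, buggy.within_headroom ? "yes" : "no");
    printf("mac_offset unwind: mac_header %d, within headroom: %s\n",
           fixed.mac_header, fixed.within_headroom ? "yes" : "no");
    return 0;
}
```

With a 64-byte reserve and a 24-byte NSH header, the nhoff-based unwind leaves mac_header at 88 while the headroom after the push is only 78, which is the inconsistency the commit message describes; the mac_offset-based unwind puts it back at 64. Note that the drift is always exactly nsh_len: with a small NSH header (8 bytes, shorter than the 14-byte Ethernet header) the corrupted offset (72) still fits inside the headroom, so the bug is silent there and only becomes a crash once the NSH header is long enough.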
Path | Last commit | Date
arch | ARM: dts: s5pv210: correct MIPI CSIS clock name | 2023-05-17 11:13:26 +02:00
block | block: bio-integrity: Copy flags when bio_integrity_payload is cloned | 2023-03-11 16:31:33 +01:00
certs | certs/blacklist_hashes.c: fix const confusion in certs blacklist | 2022-06-25 11:49:16 +02:00
crypto | crypto: drbg - Only fail when jent is unavailable in FIPS mode | 2023-05-17 11:13:13 +02:00
Documentation | media: uapi: add MEDIA_BUS_FMT_METADATA_FIXED media bus format. | 2023-05-17 11:13:09 +02:00
drivers | drm/exynos: fix g2d_open/close helper function definitions | 2023-05-30 12:42:11 +01:00
firmware | Fix built-in early-load Intel microcode alignment | 2020-01-23 08:21:29 +01:00
fs | btrfs: fix space cache inconsistency after error loading it from disk | 2023-05-30 12:42:10 +01:00
include | ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode | 2023-05-30 12:42:10 +01:00
init | random: handle latent entropy and command line from random_init() | 2022-06-25 11:49:11 +02:00
ipc | ipc/sem: Fix dangling sem_array access in semtimedop race | 2022-12-08 11:18:35 +01:00
kernel | relayfs: fix out-of-bounds access in relay_file_read | 2023-05-17 11:13:23 +02:00
lib | lib: cpu_rmap: Avoid use after free on rmap->obj array entries | 2023-05-30 12:42:09 +01:00
LICENSES | LICENSES: Remove CC-BY-SA-4.0 license text | 2018-10-18 11:28:50 +02:00
mm | mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock | 2023-05-17 11:13:28 +02:00
net | net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() | 2023-05-30 12:42:11 +01:00
samples | samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe() | 2023-01-18 11:30:28 +01:00
scripts | recordmcount: Fix memory leaks in the uwrite function | 2023-05-30 12:42:10 +01:00
security | selinux: ensure av_permissions.h is built when needed | 2023-05-17 11:13:08 +02:00
sound | ALSA: caiaq: input: Add error handling for unsupported input methods in snd_usb_caiaq_input_init | 2023-05-17 11:13:24 +02:00
tools | cpupower: Make TSC read per CPU for Mperf monitor | 2023-05-30 12:42:10 +01:00
usr | initramfs: restore default compression behavior | 2020-04-13 10:44:59 +02:00
virt | KVM: arm64: vgic: Fix exit condition in scan_its_table() | 2022-11-03 23:52:24 +09:00
.clang-format | clang-format: Set IndentWrappedFunctionNames false | 2018-08-01 18:38:51 +02:00
.cocciconfig | |
.get_maintainer.ignore | |
.gitattributes | .gitattributes: set git diff driver for C source code files | 2016-10-07 18:46:30 -07:00
.gitignore | Kbuild updates for v4.17 (2nd) | 2018-04-15 17:21:30 -07:00
.mailmap | libnvdimm-for-4.19_misc | 2018-08-25 18:13:10 -07:00
COPYING | COPYING: use the new text with points to the license files | 2018-03-23 12:41:45 -06:00
CREDITS | 9p: remove Ron Minnich from MAINTAINERS | 2018-08-17 16:20:26 -07:00
Kbuild | Kbuild updates for v4.15 | 2017-11-17 17:45:29 -08:00
Kconfig | kconfig: move the "Executable file formats" menu to fs/Kconfig.binfmt | 2018-08-02 08:06:55 +09:00
MAINTAINERS | intel-ethernet: rename i40evf to iavf | 2023-04-05 11:15:32 +02:00
Makefile | Linux 4.19.283 | 2023-05-17 11:13:28 +02:00
README | Docs: Added a pointer to the formatted docs to README | 2018-03-21 09:02:53 -06:00

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems that may result from upgrading your kernel.