    net: ip6_gre: set dev->hard_header_len when using header_ops · 832ba596
    Committed by Antoine Tenart
    syzkaller managed to crash the kernel using an NBMA ip6gre interface. I
    could reproduce it creating an NBMA ip6gre interface and forwarding
    traffic to it:
    
      skbuff: skb_under_panic: text:ffffffff8250e927 len:148 put:44 head:ffff8c03c7a33
      ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:109!
      Call Trace:
      skb_push+0x10/0x10
      ip6gre_header+0x47/0x1b0
      neigh_connected_output+0xae/0xf0
    
    ip6gre tunnel provides its own header_ops->create, and sets it
    conditionally when initializing the tunnel in NBMA mode. When
    header_ops->create is used, dev->hard_header_len should reflect the
    length of the header created. Otherwise, when not used,
    dev->needed_headroom should be used.
    
    Fixes: eb95f52f ("net: ipv6_gre: Fix GRO to work on IPv6 over GRE tap")
    Cc: Maria Pasechnik <mariap@mellanox.com>
    Signed-off-by: Antoine Tenart <atenart@kernel.org>
    Link: https://lore.kernel.org/r/20201130161911.464106-1-atenart@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
ip6_gre.c 58.2 KB
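
The headroom rule the commit message describes, as an added example that is not part of the commit or of the kernel source: a user-space C model in which a sender reserves only `hard_header_len` bytes before a stand-in for `header_ops->create` pushes 44 bytes. The `model_*` names, the reservation rule and the payload size are assumptions of the model.

```c
/* Added user-space model, not kernel code; every model_* name is hypothetical. */
#include <stdio.h>
#include <stddef.h>
/* 44 matches "put:44" in the trace: 40-byte IPv6 header + 4-byte base GRE header. */
#define MODEL_HDR_LEN 44

struct model_skb {
    unsigned char buf[256];
    unsigned char *head;   /* start of the buffer */
    unsigned char *data;   /* start of the packet data */
    size_t len;
};
struct model_dev {
    size_t hard_header_len;   /* space senders reserve for header_ops->create */
    size_t needed_headroom;   /* hint for paths that do not call create */
};

/* Assumption of this model: the sender reserves only hard_header_len bytes. */
static void model_reserve(struct model_skb *skb, const struct model_dev *dev,
                          size_t payload)
{
    skb->head = skb->buf;
    skb->data = skb->head + dev->hard_header_len;
    skb->len = payload;
}

/* Like skb_push(), but returns NULL where the kernel calls skb_under_panic(). */
static unsigned char *model_push(struct model_skb *skb, size_t n)
{
    if ((size_t)(skb->data - skb->head) < n)
        return NULL;          /* data would move below head */
    skb->data -= n;
    skb->len += n;
    return skb->data;
}

/* Returns 0 if the tunnel header fits, -1 on the underflow seen in the trace. */
static int model_send(size_t hard_header_len, size_t needed_headroom)
{
    struct model_dev dev = { hard_header_len, needed_headroom };
    struct model_skb skb;
    model_reserve(&skb, &dev, 104);   /* constructed payload size */
    /* Stand-in for header_ops->create prepending the tunnel header. */
    return model_push(&skb, MODEL_HDR_LEN) ? 0 : -1;
}

int main(void)
{
    printf("needed_headroom only: %d, hard_header_len set: %d\n",
           model_send(0, MODEL_HDR_LEN), model_send(MODEL_HDR_LEN, 0));
    return 0;
}
```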