Description
In the Linux kernel, the following vulnerability has been resolved:

ppp: associate skb with a device at tx

Syzkaller triggered flow dissector warning with the following:

    r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0)
    ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0))
    ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]})
    pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0)

    [ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0
    [ 9.485929] skb_get_poff+0x53/0xa0
    [ 9.485937] bpf_skb_get_pay_offset+0xe/0x20
    [ 9.485944] ? ppp_send_frame+0xc2/0x5b0
    [ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60
    [ 9.485958] ? __ppp_xmit_process+0x7a/0xe0
    [ 9.485968] ? ppp_xmit_process+0x5b/0xb0
    [ 9.485974] ? ppp_write+0x12a/0x190
    [ 9.485981] ? do_iter_write+0x18e/0x2d0
    [ 9.485987] ? __import_iovec+0x30/0x130
    [ 9.485997] ? do_pwritev+0x1b6/0x240
    [ 9.486016] ? trace_hardirqs_on+0x47/0x50
    [ 9.486023] ? __x64_sys_pwritev+0x24/0x30
    [ 9.486026] ? do_syscall_64+0x3d/0x80
    [ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd

Flow dissector tries to find skb net namespace either via device or via socket. Neither is set in ppp_send_frame, so let's manually use ppp->dev.
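The following userspace model is an added example, not kernel code and not the upstream patch. It shows why the active filter in the reproducer reaches the flow dissector and why associating the skb with ppp->dev removes the warning. The struct layouts and the functions flow_dissect_net, run_filter and ppp_send_frame_model are hypothetical stand-ins; the opcode readings (0x20 = LD|W|ABS, 0x06 = RET|K, 0xfffff034 = SKF_AD_OFF + SKF_AD_PAY_OFFSET) are the classic BPF constants.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model: stand-in types with only the fields this bug involves. */
struct net { int id; };
struct net_device { struct net *nd_net; };
struct sock { struct net *sk_net; };
struct sk_buff { struct net_device *dev; struct sock *sk; };
struct ppp { struct net_device *dev; };
struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define PAY_OFFSET_K (0xfffff000u + 52u)  /* SKF_AD_OFF + SKF_AD_PAY_OFFSET */

/* Namespace lookup as the description states it: device, else socket. */
static struct net *flow_dissect_net(const struct sk_buff *skb)
{
    if (skb->dev)
        return skb->dev->nd_net;
    return skb->sk ? skb->sk->sk_net : NULL;  /* NULL is what trips the WARNING */
}

/* Walks a filter (only the reproducer's two opcodes); counts failed lookups. */
static int run_filter(const struct sock_filter *f, int n, const struct sk_buff *skb)
{
    int warned = 0;
    for (int i = 0; i < n && f[i].code != 0x06; i++)      /* 0x06 = RET|K */
        if (f[i].code == 0x20 && f[i].k == PAY_OFFSET_K)  /* LD|W|ABS ancillary */
            warned += (flow_dissect_net(skb) == NULL);
    return warned;
}

/* Tx path model running the reproducer's active filter; fixed != 0 applies the fix. */
static int ppp_send_frame_model(struct ppp *ppp, struct sk_buff *skb, int fixed)
{
    static const struct sock_filter active[] = { { 0x20, 0, 0, 0xfffff034 }, { 0x06, 0, 0, 0 } };
    if (fixed)
        skb->dev = ppp->dev;  /* associate the skb with the ppp device */
    return run_filter(active, 2, skb);
}

int main(void)
{
    struct net ns = { 1 };
    struct net_device dev = { &ns };
    struct ppp ppp = { &dev };
    struct sk_buff a = { NULL, NULL }, b = { NULL, NULL };  /* skb built by write(): no dev, no sk */
    int before = ppp_send_frame_model(&ppp, &a, 0);
    printf("warnings before fix: %d, after fix: %d\n", before, ppp_send_frame_model(&ppp, &b, 1));
    return 0;
}
```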
Product status
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before e387a25552951802102e279931d6f7dd2ecc34c1
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 30f186978e87bef2f22ed349010d3e23271e8d44
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before c2a698ff156974908308f42cf5991ab5c0c4b8cd
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 7da524781c531ebaf2f94c9dc4c541b82edecfed
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 148dcbd3af039ae39c3af697a3183008c7995805
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 4b8f3b939266c90f03b7cc7e26a4c28c7b64137b
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 18dc946360bfe0de016a59e3cc3ee1f450fceb9d
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ee678b1f52f9439e930db2db3fd7e345d03e1a50
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 9f225444467b98579cf28d94f4ad053460dfdb84
4.9.337 (semver)
4.14.303 (semver)
4.19.270 (semver)
5.4.229 (semver)
5.10.163 (semver)
5.15.86 (semver)
6.0.16 (semver)
6.1.2 (semver)
6.2 (original_commit_for_fix)
References
git.kernel.org/...c/e387a25552951802102e279931d6f7dd2ecc34c1
git.kernel.org/...c/30f186978e87bef2f22ed349010d3e23271e8d44
git.kernel.org/...c/c2a698ff156974908308f42cf5991ab5c0c4b8cd
git.kernel.org/...c/7da524781c531ebaf2f94c9dc4c541b82edecfed
git.kernel.org/...c/148dcbd3af039ae39c3af697a3183008c7995805
git.kernel.org/...c/4b8f3b939266c90f03b7cc7e26a4c28c7b64137b
git.kernel.org/...c/18dc946360bfe0de016a59e3cc3ee1f450fceb9d
git.kernel.org/...c/ee678b1f52f9439e930db2db3fd7e345d03e1a50
git.kernel.org/...c/9f225444467b98579cf28d94f4ad053460dfdb84