Message-ID: <20251029075744.105113-1-qendrim.maxhuni@garderos.com>
Date: Wed, 29 Oct 2025 08:57:44 +0100
From: qendrim.maxhuni@...deros.com
To: netdev@...r.kernel.org
Cc: linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	bjorn@...k.no,
	andrew+netdev@...n.ch,
	davem@...emloft.net,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	Qendrim Maxhuni <qendrim.maxhuni@...deros.com>
Subject: [PATCH] net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup

From: Qendrim Maxhuni <qendrim.maxhuni@...deros.com>

Raw IP packets have no MAC header, leaving skb->mac_header uninitialized.
This can trigger kernel panics on ARM64 when xfrm or other subsystems
access the offset due to strict alignment checks.

Initialize the MAC header to prevent such crashes.

This can trigger kernel panics on ARM when running IPsec over the
qmimux0 interface.

Example trace:

[  276.268068] Internal error: Oops: 000000009600004f [#1] SMP
[  276.313631] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1
[  276.321491] Hardware name: LS1028A RDB Board (DT)
[  276.326207] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  276.333194] pc : xfrm_input+0xde8/0x1318
[  276.337134] lr : xfrm_input+0x61c/0x1318
[  276.341068] sp : ffff800080003b20
[  276.416041] Call trace:
[  276.418489]  xfrm_input+0xde8/0x1318
[  276.422074]  xfrm6_rcv+0x38/0x44
[  276.425314]  xfrm6_esp_rcv+0x48/0xa8
[  276.428898]  ip6_protocol_deliver_rcu+0x94/0x4b0
[  276.433530]  ip6_input_finish+0x44/0x70
[  276.437376]  ip6_input+0x44/0xc0
[  276.440612]  ipv6_rcv+0x6c/0x114
[  276.443848]  __netif_receive_skb_one_core+0x5c/0x8c
[  276.448743]  __netif_receive_skb+0x18/0x60
[  276.452851]  process_backlog+0x78/0x17c
[  276.456697]  __napi_poll+0x38/0x180
[  276.460194]  net_rx_action+0x168/0x2f0

Signed-off-by: Qendrim Maxhuni <qendrim.maxhuni@...deros.com>
---
 drivers/net/usb/qmi_wwan.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 11352d85475a..3a4985b582cb 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -192,6 +192,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 		if (!skbn)
 			return 0;
 
+	       /* Raw IP packets don't have a MAC header, but other subsystems
+		* (like xfrm) may still access MAC header offsets, so they must
+		* be initialized.
+		*/
+		skb_reset_mac_header(skbn);
+
 		switch (skb->data[offset + qmimux_hdr_sz] & 0xf0) {
 		case 0x40:
 			skbn->protocol = htons(ETH_P_IP);
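
Review bot: the opening line of the new comment in qmimux_rx_fixup() is indented with one tab followed by spaces, while the remaining comment lines and the skb_reset_mac_header(skbn) call use two tabs; indent the "/* Raw IP packets ..." line with two tabs so the block matches the surrounding code. The commit message also carries no Fixes: tag. Since the trace comes from a 6.12.34 kernel, naming the commit that introduced the uninitialized offset would let the fix be picked up for stable. The description gives the affected platform once as ARM64 and once as ARM in two nearly identical sentences; folding them into one statement would make the changelog clearer.
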
-- 
2.43.0

