[PATCH] net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup

qendrim.maxhuni@garderos.com posted 1 patch 1 month, 2 weeks ago
drivers/net/usb/qmi_wwan.c | 6 ++++++
1 file changed, 6 insertions(+)
From: Qendrim Maxhuni <qendrim.maxhuni@garderos.com>

Raw IP packets have no MAC header, leaving skb->mac_header uninitialized.
This can trigger kernel panics on ARM64 when xfrm or other subsystems
access the offset due to strict alignment checks.

Initialize the MAC header to prevent such crashes.

This can trigger kernel panics on ARM when running IPsec over the
qmimux0 interface.

Example trace:

[  276.268068] Internal error: Oops: 000000009600004f [#1] SMP
[  276.313631] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1
[  276.321491] Hardware name: LS1028A RDB Board (DT)
[  276.326207] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  276.333194] pc : xfrm_input+0xde8/0x1318
[  276.337134] lr : xfrm_input+0x61c/0x1318
[  276.341068] sp : ffff800080003b20
[  276.416041] Call trace:
[  276.418489]  xfrm_input+0xde8/0x1318
[  276.422074]  xfrm6_rcv+0x38/0x44
[  276.425314]  xfrm6_esp_rcv+0x48/0xa8
[  276.428898]  ip6_protocol_deliver_rcu+0x94/0x4b0
[  276.433530]  ip6_input_finish+0x44/0x70
[  276.437376]  ip6_input+0x44/0xc0
[  276.440612]  ipv6_rcv+0x6c/0x114
[  276.443848]  __netif_receive_skb_one_core+0x5c/0x8c
[  276.448743]  __netif_receive_skb+0x18/0x60
[  276.452851]  process_backlog+0x78/0x17c
[  276.456697]  __napi_poll+0x38/0x180
[  276.460194]  net_rx_action+0x168/0x2f0

Signed-off-by: Qendrim Maxhuni <qendrim.maxhuni@garderos.com>
---
 drivers/net/usb/qmi_wwan.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 11352d85475a..3a4985b582cb 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -192,6 +192,12 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 		if (!skbn)
 			return 0;
 
+	       /* Raw IP packets don't have a MAC header, but other subsystems
+		* (like xfrm) may still access MAC header offsets, so they must
+		* be initialized.
+		*/
+		skb_reset_mac_header(skbn);
+
 		switch (skb->data[offset + qmimux_hdr_sz] & 0xf0) {
 		case 0x40:
 			skbn->protocol = htons(ETH_P_IP);
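
Review bot: The first line of the added comment is indented with a tab followed by spaces, while the rest of the comment and the skb_reset_mac_header(skbn) call use two tabs; please indent the "/* Raw IP packets ..." line with two tabs so the block matches the surrounding code and passes checkpatch. On placement, the reset sits directly after the !skbn check and before the protocol switch, so the recorded MAC header offset is simply the current data offset of the new skb. That suits a raw IP packet with no link-layer header, but the comment could say so explicitly (for example, that the MAC header is set to a zero-length header at the start of the packet), so readers do not assume a real Ethernet header is present. Since the changelog describes a crash in xfrm_input, a Fixes: tag naming the commit that introduced the uninitialized offset would also help stable backports.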
-- 
2.43.0