linux-stable/net/core
Yan Zhai 046de74f9a net: fix NULL pointer in skb_segment_list
commit 876e8ca836 upstream.

Commit 3a1296a38d ("net: Support GRO/GSO fraglist chaining.")
introduced UDP listified GRO. The segmentation relies on frag_list being
untouched when passing through the network stack. This assumption can be
broken sometimes, where frag_list itself gets pulled into the linear area,
leaving frag_list NULL. When this happens it can trigger the
following NULL pointer dereference, and panic the kernel. Reversing the
test condition should fix it.

[19185.577801][    C1] BUG: kernel NULL pointer dereference, address:
...
[19185.663775][    C1] RIP: 0010:skb_segment_list+0x1cc/0x390
...
[19185.834644][    C1] Call Trace:
[19185.841730][    C1]  <TASK>
[19185.848563][    C1]  __udp_gso_segment+0x33e/0x510
[19185.857370][    C1]  inet_gso_segment+0x15b/0x3e0
[19185.866059][    C1]  skb_mac_gso_segment+0x97/0x110
[19185.874939][    C1]  __skb_gso_segment+0xb2/0x160
[19185.883646][    C1]  udp_queue_rcv_skb+0xc3/0x1d0
[19185.892319][    C1]  udp_unicast_rcv_skb+0x75/0x90
[19185.900979][    C1]  ip_protocol_deliver_rcu+0xd2/0x200
[19185.910003][    C1]  ip_local_deliver_finish+0x44/0x60
[19185.918757][    C1]  __netif_receive_skb_one_core+0x8b/0xa0
[19185.927834][    C1]  process_backlog+0x88/0x130
[19185.935840][    C1]  __napi_poll+0x27/0x150
[19185.943447][    C1]  net_rx_action+0x27e/0x5f0
[19185.951331][    C1]  ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]
[19185.960848][    C1]  __do_softirq+0xbc/0x25d
[19185.968607][    C1]  irq_exit_rcu+0x83/0xb0
[19185.976247][    C1]  common_interrupt+0x43/0xa0
[19185.984235][    C1]  asm_common_interrupt+0x22/0x40
...
[19186.094106][    C1]  </TASK>

Fixes: 3a1296a38d ("net: Support GRO/GSO fraglist chaining.")
Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/Y9gt5EUizK1UImEP@debian
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-02-06 07:59:01 +01:00
..
bpf_sk_storage.c net: Fix data-races around sysctl_optmem_max. 2022-08-31 17:16:43 +02:00
datagram.c tcp: TX zerocopy should not sense pfmemalloc status 2022-09-15 11:30:05 +02:00
datagram.h
dev.c net: add atomic_long_t to net_device_stats fields 2022-12-31 13:14:42 +01:00
dev_addr_lists.c net: dev_addr_list: handle first address in __hw_addr_add_ex 2021-09-30 13:29:09 +01:00
dev_ioctl.c net: core: don't call SIOCBRADD/DELIF for non-bridge devices 2021-08-05 11:36:59 +01:00
devlink.c devlink: Fix use-after-free after a failed reload 2022-08-25 11:40:06 +02:00
drop_monitor.c net: skb: introduce kfree_skb_reason() 2022-07-29 17:25:15 +02:00
dst.c net: Remove redundant if statements 2021-08-05 13:27:50 +01:00
dst_cache.c wireguard: device: reset peer src endpoint when netns exits 2021-12-08 09:04:46 +01:00
failover.c
fib_notifier.c
fib_rules.c ipv6: fix memory leak in fib6_rule_suppress 2021-12-08 09:04:43 +01:00
filter.c bpf: pull before calling skb_postpull_rcsum() 2023-01-12 11:59:08 +01:00
flow_dissector.c netfilter: conntrack: Fix data-races around ct mark 2022-12-02 17:41:04 +01:00
flow_offload.c netfilter: nf_tables: bail out early if hardware offload is not supported 2022-06-14 18:36:17 +02:00
gen_estimator.c
gen_stats.c
gro_cells.c net: Fix data-races around netdev_max_backlog. 2022-08-31 17:16:42 +02:00
hwbm.c
link_watch.c net: Write lock dev_base_lock without disabling bottom halves. 2022-06-29 09:03:22 +02:00
lwt_bpf.c bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook 2022-05-09 09:14:35 +02:00
lwtunnel.c lwtunnel: Validate RTA_ENCAP_TYPE attribute length 2022-01-11 15:35:14 +01:00
Makefile of: net: move of_net under net/ 2022-03-08 19:12:41 +01:00
neighbour.c net, neigh: Fix null-ptr-deref in neigh_table_clear() 2022-11-10 18:15:31 +01:00
net-procfs.c net-procfs: show net devices bound packet types 2022-02-01 17:27:08 +01:00
net-sysfs.c net: fix data-race in dev_isalive() 2022-06-29 09:03:22 +02:00
net-sysfs.h
net-traces.c tcp: add tracepoint for checksum errors 2021-05-14 15:26:03 -07:00
net_namespace.c net: fix UaF in netns ops registration error path 2023-02-01 08:27:26 +01:00
netclassid_cgroup.c bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode 2021-09-13 16:35:58 -07:00
netevent.c net: core: Correct function name netevent_unregister_notifier() in the kerneldoc 2021-03-28 17:56:56 -07:00
netpoll.c asm-generic/unaligned: Unify asm/unaligned.h around struct helper 2021-07-02 12:43:40 -07:00
netprio_cgroup.c bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode 2021-09-13 16:35:58 -07:00
of_net.c of: net: move of_net under net/ 2022-03-08 19:12:41 +01:00
page_pool.c page_pool: use relaxed atomic for release side accounting 2021-08-24 10:46:31 +01:00
pktgen.c pktgen: remove unused variable 2021-09-03 11:48:28 +01:00
ptp_classifier.c bpf: Refactor BPF_PROG_RUN into a function 2021-08-17 00:45:07 +02:00
request_sock.c
rtnetlink.c net: Write lock dev_base_lock without disabling bottom halves. 2022-06-29 09:03:22 +02:00
scm.c memcg: enable accounting for scm_fp_list objects 2021-07-20 06:00:38 -07:00
secure_seq.c tcp: Fix data-races around sysctl knobs related to SYN option. 2022-07-29 17:25:22 +02:00
selftests.c net: selftests: add MTU test 2021-07-22 00:52:04 -07:00
skbuff.c net: fix NULL pointer in skb_segment_list 2023-02-06 07:59:01 +01:00
skmsg.c bpf, sockmap: Fix missing BPF_F_INGRESS flag when using apply_bytes 2022-12-31 13:14:14 +01:00
sock.c soreuseport: Fix socket selection for SO_INCOMING_CPU. 2022-12-31 13:14:07 +01:00
sock_destructor.h skb_expand_head() adjust skb->truesize incorrectly 2021-10-22 12:35:51 -07:00
sock_diag.c
sock_map.c bpf, sockmap: fix race in sock_map_free() 2022-12-31 13:14:16 +01:00
sock_reuseport.c soreuseport: Fix socket selection for SO_INCOMING_CPU. 2022-12-31 13:14:07 +01:00
stream.c net: stream: purge sk_error_queue in sk_stream_kill_queues() 2022-12-31 13:14:39 +01:00
sysctl_net_core.c net: Fix data-races around weight_p and dev_weight_[rt]x_bias. 2022-08-31 17:16:42 +02:00
timestamping.c
tso.c
utils.c
xdp.c xdp: Move the rxq_info.mem clearing to unreg_mem_model() 2021-06-28 23:07:59 +02:00