mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-28 21:33:52 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Mohamed Khalfella d579038659 skbuff: skb_segment, Call zero copy functions before using skbuff frags 
commit 2ea35288c8 upstream.

Commit bf5c25d608 ("skbuff: in skb_segment, call zerocopy functions
once per nskb") added the call to zero copy functions in skb_segment().
The change introduced a bug in skb_segment() because skb_orphan_frags()
may possibly change the number of fragments or allocate new fragments
altogether leaving nrfrags and frag to point to the old values. This can
cause a panic with stacktrace like the one below.

[  193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc
[  193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G           O      5.15.123+ #26
[  193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0
[  194.021892] Call Trace:
[  194.027422]  <TASK>
[  194.072861]  tcp_gso_segment+0x107/0x540
[  194.082031]  inet_gso_segment+0x15c/0x3d0
[  194.090783]  skb_mac_gso_segment+0x9f/0x110
[  194.095016]  __skb_gso_segment+0xc1/0x190
[  194.103131]  netem_enqueue+0x290/0xb10 [sch_netem]
[  194.107071]  dev_qdisc_enqueue+0x16/0x70
[  194.110884]  __dev_queue_xmit+0x63b/0xb30
[  194.121670]  bond_start_xmit+0x159/0x380 [bonding]
[  194.128506]  dev_hard_start_xmit+0xc3/0x1e0
[  194.131787]  __dev_queue_xmit+0x8a0/0xb30
[  194.138225]  macvlan_start_xmit+0x4f/0x100 [macvlan]
[  194.141477]  dev_hard_start_xmit+0xc3/0x1e0
[  194.144622]  sch_direct_xmit+0xe3/0x280
[  194.147748]  __dev_queue_xmit+0x54a/0xb30
[  194.154131]  tap_get_user+0x2a8/0x9c0 [tap]
[  194.157358]  tap_sendmsg+0x52/0x8e0 [tap]
[  194.167049]  handle_tx_zerocopy+0x14e/0x4c0 [vhost_net]
[  194.173631]  handle_tx+0xcd/0xe0 [vhost_net]
[  194.176959]  vhost_worker+0x76/0xb0 [vhost]
[  194.183667]  kthread+0x118/0x140
[  194.190358]  ret_from_fork+0x1f/0x30
[  194.193670]  </TASK>

In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags
local variable in skb_segment() stale. This resulted in the code hitting
i >= nrfrags prematurely and trying to move to next frag_skb using
list_skb pointer, which was NULL, and caused kernel panic. Move the call
to zero copy functions before using frags and nr_frags.

Fixes: bf5c25d608 ("skbuff: in skb_segment, call zerocopy functions once per nskb")
Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
Reported-by: Amit Goyal <agoyal@purestorage.com>
Cc: stable@vger.kernel.org
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-09-19 12:22:49 +02:00
..
6lowpan
9p 9p: virtio: make sure 'offs' is initialized in zc_request 2023-09-19 12:22:27 +02:00
802
8021q vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() 2023-05-24 17:36:52 +01:00
appletalk
atm atm: hide unused procfs functions 2023-06-09 10:32:26 +02:00
ax25
batman-adv batman-adv: Hold rtnl lock during MTU update via netlink 2023-08-30 16:18:18 +02:00
bluetooth Bluetooth: Fix potential use-after-free when clear keys 2023-09-19 12:22:33 +02:00
bpf
bpfilter
bridge bridge: Add extack warning when enabling STP in netns. 2023-07-27 08:46:59 +02:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:48:54 +01:00
can can: raw: add missing refcount for memory leak fix 2023-08-30 16:18:20 +02:00
ceph libceph: fix potential hang in ceph_osdc_notify() 2023-08-11 15:13:55 +02:00
core skbuff: skb_segment, Call zero copy functions before using skbuff frags 2023-09-19 12:22:49 +02:00
dcb net: dcb: choose correct policy to parse DCB_ATTR_BCN 2023-08-11 15:13:53 +02:00
dccp dccp: annotate data-races in dccp_poll() 2023-08-30 16:18:14 +02:00
dns_resolver
dsa net: dsa: tag_sja1105: fix MAC DA patching from meta frames 2023-07-23 13:47:30 +02:00
ethernet
ethtool ethtool: Fix uninitialized number of lanes 2023-05-17 11:50:18 +02:00
hsr hsr: ratelimit only when errors are printed 2023-04-05 11:25:02 +02:00
ieee802154
ife
ipv4 igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU 2023-09-19 12:22:49 +02:00
ipv6 lwt: Check LWTUNNEL_XMIT_CONTINUE strictly 2023-09-19 12:22:34 +02:00
iucv net/iucv: Fix size of interrupt data 2023-03-22 13:31:28 +01:00
kcm
key net: af_key: fix sadb_x_filter validation 2023-08-26 14:23:32 +02:00
l2tp inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). 2023-04-26 13:51:54 +02:00
l3mdev
lapb
llc llc: Don't drop packet from non-root netns. 2023-07-27 08:47:02 +02:00
mac80211 wifi: mac80211: simplify chanctx allocation 2023-06-09 10:32:25 +02:00
mac802154
mctp net: mctp: purge receive queues on sk destruction 2023-02-06 07:59:02 +01:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-22 12:57:09 +01:00
mptcp mptcp: consolidate fallback and non fallback state machine 2023-07-05 18:25:04 +01:00
ncsi net/ncsi: change from ndo_set_mac_address to dev_set_mac_address 2023-08-30 16:18:16 +02:00
netfilter netfilter: xt_sctp: validate the flag_info count 2023-09-19 12:22:49 +02:00
netlabel netlabel: fix shift wrapping bug in netlbl_catmap_setlong() 2023-09-19 12:22:29 +02:00
netlink netlink: Add __sock_i_ino() for __netlink_diag_dump(). 2023-07-23 13:46:56 +02:00
netrom netrom: Deny concurrent connect(). 2023-09-19 12:22:35 +02:00
nfc net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-07-23 13:46:56 +02:00
nsh net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() 2023-05-24 17:36:51 +01:00
openvswitch net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() 2023-02-22 12:57:09 +01:00
packet net/packet: annotate data-races around tp->status 2023-08-16 18:22:01 +02:00
phonet
psample
qrtr net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() 2023-04-20 12:13:53 +02:00
rds rds: rds_rm_zerocopy_callback() correct order for list_add_tail() 2023-03-10 09:39:16 +01:00
rfkill
rose net/rose: Fix to not accept on connected socket 2023-02-22 12:57:02 +01:00
rxrpc rxrpc: Fix hard call timeout units 2023-05-17 11:50:17 +02:00
sched net/sched: sch_hfsc: Ensure inner classes have fsc curve 2023-09-19 12:22:35 +02:00
sctp sctp: handle invalid error codes without calling BUG() 2023-09-19 12:22:29 +02:00
smc net/smc: Avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT 2023-06-14 11:13:01 +02:00
strparser
sunrpc xprtrdma: Remap Receive buffers after a reconnect 2023-08-30 16:18:10 +02:00
switchdev
tipc tipc: stop tipc crypto on failure in tipc_node_create 2023-08-03 10:22:37 +02:00
tls net: tls: avoid discarding data on record close 2023-08-26 14:23:22 +02:00
unix af_unix: Fix null-ptr-deref in unix_stream_sendpage(). 2023-08-26 14:23:38 +02:00
vmw_vsock vsock: avoid to close connected socket after the timeout 2023-05-24 17:36:49 +01:00
wireless wifi: nl80211/cfg80211: add forgotten nla_policy for BSS color attribute 2023-09-19 12:22:34 +02:00
x25 net/x25: Fix to not accept on connected socket 2023-02-09 11:26:40 +01:00
xdp xsk: fix refcount underflow in error path 2023-08-16 18:22:01 +02:00
xfrm xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH 2023-08-26 14:23:33 +02:00
compat.c
devres.c
Kconfig Remove DECnet support from kernel 2023-06-21 15:59:15 +02:00
Makefile Remove DECnet support from kernel 2023-06-21 15:59:15 +02:00
socket.c net: Avoid address overwrite in kernel_connect 2023-09-19 12:22:30 +02:00
sysctl_net.c