linux-stable/net/core
Yan Zhai 876e8ca836 net: fix NULL pointer in skb_segment_list
Commit 3a1296a38d ("net: Support GRO/GSO fraglist chaining.")
introduced UDP listified GRO. The segmentation relies on frag_list being
untouched when passing through the network stack. This assumption can be
broken sometimes, where frag_list itself gets pulled into the linear area,
leaving frag_list NULL. When this happens it can trigger the
following NULL pointer dereference, and panic the kernel. Reversing the
test condition should fix it.

[19185.577801][    C1] BUG: kernel NULL pointer dereference, address:
...
[19185.663775][    C1] RIP: 0010:skb_segment_list+0x1cc/0x390
...
[19185.834644][    C1] Call Trace:
[19185.841730][    C1]  <TASK>
[19185.848563][    C1]  __udp_gso_segment+0x33e/0x510
[19185.857370][    C1]  inet_gso_segment+0x15b/0x3e0
[19185.866059][    C1]  skb_mac_gso_segment+0x97/0x110
[19185.874939][    C1]  __skb_gso_segment+0xb2/0x160
[19185.883646][    C1]  udp_queue_rcv_skb+0xc3/0x1d0
[19185.892319][    C1]  udp_unicast_rcv_skb+0x75/0x90
[19185.900979][    C1]  ip_protocol_deliver_rcu+0xd2/0x200
[19185.910003][    C1]  ip_local_deliver_finish+0x44/0x60
[19185.918757][    C1]  __netif_receive_skb_one_core+0x8b/0xa0
[19185.927834][    C1]  process_backlog+0x88/0x130
[19185.935840][    C1]  __napi_poll+0x27/0x150
[19185.943447][    C1]  net_rx_action+0x27e/0x5f0
[19185.951331][    C1]  ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]
[19185.960848][    C1]  __do_softirq+0xbc/0x25d
[19185.968607][    C1]  irq_exit_rcu+0x83/0xb0
[19185.976247][    C1]  common_interrupt+0x43/0xa0
[19185.984235][    C1]  asm_common_interrupt+0x22/0x40
...
[19186.094106][    C1]  </TASK>

Fixes: 3a1296a38d ("net: Support GRO/GSO fraglist chaining.")
Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/Y9gt5EUizK1UImEP@debian
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-01-31 21:07:04 -08:00
bpf_sk_storage.c bpf: Fix a compilation failure with clang lto build 2022-11-30 17:13:25 -08:00
datagram.c tcp: TX zerocopy should not sense pfmemalloc status 2022-09-02 12:29:02 +01:00
dev.c net: add netdev_sw_irq_coalesce_default_on() 2022-12-03 21:48:36 +00:00
dev.h net: add new helper unregister_netdevice_many_notify 2022-10-31 18:10:21 -07:00
dev_addr_lists.c
dev_addr_lists_test.c kunit: Use KUNIT_EXPECT_MEMEQ macro 2022-10-27 02:40:14 -06:00
dev_ioctl.c net: dev: Convert sa_data to flexible array in struct sockaddr 2022-10-25 11:44:20 -07:00
devlink.c devlink: protect devlink dump by the instance lock 2022-12-16 21:16:28 -08:00
drop_monitor.c genetlink: introduce split op representation 2022-11-07 12:30:16 +00:00
dst.c Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
dst_cache.c
failover.c net: failover: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf 2022-12-12 15:18:25 -08:00
fib_notifier.c
fib_rules.c
filter.c bpf: pull before calling skb_postpull_rcsum() 2022-12-20 15:58:35 -08:00
flow_dissector.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-11-29 13:04:52 -08:00
flow_offload.c net: flow_offload: add support for ARP frame matching 2022-11-14 11:24:16 +00:00
gen_estimator.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
gen_stats.c net: Remove the obsolete u64_stats_fetch_*_irq() users (net). 2022-10-28 20:13:54 -07:00
gro.c skb: Do mix page pool and page referenced frags in GRO 2023-01-27 23:21:27 -08:00
gro_cells.c net: drop the weight argument from netif_napi_add 2022-09-28 18:57:14 -07:00
hwbm.c
link_watch.c net: linkwatch: only report IF_OPER_LOWERLAYERDOWN if iflink is actually down 2022-11-16 09:45:00 +00:00
lwt_bpf.c
lwtunnel.c xfrm: lwtunnel: squelch kernel warning in case XFRM encap type is not available 2022-10-12 10:45:51 +02:00
Makefile net: skb: export skb drop reasons to user by TRACE_DEFINE_ENUM 2022-09-07 15:28:08 +01:00
neighbour.c Random number generator updates for Linux 6.2-rc1. 2022-12-12 16:22:22 -08:00
net-procfs.c
net-sysfs.c Driver Core changes for 6.2-rc1 2022-12-16 03:54:54 -08:00
net-sysfs.h
net-traces.c
net_namespace.c net: fix UaF in netns ops registration error path 2023-01-20 18:51:18 -08:00
netclassid_cgroup.c core: Variable type completion 2022-08-31 09:40:34 +01:00
netevent.c
netpoll.c net: move from strlcpy with unused retval to strscpy 2022-08-22 18:06:18 -07:00
netprio_cgroup.c
of_net.c of: net: export of_get_mac_address_nvmem() 2022-11-29 10:45:53 +01:00
page_pool.c
pktgen.c treewide: use get_random_u32_inclusive() when possible 2022-11-18 02:18:02 +01:00
ptp_classifier.c
request_sock.c
rtnetlink.c net: expose devlink port over rtnetlink 2022-11-03 20:48:37 -07:00
scm.c
secure_seq.c
selftests.c
skbuff.c net: fix NULL pointer in skb_segment_list 2023-01-31 21:07:04 -08:00
skmsg.c bpf, sockmap: Fix missing BPF_F_INGRESS flag when using apply_bytes 2022-12-01 01:07:32 +01:00
sock.c net: Introduce sk_use_task_frag in struct sock. 2022-12-19 17:28:49 -08:00
sock_destructor.h
sock_diag.c net: fix __sock_gen_cookie() 2022-11-21 20:36:30 -08:00
sock_map.c bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself 2023-01-24 21:32:55 -08:00
sock_reuseport.c soreuseport: Fix socket selection for SO_INCOMING_CPU. 2022-10-25 11:35:16 +02:00
stream.c net: stream: purge sk_error_queue in sk_stream_kill_queues() 2022-12-19 12:33:16 +00:00
sysctl_net_core.c net: sysctl: remove unused variable long_max 2022-09-07 15:31:19 +01:00
timestamping.c
tso.c net: tso: inline tso_count_descs() 2022-12-12 15:04:39 -08:00
utils.c net: core: inet[46]_pton strlen len types 2022-11-01 21:14:39 -07:00
xdp.c xdp: improve page_pool xdp_return performance 2022-09-26 11:28:19 -07:00