mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/include/net
History
Eric Dumazet 720a6817e1 ip6: fix skb leak in ip6frag_expire_frag_queue() 
commit 47d3d7fdb1 upstream.

Since ip6frag_expire_frag_queue() now pulls the head skb
from frag queue, we should no longer use skb_get(), since
this leads to an skb leak.

Stefan Bader initially reported a problem in 4.4.stable [1] caused
by the skb_get(), so this patch should also fix this issue.

296583.091021] kernel BUG at /build/linux-6VmqmP/linux-4.4.0/net/core/skbuff.c:1207!
[296583.091734] Call Trace:
[296583.091749]  [<ffffffff81740e50>] __pskb_pull_tail+0x50/0x350
[296583.091764]  [<ffffffff8183939a>] _decode_session6+0x26a/0x400
[296583.091779]  [<ffffffff817ec719>] __xfrm_decode_session+0x39/0x50
[296583.091795]  [<ffffffff818239d0>] icmpv6_route_lookup+0xf0/0x1c0
[296583.091809]  [<ffffffff81824421>] icmp6_send+0x5e1/0x940
[296583.091823]  [<ffffffff81753238>] ? __netif_receive_skb+0x18/0x60
[296583.091838]  [<ffffffff817532b2>] ? netif_receive_skb_internal+0x32/0xa0
[296583.091858]  [<ffffffffc0199f74>] ? ixgbe_clean_rx_irq+0x594/0xac0 [ixgbe]
[296583.091876]  [<ffffffffc04eb260>] ? nf_ct_net_exit+0x50/0x50 [nf_defrag_ipv6]
[296583.091893]  [<ffffffff8183d431>] icmpv6_send+0x21/0x30
[296583.091906]  [<ffffffff8182b500>] ip6_expire_frag_queue+0xe0/0x120
[296583.091921]  [<ffffffffc04eb27f>] nf_ct_frag6_expire+0x1f/0x30 [nf_defrag_ipv6]
[296583.091938]  [<ffffffff810f3b57>] call_timer_fn+0x37/0x140
[296583.091951]  [<ffffffffc04eb260>] ? nf_ct_net_exit+0x50/0x50 [nf_defrag_ipv6]
[296583.091968]  [<ffffffff810f5464>] run_timer_softirq+0x234/0x330
[296583.091982]  [<ffffffff8108a339>] __do_softirq+0x109/0x2b0

Fixes: d4289fcc9b ("net: IP6 defrag: use rbtrees for IPv6 defrag")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Stefan Bader <stefan.bader@canonical.com>
Cc: Peter Oskolkov <posk@google.com>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2019-09-16 08:20:44 +02:00
..
9p 9p: Implement show_options 2017-07-11 06:08:58 -04:00
bluetooth Bluetooth: Align minimum encryption key size for LE and BR/EDR connections 2019-06-25 11:36:54 +08:00
caif caif: reduce stack size with KASAN 2019-05-08 07:20:45 +02:00
iucv License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netfilter netfilter: ctnetlink: don't use conntrack/expect object addresses as id 2019-05-16 19:42:23 +02:00
netns tcp: add tcp_min_snd_mss sysctl 2019-06-17 19:52:44 +02:00
nfc nfc: nci: Potential off by one in ->pipes[] array 2019-05-16 19:42:32 +02:00
phonet phonet: fix building with clang 2019-03-23 14:35:16 +01:00
sctp sctp: avoid running the sctp state machine recursively 2019-05-08 07:20:44 +02:00
tc_act net/sched: don't dereference a->goto_chain to read the chain index 2019-05-04 09:15:20 +02:00
6lowpan.h
Space.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
act_api.h net_sched: fix a NULL pointer deref in ipt action 2019-09-10 10:32:20 +01:00
addrconf.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
af_ieee802154.h
af_rxrpc.h rxrpc: Allow failed client calls to be retried 2017-08-29 10:55:20 +01:00
af_unix.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
af_vsock.h VSOCK: use TCP state constants for sk_state 2019-08-04 09:31:59 +02:00
ah.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
arp.h ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled 2019-06-11 12:21:51 +02:00
atmclip.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ax25.h ax25: fix possible use-after-free 2019-02-23 09:06:44 +01:00
ax88796.h
bond_3ad.h
bond_alb.h
bond_options.h bonding: Prevent duplicate userspace notification 2017-05-27 18:51:41 -04:00
bonding.h bonding: avoid possible dead-lock 2018-10-18 09:16:17 +02:00
busy_poll.h net: fix compilation when busy poll is not enabled 2017-08-11 14:59:24 -07:00
calipso.h net, calipso: convert calipso_doi.refcount from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
cfg80211-wext.h
cfg80211.h mac80211_hwsim: validate number of different channels 2018-02-25 11:07:45 +01:00
cfg802154.h
checksum.h
cipso_ipv4.h net, ipv4: convert cipso_v4_doi.refcount from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
cls_cgroup.h
codel.h
codel_impl.h
codel_qdisc.h
compat.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
datalink.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dcbevent.h
dcbnl.h
devlink.h devlink: Add IPv6 header for dpipe 2017-08-31 14:42:19 -07:00
dn.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dn_dev.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dn_fib.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dn_neigh.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dn_nsp.h
dn_route.h
dsa.h net: dsa: Allow switch drivers to indicate number of TX queues 2017-09-05 11:53:34 -07:00
dsfield.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dst.h net: make skb_dst_force return true when dst is refcounted 2019-07-31 07:28:46 +02:00
dst_cache.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dst_metadata.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dst_ops.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
erspan.h gre: introduce native tunnel support for ERSPAN 2017-08-22 14:29:30 -07:00
esp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ethoc.h
fib_notifier.h net: Add module reference to FIB notifiers 2017-09-01 20:33:42 -07:00
fib_rules.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
firewire.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
flow.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
flow_dissector.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fou.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fq.h
fq_impl.h fq_impl: Properly enforce memory limit 2017-10-18 09:40:35 +02:00
garp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gen_stats.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
genetlink.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
geneve.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gre.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gro_cells.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gtp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gue.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hwbm.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
icmp.h net: Add __icmp_send helper. 2019-03-13 14:03:09 -07:00
ieee80211_radiotap.h
ieee802154_netdev.h
if_inet6.h net, ipv6: convert ifacaddr6.aca_refcnt from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
ife.h net: sched: ife: handle malformed tlv length 2018-04-29 11:33:13 +02:00
ila.h
inet6_connection_sock.h
inet6_hashtables.h net: ipv6: add second dif to inet6 socket lookups 2017-08-07 11:39:22 -07:00
inet_common.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
inet_connection_sock.h tcp: ULP infrastructure 2017-06-15 12:12:40 -04:00
inet_ecn.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
inet_frag.h net: IP defrag: encapsulate rbtree defrag code into callable functions 2019-04-27 09:35:40 +02:00
inet_hashtables.h net: ipv4: add second dif to inet socket lookups 2017-08-07 11:39:21 -07:00
inet_sock.h inet: make sure to grab rcu_read_lock before using ireq->ireq_opt 2018-10-18 09:16:21 +02:00
inet_timewait_sock.h soreuseport: initialise timewait reuseport field 2018-05-16 10:10:24 +02:00
inetpeer.h net: ipv4: use a dedicated counter for icmp_v4 redirect packets 2019-02-23 09:06:42 +01:00
ip.h vrf: check accept_source_route on the original netdevice 2019-04-17 08:37:48 +02:00
ip6_checksum.h
ip6_fib.h ipv6: fix the check before getting the cookie in rt6_get_cookie 2019-06-11 12:21:47 +02:00
ip6_route.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ip6_tunnel.h ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL 2019-07-21 09:04:28 +02:00
ip_fib.h net: ipv4: Fix memory leak in network namespace dismantle 2019-01-31 08:13:42 +01:00
ip_tunnels.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ip_vs.h ipvs: fix tinfo memory leak in start_sync_thread 2019-07-31 07:28:29 +02:00
ipcomp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ipconfig.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ipv6.h ipv6: remove dependency of nf_defrag_ipv6 on ipv6 module 2019-04-27 09:35:40 +02:00
ipv6_frag.h ip6: fix skb leak in ip6frag_expire_frag_queue() 2019-09-16 08:20:44 +02:00
ipx.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iw_handler.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
kcm.h
l3mdev.h ipvlan, l3mdev: fix broken l3s mode wrt local routes 2019-02-06 17:31:33 +01:00
lapb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
lib80211.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
llc.h llc: use refcount_inc_not_zero() for llc_sap_find() 2018-08-22 07:46:08 +02:00
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h llc: properly handle dev_queue_xmit() return value 2018-05-30 07:52:20 +02:00
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
lwtunnel.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mac80211.h mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4 2018-05-30 07:51:58 +02:00
mac802154.h
mip6.h
mld.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mpls.h
mpls_iptunnel.h
mrp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ncsi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ndisc.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
neighbour.h neighbour: Avoid writing before skb->head in neigh_hh_output() 2018-12-17 09:28:45 +01:00
net_namespace.h netns: provide pure entropy for net_hash_mix() 2019-04-17 08:37:50 +02:00
net_ratelimit.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netevent.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netlabel.h net: convert netlbl_lsm_cache.refcount from atomic_t to refcount_t 2017-07-01 07:39:09 -07:00
netlink.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netprio_cgroup.h
netrom.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nexthop.h net: fix rtnh_ok() 2018-05-16 10:10:23 +02:00
nl802154.h
nsh.h net: add NSH header structures and helpers 2017-08-29 15:16:52 -07:00
p8022.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ping.h
pkt_cls.h net_sched: introduce tcf_exts_get_net() and tcf_exts_put_net() 2017-11-09 10:03:09 +09:00
pkt_sched.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pptp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
protocol.h IPv4: early demux can return an error code 2017-10-01 03:55:47 +01:00
psample.h net: sched: act_sample: fix psample group handling on overwrite 2019-09-10 10:32:21 +01:00
psnap.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
raw.h net: ipv4: add second dif to raw socket lookups 2017-08-07 11:39:21 -07:00
rawv6.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
red.h net_sched: red: Avoid illegal values 2018-02-25 11:07:59 +01:00
regulatory.h regulatory: add NUL to request alpha2 2018-05-30 07:52:01 +02:00
request_sock.h net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
rose.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
route.h ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu 2018-05-30 07:52:14 +02:00
rtnetlink.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sch_generic.h sch_netem: fix skb leak in netem_enqueue() 2018-03-31 18:10:40 +02:00
scm.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
secure_seq.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
seg6.h ipv6: sr: add support for ip4ip6 encapsulation 2017-08-25 17:10:23 -07:00
seg6_hmac.h
slhc_vj.h slip: Check if rstate is initialized before uncompressing 2018-04-19 08:56:16 +02:00
smc.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
snmp.h
sock.h packets: Always register packet sk in the same order 2019-04-03 06:25:09 +02:00
sock_reuseport.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
strparser.h strparser: Use delayed work instead of timer for msg timeout 2017-10-25 10:37:11 +09:00
switchdev.h net: switchdev: Remove bridge bypass support from switchdev 2017-08-07 14:48:48 -07:00
tcp.h tcp: fix tcp_rtx_queue_tail in case of empty retransmit queue 2019-09-06 10:20:49 +02:00
tcp_states.h
timewait_sock.h
tls.h tls: Fix TLS ulp context leak, when TLS_TX setsockopt is not used. 2018-12-05 19:41:10 +01:00
transp_v6.h udp: fix rx queue len reported by diag and proc interface 2018-06-26 08:06:28 +08:00
tso.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tun_proto.h vxlan: factor out VXLAN-GPE next protocol 2017-08-29 15:16:52 -07:00
udp.h udp: fix rx queue len reported by diag and proc interface 2018-06-26 08:06:28 +08:00
udp_tunnel.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
udplite.h udplite: fix partial checksum initialization 2018-03-08 22:41:10 -08:00
vsock_addr.h
vxlan.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wext.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wimax.h
x25.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
x25device.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm.h xfrm: clean up xfrm protocol checks 2019-09-16 08:20:44 +02:00