linux-stable/net
Jiri Benc 598d9e3092 net: gso: fix panic on frag_list with mixed head alloc types
[ Upstream commit 9e4b7a99a0 ]

Since commit 3dcbdb134f ("net: gso: Fix skb_segment splat when
splitting gso_size mangled skb having linear-headed frag_list"), it is
allowed to change gso_size of a GRO packet. However, that commit assumes
that "checking the first list_skb member suffices; i.e if either of the
list_skb members have non head_frag head, then the first one has too".

It turns out this assumption does not hold. We've seen BUG_ON being hit
in skb_segment when skbs on the frag_list had differing head_frag with
the vmxnet3 driver. This happens because __netdev_alloc_skb and
__napi_alloc_skb can return a skb that is page backed or kmalloced
depending on the requested size. As a result, the last small skb in
the GRO packet can be kmalloced.

There are three different locations where this can be fixed:

(1) We could check head_frag in GRO and not allow GROing skbs with
    different head_frag. However, that would lead to performance
    regression on normal forward paths with unmodified gso_size, where
    !head_frag in the last packet is not a problem.

(2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating
    that NETIF_F_SG is undesirable. That would need to eat a bit in
    sk_buff. Furthermore, that flag can be unset when all skbs on the
    frag_list are page backed. To retain good performance,
    bpf_skb_net_grow/shrink would have to walk the frag_list.

(3) Walk the frag_list in skb_segment when determining whether
    NETIF_F_SG should be cleared. This of course slows things down.

This patch implements (3). To limit the performance impact in
skb_segment, the list is walked only for skbs with SKB_GSO_DODGY set
that have gso_size changed. Normal paths thus will not hit it.

We could check only the last skb but since we need to walk the whole
list anyway, let's stay on the safe side.

Fixes: 3dcbdb134f ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list")
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/e04426a6a91baf4d1081e1b478c82b5de25fdf21.1667407944.git.jbenc@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-11-16 10:03:53 +01:00
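The difference between the first-skb-only check the commit message says the earlier fix relied on and the full frag_list walk this patch adds, as an added example written for this page (it is not the kernel's skb_segment code). It models only the fields the decision needs: a head_frag flag per list skb, the SKB_GSO_DODGY bit, and a boolean standing in for "gso_size was changed" (the kernel derives that from the skb; here it is an assumed flag). The scenario mirrors the vmxnet3 case described above: page-backed skbs followed by one small kmalloced skb at the tail.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the sk_buff fields the check depends on. */
struct mskb {
    bool head_frag;        /* true: head is page backed, false: kmalloced */
    struct mskb *next;     /* next skb on the frag_list */
};

/* Model of the GRO head skb (assumed shape, not the kernel struct). */
struct gso_head {
    bool gso_dodgy;           /* SKB_GSO_DODGY set */
    bool gso_size_changed;    /* gso_size differs from the original MSS */
    struct mskb *frag_list;   /* per-segment skbs */
};

#define F_SG 0x1u   /* stand-in for NETIF_F_SG */

/* Old behaviour: decide from the first frag_list member only. */
unsigned int old_features(const struct gso_head *h, unsigned int features)
{
    if (h->gso_dodgy && h->gso_size_changed && h->frag_list &&
        !h->frag_list->head_frag)
        features &= ~F_SG;
    return features;
}

/* Fixed behaviour: walk the whole list, but only on the DODGY +
 * changed-gso_size path, so normal forwarding never pays for the walk. */
unsigned int new_features(const struct gso_head *h, unsigned int features)
{
    const struct mskb *it;

    if (!(h->gso_dodgy && h->gso_size_changed))
        return features;
    for (it = h->frag_list; it; it = it->next) {
        if (!it->head_frag) {
            features &= ~F_SG;
            break;
        }
    }
    return features;
}

/* Invariant the commit message describes: segmenting with SG and a
 * changed gso_size requires every list skb to be page backed.
 * Returns true when the chosen features would trip that invariant. */
bool would_splat(const struct gso_head *h, unsigned int features)
{
    const struct mskb *it;

    if (!(features & F_SG) || !h->gso_size_changed)
        return false;
    for (it = h->frag_list; it; it = it->next)
        if (!it->head_frag)
            return true;
    return false;
}

/* Constructed scenario: two page-backed skbs, then a small kmalloced one,
 * gso_size mangled by BPF. Returns 1 if the chosen policy would splat. */
int scenario_mixed_tail(bool use_fixed)
{
    struct mskb s3 = { .head_frag = false, .next = NULL };
    struct mskb s2 = { .head_frag = true,  .next = &s3 };
    struct mskb s1 = { .head_frag = true,  .next = &s2 };
    struct gso_head h = { .gso_dodgy = true, .gso_size_changed = true,
                          .frag_list = &s1 };
    unsigned int f = use_fixed ? new_features(&h, F_SG)
                               : old_features(&h, F_SG);
    return would_splat(&h, f) ? 1 : 0;
}

/* Constructed scenario: same list, but gso_size untouched (plain forward
 * path). Returns 1 if SG is kept and nothing would splat. */
int scenario_unchanged_gso(void)
{
    struct mskb s2 = { .head_frag = false, .next = NULL };
    struct mskb s1 = { .head_frag = true,  .next = &s2 };
    struct gso_head h = { .gso_dodgy = true, .gso_size_changed = false,
                          .frag_list = &s1 };
    unsigned int f = new_features(&h, F_SG);
    return ((f & F_SG) && !would_splat(&h, f)) ? 1 : 0;
}

int main(void)
{
    printf("old policy, mixed tail: splat=%d\n", scenario_mixed_tail(false));
    printf("new policy, mixed tail: splat=%d\n", scenario_mixed_tail(true));
    printf("unchanged gso_size keeps SG: %d\n", scenario_unchanged_gso());
    return 0;
}
```

The walk breaks at the first kmalloced skb, so in the common all-page-backed case the cost is one pass over the list, and only when SKB_GSO_DODGY and a changed gso_size are both present; that is the trade-off the message calls option (3).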
6lowpan
9p iov_iter stuff, part 2, rebased 2022-08-08 20:04:35 -07:00
802
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-07-14 15:27:35 -07:00
appletalk
atm net/atm: fix proc_mpc_write incorrect return value 2022-10-29 10:08:32 +02:00
ax25 net: avoid overflow when rose /proc displays timer information. 2022-08-05 19:00:02 -07:00
batman-adv batman-adv: Fix hang up with small MTU hard-interface 2022-08-20 14:17:45 +02:00
bluetooth Bluetooth: L2CAP: Fix attempting to access uninitialized memory 2022-11-10 18:17:30 +01:00
bpf bpf: Allow calling bpf_prog_test kfuncs in tracing programs 2022-08-09 18:46:11 -07:00
bpfilter
bridge bridge: Fix flushing of dynamic FDB entries 2022-11-10 18:17:22 +01:00
caif caif: Fix bitmap data type in "struct caifsock" 2022-07-22 12:51:45 +01:00
can can: j1939: transport: j1939_session_skb_drop_old(): spin_unlock_irqrestore() before kfree_skb() 2022-11-04 00:00:17 +09:00
ceph libceph: clean up ceph_osdc_start_request prototype 2022-08-03 14:05:39 +02:00
core net: gso: fix panic on frag_list with mixed head alloc types 2022-11-16 10:03:53 +01:00
dcb
dccp dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock 2022-08-01 12:11:56 -07:00
decnet dn_route: replace "jiffies-now>0" with "jiffies!=now" 2022-07-29 20:12:49 -07:00
dns_resolver
dsa net: dsa: fall back to default tagger if we can't load the one from DT 2022-11-10 18:17:16 +01:00
ethernet
ethtool ethtool: eeprom: fix null-deref on genl_info in dump 2022-11-04 00:00:24 +09:00
hsr net: hsr: avoid possible NULL deref in skb_clone() 2022-10-29 10:08:34 +02:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-11-04 00:00:25 +09:00
ife
ipv4 bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues 2022-11-16 10:03:51 +01:00
ipv6 ipv6: fix WARNING in ip6_route_net_exit_late() 2022-11-10 18:17:22 +01:00
iucv
kcm kcm: do not sense pfmemalloc status in kcm_sendpage() 2022-11-04 00:00:34 +09:00
key Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-08-24 12:51:50 +01:00
l2tp l2tp: l2tp_debugfs: fix Clang -Wformat warnings 2022-07-08 12:14:36 +01:00
l3mdev
lapb
llc
mac80211 wifi: mac80211: Set TWT Information Frame Disabled bit as 1 2022-11-16 10:03:51 +01:00
mac802154 mac802154: Fix LQI recording 2022-11-04 00:00:21 +09:00
mctp mctp: prevent double key removal and unref 2022-10-15 08:02:58 +02:00
mpls net: Use u64_stats_fetch_begin_irq() for stats fetch. 2022-08-29 13:02:27 +01:00
mptcp mptcp: set msk local address earlier 2022-11-04 00:00:31 +09:00
ncsi
netfilter netfilter: ipset: enforce documented limit to prevent allocating huge memory 2022-11-10 18:17:20 +01:00
netlabel netlabel: fix typo in comment 2022-08-10 09:24:41 +01:00
netlink net: genl: fix error path memory leak in policy dumping 2022-08-18 10:20:48 -07:00
netrom
nfc
nsh
openvswitch openvswitch: switch from WARN to pr_warn 2022-11-04 00:00:33 +09:00
packet net/af_packet: check len when min_header_len equals to 0 2022-07-29 12:09:27 +01:00
phonet
psample
qrtr net: qrtr: start MHI channel after endpoit creation 2022-08-15 11:21:42 +01:00
rds net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks() 2022-10-21 12:38:20 +02:00
rfkill
rose rose: Fix NULL pointer dereference in rose_send_frame() 2022-11-10 18:17:19 +01:00
rxrpc rxrpc: Remove rxrpc_get_reply_time() which is no longer used 2022-09-01 11:44:13 +01:00
sched net: sched: Fix use after free in red_enqueue() 2022-11-10 18:17:17 +01:00
sctp sctp: handle the error returned from sctp_auth_asoc_init_active_key 2022-10-21 12:38:19 +02:00
smc net/smc: Fix possible leaked pernet namespace in smc_init() 2022-11-10 18:17:22 +01:00
strparser strparser: pad sk_skb_cb to avoid straddling cachelines 2022-07-08 18:38:44 -07:00
sunrpc SUNRPC: Fix null-ptr-deref when xps sysfs alloc failed 2022-11-10 18:17:15 +01:00
switchdev
tipc tipc: fix a null-ptr-deref in tipc_topsrv_accept 2022-11-04 00:00:29 +09:00
tls tls: strp: make sure the TCP skbs do not have overlapping data 2022-10-29 10:08:32 +02:00
unix net: remove SOCK_SUPPORT_ZC from sockmap 2022-11-10 18:17:35 +01:00
vmw_vsock vsock: fix possible infinite sleep in vsock_connectible_wait_data() 2022-11-10 18:17:22 +01:00
wireless wifi: cfg80211: fix memory leak in query_regdb_file() 2022-11-16 10:03:50 +01:00
x25 net/x25: fix call timeouts in blocking connects 2022-08-08 20:48:51 -07:00
xdp xsk: Fix backpressure mechanism on Tx 2022-10-21 12:38:05 +02:00
xfrm xfrm: Update ipcomp_scratches with NULL when freed 2022-10-21 12:39:07 +02:00
compat.c net: clear msg_get_inq in __get_compat_msghdr() 2022-09-20 08:23:20 -07:00
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c net: Fix a data-race around sysctl_somaxconn. 2022-08-24 13:46:58 +01:00
sysctl_net.c