iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Yan Zhai 6446369fb9 net: fix NULL pointer in skb_segment_list 
commit 876e8ca8366735a604bac86ff7e2732fc9d85d2d upstream.

Commit 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
introduced UDP listifyed GRO. The segmentation relies on frag_list being
untouched when passing through the network stack. This assumption can be
broken sometimes, where frag_list itself gets pulled into linear area,
leaving frag_list being NULL. When this happens it can trigger
following NULL pointer dereference, and panic the kernel. Reverse the
test condition should fix it.

[19185.577801][    C1] BUG: kernel NULL pointer dereference, address:
...
[19185.663775][    C1] RIP: 0010:skb_segment_list+0x1cc/0x390
...
[19185.834644][    C1] Call Trace:
[19185.841730][    C1]  <TASK>
[19185.848563][    C1]  __udp_gso_segment+0x33e/0x510
[19185.857370][    C1]  inet_gso_segment+0x15b/0x3e0
[19185.866059][    C1]  skb_mac_gso_segment+0x97/0x110
[19185.874939][    C1]  __skb_gso_segment+0xb2/0x160
[19185.883646][    C1]  udp_queue_rcv_skb+0xc3/0x1d0
[19185.892319][    C1]  udp_unicast_rcv_skb+0x75/0x90
[19185.900979][    C1]  ip_protocol_deliver_rcu+0xd2/0x200
[19185.910003][    C1]  ip_local_deliver_finish+0x44/0x60
[19185.918757][    C1]  __netif_receive_skb_one_core+0x8b/0xa0
[19185.927834][    C1]  process_backlog+0x88/0x130
[19185.935840][    C1]  __napi_poll+0x27/0x150
[19185.943447][    C1]  net_rx_action+0x27e/0x5f0
[19185.951331][    C1]  ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]
[19185.960848][    C1]  __do_softirq+0xbc/0x25d
[19185.968607][    C1]  irq_exit_rcu+0x83/0xb0
[19185.976247][    C1]  common_interrupt+0x43/0xa0
[19185.984235][    C1]  asm_common_interrupt+0x22/0x40
...
[19186.094106][    C1]  </TASK>

Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/Y9gt5EUizK1UImEP@debian
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-02-06 07:56:16 +01:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
9p/xen: check logical size for buffer size
2022-12-14 11:31:54 +01:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-14 10:16:18 +01:00
8021q
net: make free_netdev() more lenient with unregistering devices
2022-07-29 17:19:07 +02:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 15:00:08 +02:00
atm
net/atm: fix proc_mpc_write incorrect return value
2022-10-30 09:41:16 +01:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:13:17 +02:00
batman-adv
batman-adv: Don't skb_split skbuffs with frag_list
2022-05-18 10:23:42 +02:00
bluetooth
Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt
2023-02-06 07:56:16 +01:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-14 10:15:31 +01:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
bridge: switchdev: Fix memory leaks when changing VLAN protocol
2022-12-02 17:39:57 +01:00
caif
caif: fix memory leak in cfctrl_linkup_request()
2023-01-14 10:16:48 +01:00
can
can: af_can: fix NULL pointer dereference in can_rcv_filter
2022-12-14 11:31:59 +01:00
ceph
libceph: fix potential use-after-free on linger ping and resends
2022-05-25 09:17:56 +02:00
core
net: fix NULL pointer in skb_segment_list
2023-02-06 07:56:16 +01:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:09:37 +01:00
dccp
dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
2022-12-02 17:40:01 +01:00
decnet
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-31 17:15:19 +02:00
dns_resolver
dsa
net: dsa: ksz: Check return value
2022-12-14 11:32:01 +01:00
ethernet
ethtool
net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
2023-01-24 07:19:55 +01:00
hsr
hsr: Synchronize sequence number updates.
2023-01-14 10:15:37 +01:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:57:51 +09:00
ife
ipv4
ipv4: prevent potential spectre v1 gadget in fib_metrics_match()
2023-02-01 08:23:25 +01:00
ipv6
ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
2023-01-18 11:44:55 +01:00
iucv
net/af_iucv: remove WARN_ONCE on malformed RX packets
2021-03-07 12:34:05 +01:00
kcm
kcm: close race conditions on sk_receive_queue
2022-11-25 17:45:56 +01:00
key
af_key: Fix send_acquire race with pfkey_register
2022-12-02 17:39:58 +01:00
l2tp
l2tp: prevent lockdep issue in l2tp_tunnel_register()
2023-02-01 08:23:14 +01:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:53:50 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:29:14 +01:00
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 09:57:10 +02:00
mac80211
Revert "wifi: mac80211: fix memory leak in ieee80211_if_add()"
2023-01-24 07:20:01 +01:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:32:01 +01:00
mpls
net: Use u64_stats_fetch_begin_irq() for stats fetch.
2022-09-08 11:11:40 +02:00
mptcp
mptcp: use proper req destructor for IPv6
2023-01-14 10:16:52 +01:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:40:32 +01:00
netfilter
netfilter: conntrack: unify established states for SCTP paths
2023-02-01 08:23:27 +01:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 21:01:00 +02:00
netlink
netlink: annotate data races around sk_state
2023-02-01 08:23:24 +01:00
netrom
netrom: Fix use-after-free of a listening socket.
2023-02-01 08:23:25 +01:00
nfc
net: nfc: Fix use-after-free in local_cleanup()
2023-02-01 08:23:12 +01:00
nsh
openvswitch
openvswitch: Fix flow lookup to use unmasked key
2023-01-14 10:16:12 +01:00
packet
net/af_packet: make sure to pull mac header
2023-01-14 10:16:29 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
net: psample: Fix netlink skb length with tunnel info
2021-03-07 12:34:07 +01:00
qrtr
qrtr: Convert qrtr_ports from IDR to XArray
2022-08-25 11:38:23 +02:00
rds
net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
2022-10-26 13:25:23 +02:00
rfkill
rfkill: Fix use-after-free in rfkill_resume()
2020-11-12 09:18:06 +01:00
rose
rose: Fix NULL pointer dereference in rose_send_frame()
2022-11-10 18:14:19 +01:00
rxrpc
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
2023-01-14 10:16:12 +01:00
sched
net/sched: sch_taprio: do not schedule in taprio_reset()
2023-02-01 08:23:25 +01:00
sctp
sctp: fail if no bound addresses can be used for a given scope
2023-02-01 08:23:25 +01:00
smc
net/smc: Stop the CLC flow if no link to map buffers on
2022-09-28 11:10:36 +02:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
SUNRPC: ensure the matching upcall is in-flight upon downcall
2023-01-14 10:16:44 +01:00
switchdev
net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
2021-02-07 15:37:12 +01:00
tipc
tipc: fix unexpected link reset due to discovery messages
2023-01-18 11:44:58 +01:00
tls
net/tls: Remove the context from the list in tls_device_down
2022-08-03 12:00:46 +02:00
unix
af_unix: Get user_ns from in_skb in unix_diag_get_exact().
2022-12-14 11:32:01 +01:00
vmw_vsock
net: vmw_vsock: vmci: Check memcpy_from_msg()
2023-01-14 10:15:42 +01:00
wimax
wireless
wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails
2023-01-14 10:15:36 +01:00
x25
net/x25: Fix skb leak in x25_lapb_receive_frame()
2022-11-25 17:45:47 +01:00
xdp
xsk: Inherit need_wakeup flag for shared sockets
2022-10-15 07:55:51 +02:00
xfrm
xfrm: fix rcu lock in xfrm_notify_userpolicy()
2023-01-18 11:44:57 +01:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
Kconfig
Makefile
socket.c
net: remove cmsg restriction from io_uring based send/recvmsg calls
2023-01-04 11:39:24 +01:00
sysctl_net.c