From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Felix Kaechele <felix@kaechele.ca>,
	Sven Eckelmann <sven@narfation.org>,
	Simon Wunderlich <sw@simonwunderlich.de>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 01/43] batman-adv: Dont skb_split skbuffs with frag_list
Date: Mon, 16 May 2022 21:36:12 +0200
Message-ID: <20220516193614.760369751@linuxfoundation.org>
In-Reply-To: <20220516193614.714657361@linuxfoundation.org>

From: Sven Eckelmann <sven@narfation.org>

[ Upstream commit a063f2fba3fa633a599253b62561051ac185fa99 ]

The receiving interface might have used GRO to receive more fragments than
MAX_SKB_FRAGS fragments. In this case, these will not be stored in
skb_shinfo(skb)->frags but merged into the frag list.

batman-adv relies on the function skb_split to split packets up into
multiple smaller packets which are not larger than the MTU on the outgoing
interface. But this function cannot handle frag_list entries and is only
operating on skb_shinfo(skb)->frags. If it is still trying to split such an
skb and xmit'ing it on an interface without support for NETIF_F_FRAGLIST,
then validate_xmit_skb() will try to linearize it. But this fails due to
inconsistent information. And __pskb_pull_tail will trigger a BUG_ON after
skb_copy_bits() returns an error.

In case of entries in frag_list, just linearize the skb before operating on
it with skb_split().

Reported-by: Felix Kaechele <felix@kaechele.ca>
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Tested-by: Felix Kaechele <felix@kaechele.ca>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/fragmentation.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index 0da90e73c79b..f33a7f7a1249 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -478,6 +478,17 @@ int batadv_frag_send_packet(struct sk_buff *skb,
 		goto free_skb;
 	}
 
+	/* GRO might have added fragments to the fragment list instead of
+	 * frags[]. But this is not handled by skb_split and must be
+	 * linearized to avoid incorrect length information after all
+	 * batman-adv fragments were created and submitted to the
+	 * hard-interface
+	 */
+	if (skb_has_frag_list(skb) && __skb_linearize(skb)) {
+		ret = -ENOMEM;
+		goto free_skb;
+	}
+
 	/* Create one header to be copied to all fragments */
 	frag_header.packet_type = BATADV_UNICAST_FRAG;
 	frag_header.version = BATADV_COMPAT_VERSION;
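
Review bot: the failure branch at `if (skb_has_frag_list(skb) && __skb_linearize(skb))` discards the return value of `__skb_linearize()` and hard-codes `ret = -ENOMEM`. Assigning the call's result to `ret` and jumping to `free_skb` when it is non-zero would keep the reported error tied to what the helper actually returned, at the cost of nesting the call under the `skb_has_frag_list(skb)` test. The new comment would also be easier to act on if it named the concrete failure the commit message describes (the BUG_ON in `__pskb_pull_tail` once `validate_xmit_skb()` tries to linearize the split skb), since "incorrect length information" alone does not tell a later reader that removing this check can crash the transmit path. Note too that the packet is dropped through `free_skb` with no visible accounting in this hunk, so an allocation failure while linearizing a large GRO-aggregated skb will be hard to spot in the field.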
-- 
2.35.1



