* Patch "ipv4: Avoid crashing in ip_error" has been added to the 4.0-stable tree
@ 2015-06-13 17:02 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2015-06-13 17:02 UTC (permalink / raw)
To: ebiederm, davem, edumazet, gregkh, linuxbugs; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
ipv4: Avoid crashing in ip_error
to the 4.0-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ipv4-avoid-crashing-in-ip_error.patch
and it can be found in the queue-4.0 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From foo@baz Sat Jun 13 09:48:35 PDT 2015
From: "Eric W. Biederman" <ebiederm@xmission.com>
Date: Fri, 22 May 2015 04:58:12 -0500
Subject: ipv4: Avoid crashing in ip_error
From: "Eric W. Biederman" <ebiederm@xmission.com>
[ Upstream commit 381c759d9916c42959515ad34a6d467e24a88e93 ]
ip_error does not check if in_dev is NULL before dereferencing it.
IThe following sequence of calls is possible:
CPU A CPU B
ip_rcv_finish
ip_route_input_noref()
ip_route_input_slow()
inetdev_destroy()
dst_input()
With the result that a network device can be destroyed while processing
an input packet.
A crash was triggered with only unicast packets in flight, and
forwarding enabled on the only network device. The error condition
was created by the removal of the network device.
As such it is likely the that error code was -EHOSTUNREACH, and the
action taken by ip_error (if in_dev had been accessible) would have
been to not increment any counters and to have tried and likely failed
to send an icmp error as the network device is going away.
Therefore handle this weird case by just dropping the packet if
!in_dev. It will result in dropping the packet sooner, and will not
result in an actual change of behavior.
Fixes: 251da4130115b ("ipv4: Cache ip_error() routes even when not forwarding.")
Reported-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Tested-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/route.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -903,6 +903,10 @@ static int ip_error(struct sk_buff *skb)
bool send;
int code;
+ /* IP on this device is disabled. */
+ if (!in_dev)
+ goto out;
+
net = dev_net(rt->dst.dev);
if (!IN_DEV_FORWARD(in_dev)) {
switch (rt->dst.error) {
Patches currently in stable-queue which might be from ebiederm@xmission.com are
queue-4.0/ipv4-avoid-crashing-in-ip_error.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2015-06-13 17:02 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-06-13 17:02 Patch "ipv4: Avoid crashing in ip_error" has been added to the 4.0-stable tree gregkh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.