From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
"David S. Miller" <davem@davemloft.net>,
"syzbot" <syzkaller@googlegroups.com>,
"Eric Dumazet" <edumazet@google.com>
Subject: [PATCH 3.16 40/87] net-gro: fix use-after-free read in napi_gro_frags()
Date: Wed, 02 Oct 2019 20:06:51 +0100 [thread overview]
Message-ID: <lsq.1570043211.104471262@decadent.org.uk> (raw)
In-Reply-To: <lsq.1570043210.379046399@decadent.org.uk>
3.16.75-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit a4270d6795b0580287453ea55974d948393e66ef upstream.
If a network driver provides to napi_gro_frags() an
skb with a page fragment of exactly 14 bytes, the call
to gro_pull_from_frag0() will 'consume' the fragment
by calling skb_frag_unref(skb, 0), and the page might
be freed and reused.
Reading eth->h_proto at the end of napi_frags_skb() might
read mangled data, or crash under specific debugging features.
BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline]
BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
Read of size 2 at addr ffff88809366840c by task syz-executor599/8957
CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
__kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
kasan_report+0x12/0x20 mm/kasan/common.c:614
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142
napi_frags_skb net/core/dev.c:5833 [inline]
napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991
tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037
call_write_iter include/linux/fs.h:1872 [inline]
do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
do_iter_write fs/read_write.c:970 [inline]
do_iter_write+0x184/0x610 fs/read_write.c:951
vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
do_writev+0x15b/0x330 fs/read_write.c:1058
Fixes: a50e233c50db ("net-gro: restore frag0 optimization")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/core/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4239,7 +4239,6 @@ static struct sk_buff *napi_frags_skb(st
skb_reset_mac_header(skb);
skb_gro_reset_offset(skb);
- eth = skb_gro_header_fast(skb, 0);
if (unlikely(skb_gro_header_hard(skb, hlen))) {
eth = skb_gro_header_slow(skb, hlen, 0);
if (unlikely(!eth)) {
@@ -4247,6 +4246,7 @@ static struct sk_buff *napi_frags_skb(st
return NULL;
}
} else {
+ eth = (const struct ethhdr *)skb->data;
gro_pull_from_frag0(skb, hlen);
NAPI_GRO_CB(skb)->frag0 += hlen;
NAPI_GRO_CB(skb)->frag0_len -= hlen;
next prev parent reply other threads:[~2019-10-02 19:13 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-02 19:06 [PATCH 3.16 00/87] 3.16.75-rc1 review Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 27/87] genwqe: Prevent an integer overflow in the ioctl Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 52/87] ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 61/87] cfg80211: fix memory leak of wiphy device name Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 10/87] drm/gma500/cdv: Check vbt config bits when detecting lvds panels Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 04/87] ASoC: cs42xx8: Add regcache mask dirty Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 80/87] bonding: Always enable vlan tx offload Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 59/87] fs/ocfs2: fix race in ocfs2_dentry_attach_lock() Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 41/87] kernel/signal.c: trace_signal_deliver when signal_group_exit Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 21/87] ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 26/87] gpio: fix gpio-adp5588 build errors Ben Hutchings
2019-10-02 19:06 ` Ben Hutchings [this message]
2019-10-02 19:06 ` [PATCH 3.16 42/87] USB: usb-storage: Add new ID to ums-realtek Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 66/87] perf/core: Fix perf_sample_regs_user() mm check Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 57/87] libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 47/87] net: rds: fix memory leak in rds_ib_flush_mr_pool Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 63/87] btrfs: start readahead also in seed devices Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 82/87] sctp: change to hold sk after auth shkey is created successfully Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 20/87] ipv4/igmp: fix another memory leak in igmpv3_del_delrec() Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 62/87] Btrfs: fix race between readahead and device replace/removal Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 05/87] scsi: bnx2fc: fix incorrect cast to u64 on shift operation Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 75/87] be2net: fix link failure after ethtool offline test Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 58/87] cifs: add spinlock for the openFileList to cifsInodeInfo Ben Hutchings
2019-10-28 22:19 ` Pavel Shilovskiy
2019-10-29 13:15 ` Ben Hutchings
2019-11-19 14:49 ` Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 55/87] KVM: arm64: Filter out invalid core register IDs in KVM_GET_REG_LIST Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 69/87] net: netem: fix backlog accounting for corrupted GSO frames Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 16/87] usb: xhci: avoid null pointer deref when bos field is NULL Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 36/87] usbip: usbip_host: fix stub_dev lock context imbalance regression Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 81/87] bonding: Add vlan tx offload to hw_enc_features Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 48/87] pktgen: do not sleep with the thread lock held Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 03/87] Btrfs: fix race between ranged fsync and writeback of adjacent ranges Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 13/87] tty: max310x: Fix external crystal register setup Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 23/87] Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 67/87] SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 72/87] net/af_iucv: always register net_device notifier Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 44/87] s390/qeth: fix VLAN attribute in bridge_hostnotify udev event Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 12/87] serial: sh-sci: disable DMA for uart_console Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 17/87] net: stmmac: fix reset gpio free missing Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 01/87] net/mlx4_core: Change the error print to info print Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 32/87] configfs: Fix use-after-free when accessing sd->s_dentry Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 70/87] scsi: ufs: Avoid runtime suspend possibly being blocked forever Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 09/87] USB: rio500: fix memory leak in close after disconnect Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 85/87] scsi: target/iblock: Fix overrun in WRITE SAME emulation Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 46/87] parisc: Use implicit space register selection for loading the coherence index of I/O pdirs Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 11/87] USB: serial: pl2303: add Allied Telesis VT-Kit3 Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 76/87] perf/ioctl: Add check for the sample_period value Ben Hutchings
2019-10-02 19:06 ` Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 15/87] powerpc/perf: Fix MMCRA corruption by bhrb_filter Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 38/87] scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 87/87] crypto: user - prevent operating on larval algorithms Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 50/87] can: af_can: Fix error path of can_init() Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 29/87] staging: iio: cdc: Don't put an else right after a return Ben Hutchings
2019-10-02 21:36 ` Joe Perches
2019-10-03 14:47 ` Ben Hutchings
2019-10-03 15:09 ` Joe Perches
2019-10-03 22:06 ` Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 39/87] signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 31/87] i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 35/87] s390/crypto: fix possible sleep during spinlock aquired Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 64/87] be2net: Fix number of Rx queues used for flow hashing Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 68/87] apparmor: enforce nullbyte at end of tag string Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 30/87] staging:iio:ad7150: fix threshold mode config bit Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 22/87] sbitmap: fix improper use of smp_mb__before_atomic() Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 43/87] USB: Fix chipmunk-like voice when using Logitech C270 for recording audio Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 49/87] can: flexcan: fix timeout when set small bitrate Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 06/87] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 78/87] x86/speculation: Allow guests to use SSBD even if host does not Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 71/87] net/af_iucv: remove GFP_DMA restriction for HiperTransport Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 19/87] igmp: add a missing spin_lock_init() Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 73/87] scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 74/87] x86/apic: Fix integer overflow on 10 bit left shift of cpu_khz Ben Hutchings
2019-10-02 19:06 ` Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 24/87] perf/ring_buffer: Fix exposing a temporarily decreased data_head Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 79/87] cpu/speculation: Warn on unsupported mitigations= parameter Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 45/87] hwmon: (pmbus/core) Treat parameters as paged if on multiple pages Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 53/87] ptrace: restore smp_rmb() in __ptrace_may_access() Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 34/87] CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 18/87] igmp: acquire pmc lock for ip_mc_clear_src() Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 25/87] perf/ring_buffer: Add ordering to rb->nest increment Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 02/87] spi: bitbang: Fix NULL pointer dereference in spi_unregister_master Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 37/87] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 28/87] net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE() Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 56/87] bcache: fix stack corruption by PRECEDING_KEY() Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 86/87] lib/mpi: Fix karactx leak in mpi_powm Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 14/87] powerpc/perf: add missing put_cpu_var in power_pmu_event_init Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 77/87] MIPS: Add missing EHB in mtc0 -> mfc0 sequence Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 60/87] coredump: fix race condition between collapse_huge_page() and core dumping Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 84/87] tracing/snapshot: Resize spare buffer if size changed Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 51/87] can: purge socket error queue on sock destruct Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 65/87] neigh: fix use-after-free read in pneigh_get_next Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 08/87] usbip: usbip_host: fix BUG: sleeping function called from invalid context Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 33/87] llc: fix skb leak in llc_build_and_send_ui_pkt() Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 07/87] USB: Add LPM quirk for Surface Dock GigE adapter Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 54/87] i2c: acorn: fix i2c warning Ben Hutchings
2019-10-02 19:06 ` [PATCH 3.16 83/87] ALSA: seq: fix incorrect order of dest_client/dest_ports arguments Ben Hutchings
2019-10-03 12:54 ` [PATCH 3.16 00/87] 3.16.75-rc1 review Guenter Roeck
2019-10-03 22:25 ` Ben Hutchings
2019-10-04 23:09 ` Guenter Roeck
2019-10-05 20:29 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1570043211.104471262@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kda@linux-powerpc.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.