From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Edward Cree <ecree@solarflare.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 46/50] net: use skb_list_del_init() to remove from RX sublists
Date: Fri, 22 Jan 2021 15:12:27 +0100
Message-ID: <20210122135737.063168430@linuxfoundation.org>
In-Reply-To: <20210122135735.176469491@linuxfoundation.org>

From: Edward Cree <ecree@solarflare.com>

[ Upstream commit 22f6bbb7bcfcef0b373b0502a7ff390275c575dd ]

list_del() leaves the skb->next pointer poisoned, which can then lead to
a crash in e.g. OVS forwarding.  For example, setting up an OVS VXLAN
forwarding bridge on sfc as per:

========
$ ovs-vsctl show
5dfd9c47-f04b-4aaa-aa96-4fbb0a522a30
    Bridge "br0"
        Port "br0"
            Interface "br0"
                type: internal
        Port "enp6s0f0"
            Interface "enp6s0f0"
        Port "vxlan0"
            Interface "vxlan0"
                type: vxlan
                options: {key="1", local_ip="10.0.0.5", remote_ip="10.0.0.4"}
    ovs_version: "2.5.0"
========
(where 10.0.0.5 is an address on enp6s0f1)
and sending traffic across it will lead to the following panic:
========
general protection fault: 0000 [#1] SMP PTI
CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.20.0-rc3-ehc+ #701
Hardware name: Dell Inc. PowerEdge R710/0M233H, BIOS 6.4.0 07/23/2013
RIP: 0010:dev_hard_start_xmit+0x38/0x200
Code: 53 48 89 fb 48 83 ec 20 48 85 ff 48 89 54 24 08 48 89 4c 24 18 0f 84 ab 01 00 00 48 8d 86 90 00 00 00 48 89 f5 48 89 44 24 10 <4c> 8b 33 48 c7 03 00 00 00 00 48 8b 05 c7 d1 b3 00 4d 85 f6 0f 95
RSP: 0018:ffff888627b437e0 EFLAGS: 00010202
RAX: 0000000000000000 RBX: dead000000000100 RCX: ffff88862279c000
RDX: ffff888614a342c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888618a88000 R08: 0000000000000001 R09: 00000000000003e8
R10: 0000000000000000 R11: ffff888614a34140 R12: 0000000000000000
R13: 0000000000000062 R14: dead000000000100 R15: ffff888616430000
FS:  0000000000000000(0000) GS:ffff888627b40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6d2bc6d000 CR3: 000000000200a000 CR4: 00000000000006e0
Call Trace:
 <IRQ>
 __dev_queue_xmit+0x623/0x870
 ? masked_flow_lookup+0xf7/0x220 [openvswitch]
 ? ep_poll_callback+0x101/0x310
 do_execute_actions+0xaba/0xaf0 [openvswitch]
 ? __wake_up_common+0x8a/0x150
 ? __wake_up_common_lock+0x87/0xc0
 ? queue_userspace_packet+0x31c/0x5b0 [openvswitch]
 ovs_execute_actions+0x47/0x120 [openvswitch]
 ovs_dp_process_packet+0x7d/0x110 [openvswitch]
 ovs_vport_receive+0x6e/0xd0 [openvswitch]
 ? dst_alloc+0x64/0x90
 ? rt_dst_alloc+0x50/0xd0
 ? ip_route_input_slow+0x19a/0x9a0
 ? __udp_enqueue_schedule_skb+0x198/0x1b0
 ? __udp4_lib_rcv+0x856/0xa30
 ? __udp4_lib_rcv+0x856/0xa30
 ? cpumask_next_and+0x19/0x20
 ? find_busiest_group+0x12d/0xcd0
 netdev_frame_hook+0xce/0x150 [openvswitch]
 __netif_receive_skb_core+0x205/0xae0
 __netif_receive_skb_list_core+0x11e/0x220
 netif_receive_skb_list+0x203/0x460
 ? __efx_rx_packet+0x335/0x5e0 [sfc]
 efx_poll+0x182/0x320 [sfc]
 net_rx_action+0x294/0x3c0
 __do_softirq+0xca/0x297
 irq_exit+0xa6/0xb0
 do_IRQ+0x54/0xd0
 common_interrupt+0xf/0xf
 </IRQ>
========
So, in all listified-receive handling, instead pull skbs off the lists with
skb_list_del_init().

Fixes: 9af86f933894 ("net: core: fix use-after-free in __netif_receive_skb_list_core")
Fixes: 7da517a3bc52 ("net: core: Another step of skb receive list processing")
Fixes: a4ca8b7df73c ("net: ipv4: fix drop handling in ip_list_rcv() and ip_list_rcv_finish()")
Fixes: d8269e2cbf90 ("net: ipv6: listify ipv6_rcv() and ip6_rcv_finish()")
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ for 4.14.y and older, just take the skbuff.h change - gregkh ]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/skbuff.h |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1335,6 +1335,17 @@ static inline void skb_zcopy_abort(struc
 	}
 }
 
+static inline void skb_mark_not_on_list(struct sk_buff *skb)
+{
+	skb->next = NULL;
+}
+
+static inline void skb_list_del_init(struct sk_buff *skb)
+{
+	__list_del_entry(&skb->list);
+	skb_mark_not_on_list(skb);
+}
+
 /**
  *	skb_queue_empty - check if a queue is empty
  *	@list: queue head
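Review bot: the new skb_list_del_init() dereferences `&skb->list`, but nothing in the visible context shows that this tree's `struct sk_buff` has a `list` member; since the stable note above takes only the header change and leaves out the listified-receive callers the upstream commit describes, please confirm that `skb->list` exists in 4.14.y before merging, otherwise this helper cannot compile here and only skb_mark_not_on_list() should be carried. Also, skb_queue_empty() directly below carries a kernel-doc comment while the two added helpers have none; a short one would help, e.g. `/* Unlink @skb from an RX sublist and clear ->next so it reads as not on a list. */`.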



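To make the failure mode concrete, here is an added user-space model (not kernel code and not part of this patch) of the list_del() poisoning the commit message describes: it mirrors the kernel's list.h semantics and the sk_buff layout in which next/prev overlay the list_head, then shows a dev_hard_start_xmit-style walk running into LIST_POISON1 after list_del() and terminating cleanly after skb_list_del_init(). The poison constants are the x86_64 values visible in the panic's RBX/R14; `struct skb` and `walk_chain()` are constructed stand-ins.

```c
#include <stddef.h>
/* x86_64 kernel poison values; the panic's RBX/R14 = dead000000000100 is
 * LIST_POISON1 sitting in skb->next. */
#define LIST_POISON1 ((void *)0xdead000000000100UL)
#define LIST_POISON2 ((void *)0xdead000000000200UL)

struct list_head { struct list_head *next, *prev; };
/* Constructed stand-in for struct sk_buff: next/prev overlay the list_head,
 * which is why list_del()'s poison ends up in skb->next. */
struct skb { union { struct { struct skb *next, *prev; }; struct list_head list; }; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void __list_del_entry(struct list_head *e)
{ e->prev->next = e->next; e->next->prev = e->prev; }
/* Kernel list_del(): unlink, then poison both pointers. */
static void list_del(struct list_head *e)
{ __list_del_entry(e); e->next = LIST_POISON1; e->prev = LIST_POISON2; }
/* The two helpers the patch adds, modelled on the hunk above. */
static void skb_mark_not_on_list(struct skb *skb) { skb->next = NULL; }
static void skb_list_del_init(struct skb *skb)
{ __list_del_entry(&skb->list); skb_mark_not_on_list(skb); }

/* TX-side walk of skb->next until NULL, as dev_hard_start_xmit does.
 * Returns skbs visited, or -1 where the kernel would fault on the poison. */
int walk_chain(struct skb *skb)
{
	int n = 0;
	for (; skb; skb = skb->next) {
		if ((void *)skb == LIST_POISON1) return -1;
		n++;
	}
	return n;
}

/* Pre-fix: list_del() leaves skb->next poisoned, so the walk faults. */
int list_del_poisons_next(void)
{
	struct list_head rx; struct skb a;
	list_init(&rx); list_add_tail(&a.list, &rx); list_del(&a.list);
	return (void *)a.next == LIST_POISON1 && walk_chain(&a) == -1;
}
/* Post-fix: skb_list_del_init() leaves skb->next NULL; the walk terminates. */
int skb_list_del_init_clears_next(void)
{
	struct list_head rx; struct skb a;
	list_init(&rx); list_add_tail(&a.list, &rx); skb_list_del_init(&a);
	return a.next == NULL && walk_chain(&a) == 1;
}
```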
