From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Andrei Vagin <avagin@virtuozzo.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 08/28] net: use skb_to_full_sk() in skb_update_prio()
Date: Thu, 29 Mar 2018 20:00:27 +0200 [thread overview]
Message-ID: <20180329175734.474910176@linuxfoundation.org> (raw)
In-Reply-To: <20180329175733.447823703@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 4dcb31d4649df36297296b819437709f5407059c ]
Andrei Vagin reported a KASAN: slab-out-of-bounds error in
skb_update_prio()
Since SYNACK might be attached to a request socket, we need to
get back to the listener socket.
Since this listener is manipulated without locks, add const
qualifiers to sock_cgroup_prioidx() so that the const can also
be used in skb_update_prio()
Also add the const qualifier to sock_cgroup_classid() for consistency.
Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrei Vagin <avagin@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/cgroup-defs.h | 4 ++--
net/core/dev.c | 22 +++++++++++++++-------
2 files changed, 17 insertions(+), 9 deletions(-)
--- a/include/linux/cgroup-defs.h
+++ b/include/linux/cgroup-defs.h
@@ -609,13 +609,13 @@ struct sock_cgroup_data {
* updaters and return part of the previous pointer as the prioidx or
* classid. Such races are short-lived and the result isn't critical.
*/
-static inline u16 sock_cgroup_prioidx(struct sock_cgroup_data *skcd)
+static inline u16 sock_cgroup_prioidx(const struct sock_cgroup_data *skcd)
{
/* fallback to 1 which is always the ID of the root cgroup */
return (skcd->is_data & 1) ? skcd->prioidx : 1;
}
-static inline u32 sock_cgroup_classid(struct sock_cgroup_data *skcd)
+static inline u32 sock_cgroup_classid(const struct sock_cgroup_data *skcd)
{
/* fallback to 0 which is the unconfigured default classid */
return (skcd->is_data & 1) ? skcd->classid : 0;
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3179,15 +3179,23 @@ static inline int __dev_xmit_skb(struct
#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
static void skb_update_prio(struct sk_buff *skb)
{
- struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap);
+ const struct netprio_map *map;
+ const struct sock *sk;
+ unsigned int prioidx;
- if (!skb->priority && skb->sk && map) {
- unsigned int prioidx =
- sock_cgroup_prioidx(&skb->sk->sk_cgrp_data);
+ if (skb->priority)
+ return;
+ map = rcu_dereference_bh(skb->dev->priomap);
+ if (!map)
+ return;
+ sk = skb_to_full_sk(skb);
+ if (!sk)
+ return;
- if (prioidx < map->priomap_len)
- skb->priority = map->priomap[prioidx];
- }
+ prioidx = sock_cgroup_prioidx(&sk->sk_cgrp_data);
+
+ if (prioidx < map->priomap_len)
+ skb->priority = map->priomap[prioidx];
}
#else
#define skb_update_prio(skb)
next prev parent reply other threads:[~2018-03-29 18:00 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-29 18:00 [PATCH 4.9 00/28] 4.9.92-stable review Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 01/28] scsi: sg: dont return bogus Sg_requests Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 02/28] genirq: Track whether the trigger type has been set Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 03/28] net sched actions: return explicit error when tunnel_key mode is not specified Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 04/28] ppp: avoid loop in xmit recursion detection code Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 05/28] rhashtable: Fix rhlist duplicates insertion Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 06/28] sch_netem: fix skb leak in netem_enqueue() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 07/28] ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event() Greg Kroah-Hartman
2018-03-29 18:00 ` Greg Kroah-Hartman [this message]
2018-03-29 18:00 ` [PATCH 4.9 09/28] net: Fix hlist corruptions in inet_evict_bucket() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 10/28] dccp: check sk for closed state in dccp_sendmsg() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 11/28] ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 12/28] l2tp: do not accept arbitrary sockets Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 13/28] net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 14/28] net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 15/28] net: fec: Fix unbalanced PM runtime calls Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 16/28] net/iucv: Free memory obtained by kzalloc Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 17/28] netlink: avoid a double skb free in genlmsg_mcast() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 18/28] net: Only honor ifindex in IP_PKTINFO if non-0 Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 19/28] skbuff: Fix not waking applications when errors are enqueued Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 20/28] team: Fix double free in error path Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 21/28] soc/fsl/qbman: fix issue in qman_delete_cgr_safe() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 22/28] s390/qeth: free netdevice when removing a card Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 23/28] s390/qeth: when thread completes, wake up all waiters Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 24/28] s390/qeth: lock read device while queueing next buffer Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 25/28] s390/qeth: on channel error, reject further cmd requests Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 26/28] net: systemport: Rewrite __bcm_sysport_tx_reclaim() Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 27/28] kcm: lock lower socket in kcm_attach Greg Kroah-Hartman
2018-03-29 18:00 ` [PATCH 4.9 28/28] net: hns: Fix a skb used after free bug Greg Kroah-Hartman
2018-03-29 22:01 ` [PATCH 4.9 00/28] 4.9.92-stable review kernelci.org bot
2018-03-29 22:08 ` Guenter Roeck
2018-03-29 23:11 ` Shuah Khan
2018-03-30 6:21 ` Naresh Kamboju
2018-03-30 9:08 ` Greg Kroah-Hartman
2018-03-30 15:10 ` Naresh Kamboju
2018-03-30 9:00 ` Greg Kroah-Hartman
2018-03-30 15:19 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180329175734.474910176@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=avagin@virtuozzo.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.