From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Guillaume Nault <gnault@redhat.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 08/54] netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
Date: Thu, 18 Jul 2019 12:01:38 +0900
Message-ID: <20190718030049.783720080@linuxfoundation.org>
In-Reply-To: <20190718030048.392549994@linuxfoundation.org>

[ Upstream commit a0d56cb911ca301de81735f1d73c2aab424654ba ]

With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
after the skb has been added to the fragment queue and
nf_ct_frag6_gather() was adapted to handle this case.

But nf_ct_frag6_queue() can still fail before the fragment has been
queued. nf_ct_frag6_gather() can't handle this case anymore, because it
has no way to know if nf_ct_frag6_queue() queued the fragment before
failing. If it didn't, the skb is lost as the error code is overwritten
with -EINPROGRESS.

Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
that nf_ct_frag6_gather() can propagate the error as is.

Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 1e1fa99b3243..e6114a6710e0 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -292,7 +292,11 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
skb->_skb_refdst = 0UL;
err = nf_ct_frag6_reasm(fq, skb, prev, dev);
skb->_skb_refdst = orefdst;
- return err;
+
+ /* After queue has assumed skb ownership, only 0 or
+ * -EINPROGRESS must be returned.
+ */
+ return err ? -EINPROGRESS : 0;
}
skb_dst_drop(skb);
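
Review bot: the comment added above `return err ? -EINPROGRESS : 0;` states only half of the contract, and it sits at the one return path where the skb is already queued. The other half, that any other negative value means the skb was not queued and still belongs to the caller, is what the fix relies on per the commit message, so it is worth saying explicitly, ideally in a comment at the top of nf_ct_frag6_queue() so that a return path added later is checked against it. Note also that this line discards the actual error from nf_ct_frag6_reasm(), so a reassembly failure becomes indistinguishable from "fragment queued, waiting for more"; if that is intended, one more sentence in the comment would save the next reader from treating it as a bug.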
@@ -480,12 +484,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
ret = 0;
}
- /* after queue has assumed skb ownership, only 0 or -EINPROGRESS
- * must be returned.
- */
- if (ret)
- ret = -EINPROGRESS;
-
spin_unlock_bh(&fq->q.lock);
inet_frag_put(&fq->q);
return ret;
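
Review bot: with the `if (ret) ret = -EINPROGRESS;` override removed, nothing at this site documents what `ret` can be when it reaches `return ret;`, and the ownership rule now lives only in nf_ct_frag6_queue(). A short comment before `spin_unlock_bh(&fq->q.lock);` saying that `ret` is propagated as is (0 or -EINPROGRESS once the queue owns the skb, any other error meaning the skb was never queued) would keep the two functions in sync. It is also worth confirming that every caller of nf_ct_frag6_gather() handles a return value other than 0 and -EINPROGRESS by disposing of the skb, since before this change such values never reached them from this path.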
--
2.20.1