From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Taehee Yoo <ap420073@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 46/54] mld: fix panic in mld_newpack()
Date: Mon, 31 May 2021 15:14:12 +0200 [thread overview]
Message-ID: <20210531130636.513805582@linuxfoundation.org> (raw)
In-Reply-To: <20210531130635.070310929@linuxfoundation.org>
From: Taehee Yoo <ap420073@gmail.com>
[ Upstream commit 020ef930b826d21c5446fdc9db80fd72a791bc21 ]
mld_newpack() doesn't allow to allocate high order page,
only order-0 allocation is allowed.
If headroom size is too large, a kernel panic could occur in skb_put().
Test commands:
ip netns del A
ip netns del B
ip netns add A
ip netns add B
ip link add veth0 type veth peer name veth1
ip link set veth0 netns A
ip link set veth1 netns B
ip netns exec A ip link set lo up
ip netns exec A ip link set veth0 up
ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0
ip netns exec B ip link set lo up
ip netns exec B ip link set veth1 up
ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1
for i in {1..99}
do
let A=$i-1
ip netns exec A ip link add ip6gre$i type ip6gre \
local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100
ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i
ip netns exec A ip link set ip6gre$i up
ip netns exec B ip link add ip6gre$i type ip6gre \
local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100
ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i
ip netns exec B ip link set ip6gre$i up
done
Splat looks like:
kernel BUG at net/core/skbuff.c:110!
invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:skb_panic+0x15d/0x15f
Code: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83
41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89
34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20
RSP: 0018:ffff88810091f820 EFLAGS: 00010282
RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000
RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb
RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031
R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028
R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0
FS: 0000000000000000(0000) GS:ffff888117c00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
skb_put.cold.104+0x22/0x22
ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
? rcu_read_lock_sched_held+0x91/0xc0
mld_newpack+0x398/0x8f0
? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600
? lock_contended+0xc40/0xc40
add_grhead.isra.33+0x280/0x380
add_grec+0x5ca/0xff0
? mld_sendpack+0xf40/0xf40
? lock_downgrade+0x690/0x690
mld_send_initial_cr.part.34+0xb9/0x180
ipv6_mc_dad_complete+0x15d/0x1b0
addrconf_dad_completed+0x8d2/0xbb0
? lock_downgrade+0x690/0x690
? addrconf_rs_timer+0x660/0x660
? addrconf_dad_work+0x73c/0x10e0
addrconf_dad_work+0x73c/0x10e0
Allowing high order page allocation could fix this problem.
Fixes: 72e09ad107e7 ("ipv6: avoid high order allocations")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/mcast.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 2d28f0b54494..636425999aac 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1573,10 +1573,7 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu)
IPV6_TLV_PADN, 0 };
/* we assume size > sizeof(ra) here */
- /* limit our allocations to order-0 page */
- size = min_t(int, size, SKB_MAX_ORDER(0, 0));
skb = sock_alloc_send_skb(sk, size, 1, &err);
-
if (!skb)
return NULL;
--
2.30.2
next prev parent reply other threads:[~2021-05-31 13:22 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-31 13:13 [PATCH 4.4 00/54] 4.4.271-rc1 review Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 01/54] mm, vmstat: drop zone->lock in /proc/pagetypeinfo Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 02/54] netfilter: x_tables: Use correct memory barriers Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 03/54] NFC: nci: fix memory leak in nci_allocate_device Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 04/54] proc: Check /proc/$pid/attr/ writes against file opener Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 05/54] net: hso: fix control-request directions Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 06/54] mac80211: assure all fragments are encrypted Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 07/54] mac80211: prevent mixed key and fragment cache attacks Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 08/54] dm snapshot: properly fix a crash when an origin has no snapshots Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 09/54] kgdb: fix gcc-11 warnings harder Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 10/54] misc/uss720: fix memory leak in uss720_probe Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 11/54] mei: request autosuspend after sending rx flow control Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 12/54] staging: iio: cdc: ad7746: avoid overwrite of num_channels Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 13/54] iio: adc: ad7793: Add missing error code in ad7793_setup() Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 14/54] USB: trancevibrator: fix control-request direction Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 15/54] serial: rp2: use request_firmware instead of request_firmware_nowait Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 16/54] USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011 Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 17/54] USB: serial: ftdi_sio: add IDs for IDS GmbH Products Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 18/54] USB: serial: pl2303: add device id for ADLINK ND-6530 GC Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 19/54] net: usb: fix memory leak in smsc75xx_bind Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 20/54] spi: Fix use-after-free with devm_spi_alloc_* Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 21/54] spi: spi-sh: Fix use-after-free on unbind Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 22/54] Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 23/54] NFS: fix an incorrect limit in filelayout_decode_layout() Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 24/54] NFS: Dont corrupt the value of pg_bytes_written in nfs_do_recoalesce() Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 25/54] NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 26/54] net/mlx4: Fix EEPROM dump support Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 27/54] Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv" Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 28/54] tipc: skb_linearize the head skb when reassembling msgs Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 29/54] i2c: s3c2410: fix possible NULL pointer deref on read message after write Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 30/54] i2c: i801: Dont generate an interrupt on bus reset Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 31/54] platform/x86: hp_accel: Avoid invoking _INI to speed up resume Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 32/54] net: fujitsu: fix potential null-ptr-deref Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 33/54] net: caif: remove BUG_ON(dev == NULL) in caif_xmit Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 34/54] char: hpet: add checks after calling ioremap Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 35/54] ALSA: sb8: Add a comment note regarding an unused pointer Greg Kroah-Hartman
2021-05-31 20:36 ` Pavel Machek
2021-05-31 21:43 ` Sasha Levin
2021-05-31 13:14 ` [PATCH 4.4 36/54] isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 37/54] libertas: register sysfs groups properly Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 38/54] media: dvb: Add check on sp8870_readreg return Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 39/54] media: gspca: properly check for errors in po1030_probe() Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 40/54] scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 41/54] openrisc: Define memory barrier mb Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 42/54] btrfs: do not BUG_ON in link_to_fixup_dir Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 43/54] drm/amdgpu: Fix a use-after-free Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 44/54] net: netcp: Fix an error message Greg Kroah-Hartman
2021-05-31 18:41 ` Marion & Christophe JAILLET
2021-05-31 13:14 ` [PATCH 4.4 45/54] net: bnx2: Fix error return code in bnx2_init_board() Greg Kroah-Hartman
2021-05-31 13:14 ` Greg Kroah-Hartman [this message]
2021-05-31 13:14 ` [PATCH 4.4 47/54] staging: emxx_udc: fix loop in _nbu2ss_nuke() Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 48/54] scsi: libsas: Use _safe() loop in sas_resume_port() Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 49/54] sch_dsmark: fix a NULL deref in qdisc_reset() Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 50/54] MIPS: alchemy: xxs1500: add gpio-au1000.h header file Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 51/54] MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 52/54] hugetlbfs: hugetlb_fault_mutex_hash() cleanup Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 53/54] bluetooth: eliminate the potential race condition when removing the HCI controller Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 54/54] usb: core: reduce power-on-good delay time of root hub Greg Kroah-Hartman
2021-05-31 19:07 ` [PATCH 4.4 00/54] 4.4.271-rc1 review Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210531130636.513805582@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ap420073@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.