Re: [PATCH 5.15.y 4/6] net: fix crash when config small gso_max_size/gso_ipv4_max_size

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org
Cc: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>,
	Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 5.15.y 4/6] net: fix crash when config small gso_max_size/gso_ipv4_max_size
Date: Tue, 15 Apr 2025 17:43:11 -0400	[thread overview]
Message-ID: <20250415124015-bfc23e13b0e7cdb2@stable.kernel.org> (raw)
In-Reply-To: <20250414185023.2165422-5-harshit.m.mogalapalli@oracle.com>

[ Sasha's backport helper bot ]

Hi,

✅ All tests passed successfully. No issues detected.
No action required from the submitter.

The upstream commit SHA1 provided is correct: 9ab5cf19fb0e4680f95e506d6c544259bf1111c4

WARNING: Author mismatch between patch and upstream commit:
Backport author: Harshit Mogalapalli<harshit.m.mogalapalli@oracle.com>
Commit author: Wang Liang<wangliang74@huawei.com>

Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: ac5977001eee)
6.1.y | Present (different SHA1: e9365368b483)

Note: The patch differs from the upstream commit:
---
1:  9ab5cf19fb0e4 ! 1:  92a2aab3e8a99 net: fix crash when config small gso_max_size/gso_ipv4_max_size
    @@ Metadata
      ## Commit message ##
         net: fix crash when config small gso_max_size/gso_ipv4_max_size
     
    +    [ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ]
    +
         Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow
         in sk_dst_gso_max_size(), which may trigger a BUG_ON crash,
         because sk->sk_gso_max_size would be much bigger than device limits.
    @@ Commit message
         Reviewed-by: Eric Dumazet <edumazet@google.com>
         Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com
         Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    +    [ Resolve minor conflicts to fix CVE-2024-50258 ]
    +    Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
    +    Signed-off-by: Sasha Levin <sashal@kernel.org>
    +    [Harshit: Clean cherrypick from 6.1.y commit]
    +    Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
     
      ## net/core/rtnetlink.c ##
     @@ net/core/rtnetlink.c: static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
    @@ net/core/rtnetlink.c: static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
      	[IFLA_PHYS_PORT_ID]	= { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
      	[IFLA_CARRIER_CHANGES]	= { .type = NLA_U32 },  /* ignored */
      	[IFLA_PHYS_SWITCH_ID]	= { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN },
    -@@ net/core/rtnetlink.c: static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
    - 	[IFLA_TSO_MAX_SIZE]	= { .type = NLA_REJECT },
    - 	[IFLA_TSO_MAX_SEGS]	= { .type = NLA_REJECT },
    - 	[IFLA_ALLMULTI]		= { .type = NLA_REJECT },
    --	[IFLA_GSO_IPV4_MAX_SIZE]	= { .type = NLA_U32 },
    -+	[IFLA_GSO_IPV4_MAX_SIZE]	= NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1),
    - 	[IFLA_GRO_IPV4_MAX_SIZE]	= { .type = NLA_U32 },
    - };
    - 
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        |  Success    |  Success   |

next prev parent reply	other threads:[~2025-04-15 21:43 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-14 18:50 [PATCH 5.15.y 0/6] Few missing CVE fixes Harshit Mogalapalli
2025-04-14 18:50 ` [PATCH 5.15.y 1/6] net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Harshit Mogalapalli
2025-04-15 21:43   ` Sasha Levin
2025-04-14 18:50 ` [PATCH 5.15.y 2/6] bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq Harshit Mogalapalli
2025-04-15 21:43   ` Sasha Levin
2025-04-14 18:50 ` [PATCH 5.15.y 3/6] phonet/pep: fix racy skb_queue_empty() use Harshit Mogalapalli
2025-04-15 21:43   ` Sasha Levin
2025-04-14 18:50 ` [PATCH 5.15.y 4/6] net: fix crash when config small gso_max_size/gso_ipv4_max_size Harshit Mogalapalli
2025-04-15 21:43   ` Sasha Levin [this message]
2025-04-14 18:50 ` [PATCH 5.15.y 5/6] filemap: Fix bounds checking in filemap_read() Harshit Mogalapalli
2025-04-15 21:43   ` Sasha Levin
2025-04-14 18:50 ` [PATCH 5.15.y 6/6] ipv6: release nexthop on device removal Harshit Mogalapalli
2025-04-15 21:44   ` Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250415124015-bfc23e13b0e7cdb2@stable.kernel.org \
    --to=sashal@kernel.org \
    --cc=harshit.m.mogalapalli@oracle.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.