[PATCH net] ax25: properly unshare skbs in ax25_kiss

linux-hams.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net] ax25: properly unshare skbs in ax25_kiss_rcv()
@ 2025-09-02 12:46 Eric Dumazet
  2025-09-02 12:50 ` Dan Cross
  2025-09-04  0:30 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 4+ messages in thread
From: Eric Dumazet @ 2025-09-02 12:46 UTC (permalink / raw)
  To: David S . Miller, Jakub Kicinski, Paolo Abeni
  Cc: Simon Horman, netdev, eric.dumazet, Eric Dumazet, Bernard Pidoux,
	Joerg Reuter, linux-hams, David Ranch, Dan Cross,
	Folkert van Heusden

Bernard Pidoux reported a regression apparently caused by commit
c353e8983e0d ("net: introduce per netns packet chains").

skb->dev becomes NULL and we crash in __netif_receive_skb_core().

Before above commit, different kind of bugs or corruptions could happen
without a major crash.

But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
without checking if this skb is shared or not.

Many thanks to Bernard Pidoux for his help, diagnosis and tests.

We had a similar issue years ago fixed with commit 7aaed57c5c28
("phonet: properly unshare skbs in phonet_rcv()").

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Bernard Pidoux <f6bvp@free.fr>
Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/
Tested-by: Bernard Pidoux <f6bvp@free.fr>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Joerg Reuter <jreuter@yaina.de>
Cc: linux-hams@vger.kernel.org
Cc: David Ranch <dranch@trinnet.net>
Cc: Dan Cross <crossd@gmail.com>
Cc: Folkert van Heusden <folkert@vanheusden.com>
---
 net/ax25/ax25_in.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
index 1cac25aca637..f2d66af86359 100644
--- a/net/ax25/ax25_in.c
+++ b/net/ax25/ax25_in.c
@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
 int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev,
 		  struct packet_type *ptype, struct net_device *orig_dev)
 {
+	skb = skb_share_check(skb, GFP_ATOMIC);
+	if (!skb)
+		return NET_RX_DROP;
+
 	skb_orphan(skb);
 
 	if (!net_eq(dev_net(dev), &init_net)) {
-- 
2.51.0.318.gd7df087d1a-goog


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH net] ax25: properly unshare skbs in ax25_kiss_rcv()
  2025-09-02 12:46 [PATCH net] ax25: properly unshare skbs in ax25_kiss_rcv() Eric Dumazet
@ 2025-09-02 12:50 ` Dan Cross
  2025-09-02 14:13   ` Eric Dumazet
  2025-09-04  0:30 ` patchwork-bot+netdevbpf
  1 sibling, 1 reply; 4+ messages in thread
From: Dan Cross @ 2025-09-02 12:50 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: David S . Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
	netdev, eric.dumazet, Bernard Pidoux, Joerg Reuter, linux-hams,
	David Ranch, Folkert van Heusden

On Tue, Sep 2, 2025 at 8:46 AM Eric Dumazet <edumazet@google.com> wrote:
> Bernard Pidoux reported a regression apparently caused by commit
> c353e8983e0d ("net: introduce per netns packet chains").
>
> skb->dev becomes NULL and we crash in __netif_receive_skb_core().
>
> Before above commit, different kind of bugs or corruptions could happen
> without a major crash.
>
> But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
> without checking if this skb is shared or not.
>
> Many thanks to Bernard Pidoux for his help, diagnosis and tests.
>
> We had a similar issue years ago fixed with commit 7aaed57c5c28
> ("phonet: properly unshare skbs in phonet_rcv()").

Please mention the analysis done here in the change description:
https://lore.kernel.org/linux-hams/CAEoi9W4FGoEv+2FUKs7zc=XoLuwhhLY8f8t_xQ6MgTJyzQPxXA@mail.gmail.com/#R

Reviewed-by: Dan Cross <crossd@gmail.com>

> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: Bernard Pidoux <f6bvp@free.fr>
> Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/
> Tested-by: Bernard Pidoux <f6bvp@free.fr>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Joerg Reuter <jreuter@yaina.de>
> Cc: linux-hams@vger.kernel.org
> Cc: David Ranch <dranch@trinnet.net>
> Cc: Dan Cross <crossd@gmail.com>
> Cc: Folkert van Heusden <folkert@vanheusden.com>
> ---
>  net/ax25/ax25_in.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
> index 1cac25aca637..f2d66af86359 100644
> --- a/net/ax25/ax25_in.c
> +++ b/net/ax25/ax25_in.c
> @@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
>  int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev,
>                   struct packet_type *ptype, struct net_device *orig_dev)
>  {
> +       skb = skb_share_check(skb, GFP_ATOMIC);
> +       if (!skb)
> +               return NET_RX_DROP;
> +
>         skb_orphan(skb);
>
>         if (!net_eq(dev_net(dev), &init_net)) {
> --
> 2.51.0.318.gd7df087d1a-goog
>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] ax25: properly unshare skbs in ax25_kiss_rcv()
  2025-09-02 12:50 ` Dan Cross
@ 2025-09-02 14:13   ` Eric Dumazet
  0 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2025-09-02 14:13 UTC (permalink / raw)
  To: Dan Cross
  Cc: David S . Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
	netdev, eric.dumazet, Bernard Pidoux, Joerg Reuter, linux-hams,
	David Ranch, Folkert van Heusden

On Tue, Sep 2, 2025 at 5:51 AM Dan Cross <crossd@gmail.com> wrote:
>
> On Tue, Sep 2, 2025 at 8:46 AM Eric Dumazet <edumazet@google.com> wrote:
> > Bernard Pidoux reported a regression apparently caused by commit
> > c353e8983e0d ("net: introduce per netns packet chains").
> >
> > skb->dev becomes NULL and we crash in __netif_receive_skb_core().
> >
> > Before above commit, different kind of bugs or corruptions could happen
> > without a major crash.
> >
> > But the root cause is that ax25_kiss_rcv() can queue/mangle input skb
> > without checking if this skb is shared or not.
> >
> > Many thanks to Bernard Pidoux for his help, diagnosis and tests.
> >
> > We had a similar issue years ago fixed with commit 7aaed57c5c28
> > ("phonet: properly unshare skbs in phonet_rcv()").
>
> Please mention the analysis done here in the change description:
> https://lore.kernel.org/linux-hams/CAEoi9W4FGoEv+2FUKs7zc=XoLuwhhLY8f8t_xQ6MgTJyzQPxXA@mail.gmail.com/#R
>

I was not aware of all the long past discussions.

No need for me to respin this patch, there is the Closes: tag for this purpose.

Whoever wants to find all the details can follow it.

For this changelog, I basically copy/pasted my phonet change,
as it included all the relevant information for this old bug.

Thank you.

> Reviewed-by: Dan Cross <crossd@gmail.com>
>
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Reported-by: Bernard Pidoux <f6bvp@free.fr>
> > Closes: https://lore.kernel.org/netdev/1713f383-c538-4918-bc64-13b3288cd542@free.fr/
> > Tested-by: Bernard Pidoux <f6bvp@free.fr>
> > Signed-off-by: Eric Dumazet <edumazet@google.com>
> > Cc: Joerg Reuter <jreuter@yaina.de>
> > Cc: linux-hams@vger.kernel.org
> > Cc: David Ranch <dranch@trinnet.net>
> > Cc: Dan Cross <crossd@gmail.com>
> > Cc: Folkert van Heusden <folkert@vanheusden.com>
> > ---
> >  net/ax25/ax25_in.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
> > index 1cac25aca637..f2d66af86359 100644
> > --- a/net/ax25/ax25_in.c
> > +++ b/net/ax25/ax25_in.c
> > @@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev,
> >  int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev,
> >                   struct packet_type *ptype, struct net_device *orig_dev)
> >  {
> > +       skb = skb_share_check(skb, GFP_ATOMIC);
> > +       if (!skb)
> > +               return NET_RX_DROP;
> > +
> >         skb_orphan(skb);
> >
> >         if (!net_eq(dev_net(dev), &init_net)) {
> > --
> > 2.51.0.318.gd7df087d1a-goog
> >

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] ax25: properly unshare skbs in ax25_kiss_rcv()
  2025-09-02 12:46 [PATCH net] ax25: properly unshare skbs in ax25_kiss_rcv() Eric Dumazet
  2025-09-02 12:50 ` Dan Cross
@ 2025-09-04  0:30 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-09-04  0:30 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: davem, kuba, pabeni, horms, netdev, eric.dumazet, f6bvp, jreuter,
	linux-hams, dranch, crossd, folkert

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue,  2 Sep 2025 12:46:42 +0000 you wrote:
> Bernard Pidoux reported a regression apparently caused by commit
> c353e8983e0d ("net: introduce per netns packet chains").
> 
> skb->dev becomes NULL and we crash in __netif_receive_skb_core().
> 
> Before above commit, different kind of bugs or corruptions could happen
> without a major crash.
> 
> [...]

Here is the summary with links:
  - [net] ax25: properly unshare skbs in ax25_kiss_rcv()
    https://git.kernel.org/netdev/net/c/8156210d36a4

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-09-04  0:30 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-02 12:46 [PATCH net] ax25: properly unshare skbs in ax25_kiss_rcv() Eric Dumazet
2025-09-02 12:50 ` Dan Cross
2025-09-02 14:13   ` Eric Dumazet
2025-09-04  0:30 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).