From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Daniel Borkmann <daniel@iogearbox.net>,
Willem de Bruijn <willemb@google.com>,
Yan Zhai <yan@cloudflare.com>, Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.15 19/20] net: fix NULL pointer in skb_segment_list
Date: Fri, 3 Feb 2023 11:13:46 +0100 [thread overview]
Message-ID: <20230203101008.795120228@linuxfoundation.org> (raw)
In-Reply-To: <20230203101007.985835823@linuxfoundation.org>
From: Yan Zhai <yan@cloudflare.com>
commit 876e8ca8366735a604bac86ff7e2732fc9d85d2d upstream.
Commit 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
introduced UDP listifyed GRO. The segmentation relies on frag_list being
untouched when passing through the network stack. This assumption can be
broken sometimes, where frag_list itself gets pulled into linear area,
leaving frag_list being NULL. When this happens it can trigger
following NULL pointer dereference, and panic the kernel. Reverse the
test condition should fix it.
[19185.577801][ C1] BUG: kernel NULL pointer dereference, address:
...
[19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390
...
[19185.834644][ C1] Call Trace:
[19185.841730][ C1] <TASK>
[19185.848563][ C1] __udp_gso_segment+0x33e/0x510
[19185.857370][ C1] inet_gso_segment+0x15b/0x3e0
[19185.866059][ C1] skb_mac_gso_segment+0x97/0x110
[19185.874939][ C1] __skb_gso_segment+0xb2/0x160
[19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0
[19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90
[19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200
[19185.910003][ C1] ip_local_deliver_finish+0x44/0x60
[19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0
[19185.927834][ C1] process_backlog+0x88/0x130
[19185.935840][ C1] __napi_poll+0x27/0x150
[19185.943447][ C1] net_rx_action+0x27e/0x5f0
[19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]
[19185.960848][ C1] __do_softirq+0xbc/0x25d
[19185.968607][ C1] irq_exit_rcu+0x83/0xb0
[19185.976247][ C1] common_interrupt+0x43/0xa0
[19185.984235][ C1] asm_common_interrupt+0x22/0x40
...
[19186.094106][ C1] </TASK>
Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
Suggested-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/Y9gt5EUizK1UImEP@debian
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/skbuff.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3884,7 +3884,7 @@ struct sk_buff *skb_segment_list(struct
skb_shinfo(skb)->frag_list = NULL;
- do {
+ while (list_skb) {
nskb = list_skb;
list_skb = list_skb->next;
@@ -3930,8 +3930,7 @@ struct sk_buff *skb_segment_list(struct
if (skb_needs_linearize(nskb, features) &&
__skb_linearize(nskb))
goto err_linearize;
-
- } while (list_skb);
+ }
skb->truesize = skb->truesize - delta_truesize;
skb->data_len = skb->data_len - delta_len;
next prev parent reply other threads:[~2023-02-03 10:24 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-03 10:13 [PATCH 5.15 00/20] 5.15.92-rc1 review Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 01/20] ARM: dts: imx: Fix pca9547 i2c-mux node name Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 02/20] ARM: dts: vf610: Fix pca9548 i2c-mux node names Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 03/20] arm64: dts: freescale: Fix pca954x " Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 04/20] arm64: dts: imx8mq-thor96: fix no-mmc property for SDHCI Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 05/20] firmware: arm_scmi: Clear stale xfer->hdr.status Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 06/20] bpf: Skip task with pid=1 in send_signal_common() Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 07/20] erofs/zmap.c: Fix incorrect offset calculation Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 08/20] blk-cgroup: fix missing pd_online_fn() while activating policy Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 09/20] HID: playstation: sanity check DualSense calibration data Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 10/20] dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 11/20] cifs: fix return of uninitialized rc in dfs_cache_update_tgthint() Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 12/20] ext4: fix bad checksum after online resize Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 13/20] extcon: usbc-tusb320: fix kernel-doc warning Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 14/20] ACPI: processor idle: Practically limit "Dummy wait" workaround to old Intel systems Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 15/20] Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 16/20] tools: fix ARRAY_SIZE defines in tools and selftests hdrs Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 17/20] selftests/vm: remove ARRAY_SIZE define from individual tests Greg Kroah-Hartman
2023-02-03 10:13 ` [PATCH 5.15 18/20] selftests: Provide local define of __cpuid_count() Greg Kroah-Hartman
2023-02-03 10:13 ` Greg Kroah-Hartman [this message]
2023-02-03 10:13 ` [PATCH 5.15 20/20] net: mctp: purge receive queues on sk destruction Greg Kroah-Hartman
2023-02-03 20:03 ` [PATCH 5.15 00/20] 5.15.92-rc1 review Florian Fainelli
2023-02-04 0:53 ` Shuah Khan
2023-02-04 1:50 ` Guenter Roeck
2023-02-04 2:03 ` Bagas Sanjaya
2023-02-04 8:31 ` Naresh Kamboju
2023-02-04 8:55 ` Ron Economos
2023-02-06 7:12 ` Greg Kroah-Hartman
2023-02-06 8:56 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230203101008.795120228@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel@iogearbox.net \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
--cc=yan@cloudflare.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox