From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Willem de Bruijn <willemb@google.com>,
Jason Wang <jasowang@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 6.6 43/91] net: tighten bad gso csum offset check in virtio_net_hdr
Date: Mon, 16 Sep 2024 13:44:19 +0200 [thread overview]
Message-ID: <20240916114225.923827191@linuxfoundation.org> (raw)
In-Reply-To: <20240916114224.509743970@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
commit 6513eb3d3191574b58859ef2d6dc26c0277c6f81 upstream.
The referenced commit drops bad input, but has false positives.
Tighten the check to avoid these.
The check detects illegal checksum offload requests, which produce
csum_start/csum_off beyond end of packet after segmentation.
But it is based on two incorrect assumptions:
1. virtio_net_hdr_to_skb with VIRTIO_NET_HDR_GSO_TCP[46] implies GSO.
True in callers that inject into the tx path, such as tap.
But false in callers that inject into rx, like virtio-net.
Here, the flags indicate GRO, and CHECKSUM_UNNECESSARY or
CHECKSUM_NONE without VIRTIO_NET_HDR_F_NEEDS_CSUM is normal.
2. TSO requires checksum offload, i.e., ip_summed == CHECKSUM_PARTIAL.
False, as tcp[46]_gso_segment will fix up csum_start and offset for
all other ip_summed by calling __tcp_v4_send_check.
Because of 2, we can limit the scope of the fix to virtio_net_hdr
that do try to set these fields, with a bogus value.
Link: https://lore.kernel.org/netdev/20240909094527.GA3048202@port70.net/
Fixes: 89add40066f9 ("net: drop bad gso csum_start and offset in virtio_net_hdr")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20240910213553.839926-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/virtio_net.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/include/linux/virtio_net.h
+++ b/include/linux/virtio_net.h
@@ -173,7 +173,8 @@ retry:
break;
case SKB_GSO_TCPV4:
case SKB_GSO_TCPV6:
- if (skb->csum_offset != offsetof(struct tcphdr, check))
+ if (skb->ip_summed == CHECKSUM_PARTIAL &&
+ skb->csum_offset != offsetof(struct tcphdr, check))
return -EINVAL;
break;
}
next prev parent reply other threads:[~2024-09-16 12:09 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-16 11:43 [PATCH 6.6 00/91] 6.6.52-rc1 review Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 01/91] device property: Add cleanup.h based fwnode_handle_put() scope based cleanup Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 02/91] device property: Introduce device_for_each_child_node_scoped() Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 03/91] iio: adc: ad7124: Switch from of specific to fwnode based property handling Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 04/91] iio: adc: ad7124: fix DT configuration parsing Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 05/91] nvmem: core: add nvmem_dev_size() helper Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 06/91] nvmem: u-boot-env: use nvmem_add_one_cell() nvmem subsystem helper Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 07/91] nvmem: u-boot-env: use nvmem device helpers Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 08/91] nvmem: u-boot-env: improve coding style Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 09/91] nvmem: u-boot-env: error if NVMEM device is too small Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 10/91] ksmbd: override fsids for share path check Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 11/91] ksmbd: override fsids for smb2_query_info() Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 12/91] usbnet: ipheth: remove extraneous rx URB length check Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 13/91] usbnet: ipheth: drop RX URBs with no payload Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 14/91] usbnet: ipheth: do not stop RX on failing RX callback Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 15/91] usbnet: ipheth: fix carrier detection in modes 1 and 4 Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 16/91] net: ethernet: use ip_hdrlen() instead of bit shift Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 17/91] drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 18/91] drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 19/91] net: phy: vitesse: repair vsc73xx autonegotiation Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 20/91] powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 21/91] wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 22/91] net: hns3: use correct release function during uninitialization Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 23/91] btrfs: update target inodes ctime on unlink Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 24/91] Input: ads7846 - ratelimit the spi_sync error message Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 25/91] Input: synaptics - enable SMBus for HP Elitebook 840 G2 Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 26/91] HID: multitouch: Add support for GT7868Q Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 27/91] scripts: kconfig: merge_config: config files: add a trailing newline Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 28/91] platform/surface: aggregator_registry: Add Support for Surface Pro 10 Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 29/91] platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 30/91] drm/msm/adreno: Fix error return if missing firmware-name Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 31/91] Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 32/91] s390/mm: Prevent lowcore vs identity mapping overlap Greg Kroah-Hartman
2024-09-17 11:06 ` Alexander Gordeev
2024-09-17 11:15 ` Greg Kroah-Hartman
2024-09-17 15:17 ` Alexander Gordeev
2024-09-18 6:17 ` Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 33/91] smb/server: fix return value of smb2_open() Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 34/91] NFSv4: Fix clearing of layout segments in layoutreturn Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 35/91] NFS: Avoid unnecessary rescanning of the per-server delegation list Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 36/91] platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 37/91] platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 38/91] mptcp: pm: Fix uaf in __timer_delete_sync Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 39/91] selftests: mptcp: join: restrict fullmesh endp on 1st sf Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 40/91] arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 41/91] arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog " Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 42/91] minmax: reduce min/max macro expansion in atomisp driver Greg Kroah-Hartman
2024-09-16 11:44 ` Greg Kroah-Hartman [this message]
2024-09-16 11:44 ` [PATCH 6.6 44/91] dm-integrity: fix a race condition when accessing recalc_sector Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 45/91] x86/hyperv: fix kexec crash due to VP assist page corruption Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 46/91] mm: avoid leaving partial pfn mappings around in error case Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 47/91] net: xilinx: axienet: Fix race in axienet_stop Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 48/91] arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 49/91] drm/amd/display: Disable error correction if its not supported Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 50/91] drm/amd/display: Fix FEC_READY write on DP LT Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 51/91] eeprom: digsy_mtc: Fix 93xx46 driver probe failure Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 52/91] cxl/core: Fix incorrect vendor debug UUID define Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 53/91] selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 54/91] hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 55/91] ice: Fix lldp packets dropping after changing the number of channels Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 56/91] ice: fix accounting for filters shared by multiple VSIs Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 57/91] ice: fix VSI lists confusion when adding VLANs Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 58/91] igb: Always call igb_xdp_ring_update_tail() under Tx lock Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 59/91] net/mlx5: Update the list of the PCI supported devices Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 60/91] net/mlx5e: Add missing link modes to ptys2ethtool_map Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 61/91] IB/mlx5: Rename 400G_8X speed to comply to naming convention Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 62/91] net/mlx5e: Add missing link mode to ptys2ext_ethtool_map Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 63/91] net/mlx5: Explicitly set scheduling element and TSAR type Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 64/91] net/mlx5: Add missing masks and QoS bit masks for scheduling elements Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 65/91] net/mlx5: Correct TASR typo into TSAR Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 66/91] net/mlx5: Verify support for scheduling element and TSAR type Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 67/91] net/mlx5: Fix bridge mode operations when there are no VFs Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 68/91] fou: fix initialization of grc Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 69/91] octeontx2-af: Modify SMQ flush sequence to drop packets Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 70/91] net: ftgmac100: Enable TX interrupt to avoid TX timeout Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 71/91] selftests: net: csum: Fix checksums for packets with non-zero padding Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 72/91] netfilter: nft_socket: fix sk refcount leaks Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 73/91] netfilter: nft_socket: make cgroupsv2 matching work with namespaces Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 74/91] net: dsa: felix: ignore pending status of TAS module when its disabled Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 75/91] net: dpaa: Pad packets to ETH_ZLEN Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 76/91] tracing/osnoise: Fix build when timerlat is not enabled Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 77/91] spi: nxp-fspi: fix the KASAN report out-of-bounds bug Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 78/91] soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 79/91] drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 80/91] dma-buf: heaps: Fix off-by-one in CMA heap fault handler Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 81/91] drm/nouveau/fb: restore init() for ramgp102 Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 82/91] drm/amdgpu/atomfirmware: Silence UBSAN warning Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 83/91] drm/amd/amdgpu: apply command submission parser for JPEG v1 Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 84/91] spi: geni-qcom: Undo runtime PM changes at driver exit time Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 85/91] spi: geni-qcom: Fix incorrect free_irq() sequence Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 86/91] drm/i915/guc: prevent a possible int overflow in wq offsets Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 87/91] ASoC: codecs: avoid possible garbage value in peb2466_reg_read() Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 88/91] cifs: Fix signature miscalculation Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 89/91] pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 90/91] ASoC: meson: axg-card: fix use-after-free Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 91/91] riscv: dts: starfive: add assigned-clock* to limit frquency Greg Kroah-Hartman
2024-09-16 14:10 ` [PATCH 6.6 00/91] 6.6.52-rc1 review Takeshi Ogasawara
2024-09-16 16:29 ` Harshit Mogalapalli
2024-09-16 18:12 ` Peter Schneider
2024-09-17 9:56 ` Mark Brown
2024-09-17 10:30 ` Naresh Kamboju
2024-09-18 6:17 ` Greg Kroah-Hartman
2024-09-17 15:19 ` Jon Hunter
2024-09-17 21:44 ` Florian Fainelli
2024-09-17 22:35 ` Ron Economos
2024-09-18 10:03 ` Kexy Biscuit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240916114225.923827191@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jasowang@redhat.com \
--cc=kuba@kernel.org \
--cc=mst@redhat.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox