From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Taehee Yoo <ap420073@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 70/71] ip: frags: fix crash in ip_do_fragment()
Date: Tue, 16 Oct 2018 19:10:07 +0200 [thread overview]
Message-ID: <20181016170542.905205656@linuxfoundation.org> (raw)
In-Reply-To: <20181016170539.315587743@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Taehee Yoo <ap420073@gmail.com>
commit 5d407b071dc369c26a38398326ee2be53651cfe4 upstream
A kernel crash occurrs when defragmented packet is fragmented
in ip_do_fragment().
In defragment routine, skb_orphan() is called and
skb->ip_defrag_offset is set. but skb->sk and
skb->ip_defrag_offset are same union member. so that
frag->sk is not NULL.
Hence crash occurrs in skb->sk check routine in ip_do_fragment() when
defragmented packet is fragmented.
test commands:
%iptables -t nat -I POSTROUTING -j MASQUERADE
%hping3 192.168.4.2 -s 1000 -p 2000 -d 60000
splat looks like:
[ 261.069429] kernel BUG at net/ipv4/ip_output.c:636!
[ 261.075753] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 261.083854] CPU: 1 PID: 1349 Comm: hping3 Not tainted 4.19.0-rc2+ #3
[ 261.100977] RIP: 0010:ip_do_fragment+0x1613/0x2600
[ 261.106945] Code: e8 e2 38 e3 fe 4c 8b 44 24 18 48 8b 74 24 08 e9 92 f6 ff ff 80 3c 02 00 0f 85 da 07 00 00 48 8b b5 d0 00 00 00 e9 25 f6 ff ff <0f> 0b 0f 0b 44 8b 54 24 58 4c 8b 4c 24 18 4c 8b 5c 24 60 4c 8b 6c
[ 261.127015] RSP: 0018:ffff8801031cf2c0 EFLAGS: 00010202
[ 261.134156] RAX: 1ffff1002297537b RBX: ffffed0020639e6e RCX: 0000000000000004
[ 261.142156] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880114ba9bd8
[ 261.150157] RBP: ffff880114ba8a40 R08: ffffed0022975395 R09: ffffed0022975395
[ 261.158157] R10: 0000000000000001 R11: ffffed0022975394 R12: ffff880114ba9ca4
[ 261.166159] R13: 0000000000000010 R14: ffff880114ba9bc0 R15: dffffc0000000000
[ 261.174169] FS: 00007fbae2199700(0000) GS:ffff88011b400000(0000) knlGS:0000000000000000
[ 261.183012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 261.189013] CR2: 00005579244fe000 CR3: 0000000119bf4000 CR4: 00000000001006e0
[ 261.198158] Call Trace:
[ 261.199018] ? dst_output+0x180/0x180
[ 261.205011] ? save_trace+0x300/0x300
[ 261.209018] ? ip_copy_metadata+0xb00/0xb00
[ 261.213034] ? sched_clock_local+0xd4/0x140
[ 261.218158] ? kill_l4proto+0x120/0x120 [nf_conntrack]
[ 261.223014] ? rt_cpu_seq_stop+0x10/0x10
[ 261.227014] ? find_held_lock+0x39/0x1c0
[ 261.233008] ip_finish_output+0x51d/0xb50
[ 261.237006] ? ip_fragment.constprop.56+0x220/0x220
[ 261.243011] ? nf_ct_l4proto_register_one+0x5b0/0x5b0 [nf_conntrack]
[ 261.250152] ? rcu_is_watching+0x77/0x120
[ 261.255010] ? nf_nat_ipv4_out+0x1e/0x2b0 [nf_nat_ipv4]
[ 261.261033] ? nf_hook_slow+0xb1/0x160
[ 261.265007] ip_output+0x1c7/0x710
[ 261.269005] ? ip_mc_output+0x13f0/0x13f0
[ 261.273002] ? __local_bh_enable_ip+0xe9/0x1b0
[ 261.278152] ? ip_fragment.constprop.56+0x220/0x220
[ 261.282996] ? nf_hook_slow+0xb1/0x160
[ 261.287007] raw_sendmsg+0x21f9/0x4420
[ 261.291008] ? dst_output+0x180/0x180
[ 261.297003] ? sched_clock_cpu+0x126/0x170
[ 261.301003] ? find_held_lock+0x39/0x1c0
[ 261.306155] ? stop_critical_timings+0x420/0x420
[ 261.311004] ? check_flags.part.36+0x450/0x450
[ 261.315005] ? _raw_spin_unlock_irq+0x29/0x40
[ 261.320995] ? _raw_spin_unlock_irq+0x29/0x40
[ 261.326142] ? cyc2ns_read_end+0x10/0x10
[ 261.330139] ? raw_bind+0x280/0x280
[ 261.334138] ? sched_clock_cpu+0x126/0x170
[ 261.338995] ? check_flags.part.36+0x450/0x450
[ 261.342991] ? __lock_acquire+0x4500/0x4500
[ 261.348994] ? inet_sendmsg+0x11c/0x500
[ 261.352989] ? dst_output+0x180/0x180
[ 261.357012] inet_sendmsg+0x11c/0x500
[ ... ]
v2:
- clear skb->sk at reassembly routine.(Eric Dumarzet)
Fixes: fa0f527358bd ("ip: use rb trees for IP frag queue.")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ip_fragment.c | 1 +
net/ipv6/netfilter/nf_conntrack_reasm.c | 1 +
2 files changed, 2 insertions(+)
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -597,6 +597,7 @@ static int ip_frag_reasm(struct ipq *qp,
nextp = &fp->next;
fp->prev = NULL;
memset(&fp->rbnode, 0, sizeof(fp->rbnode));
+ fp->sk = NULL;
head->data_len += fp->len;
head->len += fp->len;
if (head->ip_summed != fp->ip_summed)
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -452,6 +452,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq,
else if (head->ip_summed == CHECKSUM_COMPLETE)
head->csum = csum_add(head->csum, fp->csum);
head->truesize += fp->truesize;
+ fp->sk = NULL;
}
sub_frag_mem_limit(fq->q.net, head->truesize);
next prev parent reply other threads:[~2018-10-16 17:25 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-16 17:08 [PATCH 4.9 00/71] 4.9.134-stable review Greg Kroah-Hartman
2018-10-16 17:08 ` [PATCH 4.9 01/71] ASoC: wm8804: Add ACPI support Greg Kroah-Hartman
2018-10-16 17:08 ` [PATCH 4.9 02/71] ASoC: sigmadsp: safeload should not have lower byte limit Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 03/71] selftests/efivarfs: add required kernel configs Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 04/71] selftests: memory-hotplug: add required configs Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 05/71] mfd: omap-usb-host: Fix dts probe of children Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 06/71] scsi: iscsi: target: Dont use stack buffer for scatterlist Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 07/71] scsi: qla2xxx: Fix an endian bug in fcpcmd_is_corrupted() Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 08/71] sound: enable interrupt after dma buffer initialization Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 09/71] stmmac: fix valid numbers of unicast filter entries Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 10/71] net: macb: disable scatter-gather for macb on sama5d3 Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 11/71] ARM: dts: at91: add new compatibility string " Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 12/71] x86/kvm/lapic: always disable MMIO interface in x2APIC mode Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 13/71] drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7 Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 14/71] ext4: Fix error code in ext4_xattr_set_entry() Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 15/71] mm/vmstat.c: fix outdated vmstat_text Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 16/71] MIPS: VDSO: Always map near top of user memory Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 17/71] mach64: detect the dot clock divider correctly on sparc Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 18/71] perf script python: Fix export-to-postgresql.py occasional failure Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 19/71] mm: Preserve _PAGE_DEVMAP across mprotect() calls Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 20/71] i2c: i2c-scmi: fix for i2c_smbus_write_block_data Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 21/71] xhci: Dont print a warning when setting link state for disabled ports Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 22/71] bnxt_en: Fix TX timeout during netpoll Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 23/71] bonding: avoid possible dead-lock Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 24/71] ip6_tunnel: be careful when accessing the inner header Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 25/71] ip_tunnel: " Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 26/71] ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 27/71] ipv6: take rcu lock in rawv6_send_hdrinc() Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 28/71] net: dsa: bcm_sf2: Call setup during switch resume Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 29/71] net: hns: fix for unmapping problem when SMMU is on Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 30/71] net: ipv4: update fnhe_pmtu when first hops MTU changes Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 31/71] net/ipv6: Display all addresses in output of /proc/net/if_inet6 Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 32/71] netlabel: check for IPV4MASK in addrinfo_get Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 33/71] net/usb: cancel pending work when unbinding smsc75xx Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 34/71] qlcnic: fix Tx descriptor corruption on 82xx devices Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 35/71] qmi_wwan: Added support for Gemaltos Cinterion ALASxx WWAN interface Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 36/71] team: Forbid enslaving team device to itself Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 37/71] net: dsa: bcm_sf2: Fix unbind ordering Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 38/71] net: mvpp2: Extract the correct ethtype from the skb for tx csum offload Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 39/71] net: systemport: Fix wake-up interrupt race during resume Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 40/71] rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096 Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 41/71] tcp/dccp: fix lockdep issue when SYN is backlogged Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 42/71] inet: make sure to grab rcu_read_lock before using ireq->ireq_opt Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 43/71] inet: frags: change inet_frags_init_net() return value Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 44/71] inet: frags: add a pointer to struct netns_frags Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 45/71] inet: frags: refactor ipfrag_init() Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 46/71] inet: frags: refactor ipv6_frag_init() Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 47/71] inet: frags: refactor lowpan_net_frag_init() Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 48/71] ipv6: export ip6 fragments sysctl to unprivileged users Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 49/71] rhashtable: add schedule points Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 50/71] inet: frags: use rhashtables for reassembly units Greg Kroah-Hartman
2018-10-26 13:39 ` Stefan Schmidt
2018-11-29 12:54 ` Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 51/71] inet: frags: remove some helpers Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 52/71] inet: frags: get rif of inet_frag_evicting() Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 53/71] inet: frags: remove inet_frag_maybe_warn_overflow() Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 54/71] inet: frags: break the 2GB limit for frags storage Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 55/71] inet: frags: do not clone skb in ip_expire() Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 56/71] ipv6: frags: rewrite ip6_expire_frag_queue() Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 57/71] rhashtable: reorganize struct rhashtable layout Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 58/71] inet: frags: reorganize struct netns_frags Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 59/71] inet: frags: get rid of ipfrag_skb_cb/FRAG_CB Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 60/71] inet: frags: fix ip6frag_low_thresh boundary Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 61/71] ip: discard IPv4 datagrams with overlapping segments Greg Kroah-Hartman
2018-10-16 17:09 ` [PATCH 4.9 62/71] net: speed up skb_rbtree_purge() Greg Kroah-Hartman
2018-10-16 17:10 ` [PATCH 4.9 63/71] net: modify skb_rbtree_purge to return the truesize of all purged skbs Greg Kroah-Hartman
2018-10-16 17:10 ` [PATCH 4.9 64/71] ipv6: defrag: drop non-last frags smaller than min mtu Greg Kroah-Hartman
2018-10-16 17:10 ` [PATCH 4.9 65/71] net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends Greg Kroah-Hartman
2018-10-16 17:10 ` [PATCH 4.9 66/71] net: add rb_to_skb() and other rb tree helpers Greg Kroah-Hartman
2018-10-16 17:10 ` [PATCH 4.9 67/71] ip: use rb trees for IP frag queue Greg Kroah-Hartman
2018-10-16 17:10 ` [PATCH 4.9 68/71] ip: add helpers to process in-order fragments faster Greg Kroah-Hartman
2018-10-16 17:10 ` [PATCH 4.9 69/71] ip: process in-order fragments efficiently Greg Kroah-Hartman
2018-10-16 17:10 ` Greg Kroah-Hartman [this message]
2018-10-16 17:10 ` [PATCH 4.9 71/71] ipv4: frags: precedence bug in ip_expire() Greg Kroah-Hartman
2018-10-17 7:20 ` [PATCH 4.9 00/71] 4.9.134-stable review Amit Pundir
2018-10-17 7:51 ` Greg Kroah-Hartman
2018-10-17 13:19 ` Guenter Roeck
2018-10-17 13:32 ` Greg Kroah-Hartman
2018-10-17 15:11 ` Rafael Tinoco
2018-10-17 18:43 ` Shuah Khan
2018-10-17 19:19 ` Guenter Roeck
2018-10-18 7:12 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181016170542.905205656@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ap420073@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).