From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Taehee Yoo <ap420073@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 46/54] mld: fix panic in mld_newpack()
Date: Mon, 31 May 2021 15:14:12 +0200 [thread overview]
Message-ID: <20210531130636.513805582@linuxfoundation.org> (raw)
In-Reply-To: <20210531130635.070310929@linuxfoundation.org>
From: Taehee Yoo <ap420073@gmail.com>
[ Upstream commit 020ef930b826d21c5446fdc9db80fd72a791bc21 ]
mld_newpack() doesn't allow to allocate high order page,
only order-0 allocation is allowed.
If headroom size is too large, a kernel panic could occur in skb_put().
Test commands:
ip netns del A
ip netns del B
ip netns add A
ip netns add B
ip link add veth0 type veth peer name veth1
ip link set veth0 netns A
ip link set veth1 netns B
ip netns exec A ip link set lo up
ip netns exec A ip link set veth0 up
ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0
ip netns exec B ip link set lo up
ip netns exec B ip link set veth1 up
ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1
for i in {1..99}
do
let A=$i-1
ip netns exec A ip link add ip6gre$i type ip6gre \
local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100
ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i
ip netns exec A ip link set ip6gre$i up
ip netns exec B ip link add ip6gre$i type ip6gre \
local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100
ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i
ip netns exec B ip link set ip6gre$i up
done
Splat looks like:
kernel BUG at net/core/skbuff.c:110!
invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:skb_panic+0x15d/0x15f
Code: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83
41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89
34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20
RSP: 0018:ffff88810091f820 EFLAGS: 00010282
RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000
RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb
RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031
R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028
R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0
FS: 0000000000000000(0000) GS:ffff888117c00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
skb_put.cold.104+0x22/0x22
ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
? rcu_read_lock_sched_held+0x91/0xc0
mld_newpack+0x398/0x8f0
? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600
? lock_contended+0xc40/0xc40
add_grhead.isra.33+0x280/0x380
add_grec+0x5ca/0xff0
? mld_sendpack+0xf40/0xf40
? lock_downgrade+0x690/0x690
mld_send_initial_cr.part.34+0xb9/0x180
ipv6_mc_dad_complete+0x15d/0x1b0
addrconf_dad_completed+0x8d2/0xbb0
? lock_downgrade+0x690/0x690
? addrconf_rs_timer+0x660/0x660
? addrconf_dad_work+0x73c/0x10e0
addrconf_dad_work+0x73c/0x10e0
Allowing high order page allocation could fix this problem.
Fixes: 72e09ad107e7 ("ipv6: avoid high order allocations")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/mcast.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 2d28f0b54494..636425999aac 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1573,10 +1573,7 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu)
IPV6_TLV_PADN, 0 };
/* we assume size > sizeof(ra) here */
- /* limit our allocations to order-0 page */
- size = min_t(int, size, SKB_MAX_ORDER(0, 0));
skb = sock_alloc_send_skb(sk, size, 1, &err);
-
if (!skb)
return NULL;
--
2.30.2
next prev parent reply other threads:[~2021-05-31 13:22 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-31 13:13 [PATCH 4.4 00/54] 4.4.271-rc1 review Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 01/54] mm, vmstat: drop zone->lock in /proc/pagetypeinfo Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 02/54] netfilter: x_tables: Use correct memory barriers Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 03/54] NFC: nci: fix memory leak in nci_allocate_device Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 04/54] proc: Check /proc/$pid/attr/ writes against file opener Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 05/54] net: hso: fix control-request directions Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 06/54] mac80211: assure all fragments are encrypted Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 07/54] mac80211: prevent mixed key and fragment cache attacks Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 08/54] dm snapshot: properly fix a crash when an origin has no snapshots Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 09/54] kgdb: fix gcc-11 warnings harder Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 10/54] misc/uss720: fix memory leak in uss720_probe Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 11/54] mei: request autosuspend after sending rx flow control Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 12/54] staging: iio: cdc: ad7746: avoid overwrite of num_channels Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 13/54] iio: adc: ad7793: Add missing error code in ad7793_setup() Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 14/54] USB: trancevibrator: fix control-request direction Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 15/54] serial: rp2: use request_firmware instead of request_firmware_nowait Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 16/54] USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011 Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 17/54] USB: serial: ftdi_sio: add IDs for IDS GmbH Products Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 18/54] USB: serial: pl2303: add device id for ADLINK ND-6530 GC Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 19/54] net: usb: fix memory leak in smsc75xx_bind Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 20/54] spi: Fix use-after-free with devm_spi_alloc_* Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 21/54] spi: spi-sh: Fix use-after-free on unbind Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 22/54] Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 23/54] NFS: fix an incorrect limit in filelayout_decode_layout() Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 24/54] NFS: Dont corrupt the value of pg_bytes_written in nfs_do_recoalesce() Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 25/54] NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 26/54] net/mlx4: Fix EEPROM dump support Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 27/54] Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv" Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 28/54] tipc: skb_linearize the head skb when reassembling msgs Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 29/54] i2c: s3c2410: fix possible NULL pointer deref on read message after write Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 30/54] i2c: i801: Dont generate an interrupt on bus reset Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 31/54] platform/x86: hp_accel: Avoid invoking _INI to speed up resume Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 32/54] net: fujitsu: fix potential null-ptr-deref Greg Kroah-Hartman
2021-05-31 13:13 ` [PATCH 4.4 33/54] net: caif: remove BUG_ON(dev == NULL) in caif_xmit Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 34/54] char: hpet: add checks after calling ioremap Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 35/54] ALSA: sb8: Add a comment note regarding an unused pointer Greg Kroah-Hartman
2021-05-31 20:36 ` Pavel Machek
2021-05-31 21:43 ` Sasha Levin
2021-05-31 13:14 ` [PATCH 4.4 36/54] isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 37/54] libertas: register sysfs groups properly Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 38/54] media: dvb: Add check on sp8870_readreg return Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 39/54] media: gspca: properly check for errors in po1030_probe() Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 40/54] scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 41/54] openrisc: Define memory barrier mb Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 42/54] btrfs: do not BUG_ON in link_to_fixup_dir Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 43/54] drm/amdgpu: Fix a use-after-free Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 44/54] net: netcp: Fix an error message Greg Kroah-Hartman
2021-05-31 18:41 ` Marion & Christophe JAILLET
2021-05-31 13:14 ` [PATCH 4.4 45/54] net: bnx2: Fix error return code in bnx2_init_board() Greg Kroah-Hartman
2021-05-31 13:14 ` Greg Kroah-Hartman [this message]
2021-05-31 13:14 ` [PATCH 4.4 47/54] staging: emxx_udc: fix loop in _nbu2ss_nuke() Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 48/54] scsi: libsas: Use _safe() loop in sas_resume_port() Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 49/54] sch_dsmark: fix a NULL deref in qdisc_reset() Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 50/54] MIPS: alchemy: xxs1500: add gpio-au1000.h header file Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 51/54] MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 52/54] hugetlbfs: hugetlb_fault_mutex_hash() cleanup Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 53/54] bluetooth: eliminate the potential race condition when removing the HCI controller Greg Kroah-Hartman
2021-05-31 13:14 ` [PATCH 4.4 54/54] usb: core: reduce power-on-good delay time of root hub Greg Kroah-Hartman
2021-05-31 19:07 ` [PATCH 4.4 00/54] 4.4.271-rc1 review Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210531130636.513805582@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ap420073@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox