[PATCH 0/1] oops in af_packet fanout mode

[PATCH 0/1] oops in af_packet fanout mode

[Eric Leblond]

Due to a NULL dereference, the following patch is causing oops
in normal trafic condition:

commit c0de08d04215031d68fa13af36f347a6cfa252ca
Author: Eric Leblond <eric@regit.org>
Date:   Thu Aug 16 22:02:58 2012 +0000

    af_packet: don't emit packet on orig fanout group

This patch was a feature fix and has reached most stable
branches. The following patch fixes the issue and should be
applied to branch containing the previous patch.

BR,
--
Eric Leblond <eric@regit.org>

[PATCH 1/1] af-packet: fix oops when socket is not present

[Eric Leblond]

When skb->sk is NULL and when packet fanout is used, there is a
crash in match_fanout_group where skb->sk is accessed.
This patch fixes the issue by returning false as soon as the
socket is NULL: this correspond to the wanted behavior because
the kernel as to resend the skb to all the listening socket in
this case.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 net/core/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index b4978e2..c7b5293 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1666,7 +1666,7 @@ static inline int deliver_skb(struct sk_buff *skb,
 
 static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
 {
-	if (ptype->af_packet_priv == NULL)
+	if ((ptype->af_packet_priv == NULL) || (skb->sk == NULL))
 		return false;
 
 	if (ptype->id_match)
-- 
1.7.10.4

Re: [PATCH 1/1] af-packet: fix oops when socket is not present

[Eric Dumazet]

On Tue, 2012-11-06 at 11:24 +0100, Eric Leblond wrote:
> When skb->sk is NULL and when packet fanout is used, there is a
> crash in match_fanout_group where skb->sk is accessed.
> This patch fixes the issue by returning false as soon as the
> socket is NULL: this correspond to the wanted behavior because
> the kernel as to resend the skb to all the listening socket in
> this case.
> 
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  net/core/dev.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/core/dev.c b/net/core/dev.c
> index b4978e2..c7b5293 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -1666,7 +1666,7 @@ static inline int deliver_skb(struct sk_buff *skb,
>  
>  static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
>  {
> -	if (ptype->af_packet_priv == NULL)
> +	if ((ptype->af_packet_priv == NULL) || (skb->sk == NULL))

Why adding these parentheses  ?

if (!ptype->af_packet_priv || !skb->sk)


>  		return false;
>  
>  	if (ptype->id_match)

Your patch is technically correct, but misses extra information to ease
stable team work.

Your previous mail with this useful information wont be part of the
patch.

Please add this information in the changelog ?

Thanks

[PATCH v2] af-packet: fix oops when socket is not present

[Eric Leblond]

Due to a NULL dereference, the following patch is causing oops
in normal trafic condition:

commit c0de08d04215031d68fa13af36f347a6cfa252ca
Author: Eric Leblond <eric@regit.org>
Date:   Thu Aug 16 22:02:58 2012 +0000

    af_packet: don't emit packet on orig fanout group

This buggy patch was a feature fix and has reached most stable
branches.

When skb->sk is NULL and when packet fanout is used, there is a
crash in match_fanout_group where skb->sk is accessed.
This patch fixes the issue by returning false as soon as the
socket is NULL: this correspond to the wanted behavior because
the kernel as to resend the skb to all the listening socket in
this case.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 net/core/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index b4978e2..83232a1 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1666,7 +1666,7 @@ static inline int deliver_skb(struct sk_buff *skb,
 
 static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
 {
-	if (ptype->af_packet_priv == NULL)
+	if (!ptype->af_packet_priv || !skb->sk)
 		return false;
 
 	if (ptype->id_match)
-- 
1.7.10.4

Re: [PATCH v2] af-packet: fix oops when socket is not present

[Greg KH]

On Tue, Nov 06, 2012 at 01:10:10PM +0100, Eric Leblond wrote:
> Due to a NULL dereference, the following patch is causing oops
> in normal trafic condition:
> 
> commit c0de08d04215031d68fa13af36f347a6cfa252ca
> Author: Eric Leblond <eric@regit.org>
> Date:   Thu Aug 16 22:02:58 2012 +0000
> 
>     af_packet: don't emit packet on orig fanout group
> 
> This buggy patch was a feature fix and has reached most stable
> branches.
> 
> When skb->sk is NULL and when packet fanout is used, there is a
> crash in match_fanout_group where skb->sk is accessed.
> This patch fixes the issue by returning false as soon as the
> socket is NULL: this correspond to the wanted behavior because
> the kernel as to resend the skb to all the listening socket in
> this case.
> 
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  net/core/dev.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read Documentation/stable_kernel_rules.txt
for how to do this properly.

</formletter>

Re: [PATCH v2] af-packet: fix oops when socket is not present

[Eric Dumazet]

On Tue, 2012-11-06 at 13:28 +0100, Greg KH wrote:
> On Tue, Nov 06, 2012 at 01:10:10PM +0100, Eric Leblond wrote:
> > Due to a NULL dereference, the following patch is causing oops
> > in normal trafic condition:
> > 
> > commit c0de08d04215031d68fa13af36f347a6cfa252ca
> > Author: Eric Leblond <eric@regit.org>
> > Date:   Thu Aug 16 22:02:58 2012 +0000
> > 
> >     af_packet: don't emit packet on orig fanout group
> > 
> > This buggy patch was a feature fix and has reached most stable
> > branches.
> > 
> > When skb->sk is NULL and when packet fanout is used, there is a
> > crash in match_fanout_group where skb->sk is accessed.
> > This patch fixes the issue by returning false as soon as the
> > socket is NULL: this correspond to the wanted behavior because
> > the kernel as to resend the skb to all the listening socket in
> > this case.
> > 
> > Signed-off-by: Eric Leblond <eric@regit.org>
> > ---
> >  net/core/dev.c |    2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> <formletter>
> 
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree.  Please read Documentation/stable_kernel_rules.txt
> for how to do this properly.
> 
> </formletter>

Right.

By the way, David Miller prefers to handle stable submissions himself.

So Eric, I guess you could just do nothing for this particular patch,
since your stable@vger.kernel.org addition in the CC will be void.

(Dont add the Cc: in the patch itself, as David will remove it anyway)

Thanks

Re: [PATCH v2] af-packet: fix oops when socket is not present

[David Miller]

From: Eric Leblond <eric@regit.org>
Date: Tue,  6 Nov 2012 13:10:10 +0100

> Due to a NULL dereference, the following patch is causing oops
> in normal trafic condition:
> 
> commit c0de08d04215031d68fa13af36f347a6cfa252ca
> Author: Eric Leblond <eric@regit.org>
> Date:   Thu Aug 16 22:02:58 2012 +0000
> 
>     af_packet: don't emit packet on orig fanout group
> 
> This buggy patch was a feature fix and has reached most stable
> branches.
> 
> When skb->sk is NULL and when packet fanout is used, there is a
> crash in match_fanout_group where skb->sk is accessed.
> This patch fixes the issue by returning false as soon as the
> socket is NULL: this correspond to the wanted behavior because
> the kernel as to resend the skb to all the listening socket in
> this case.
> 
> Signed-off-by: Eric Leblond <eric@regit.org>

Applied and queued up for -stable, thanks.