From: Michal Kubecek <mkubecek@suse.cz>
To: Ivan Babrou <ivan@cloudflare.com>
Cc: Linux Kernel Network Developers <netdev@vger.kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Ignat Korchagin <ignat@cloudflare.com>,
	Shawn Bohrer <sbohrer@cloudflare.com>,
	Jakub Sitnicki <jakub@cloudflare.com>
Subject: Re: BUG: KASAN: double-free or invalid-free in ip_defrag after upgrade from 4.19.13
Date: Thu, 31 Jan 2019 00:00:01 +0100
Message-ID: <20190130230001.GL24651@unicorn.suse.cz>
In-Reply-To: <CABWYdi1=CwMH1McYkVy+HOQcVHWqZerhjqyn8irQq10wee08Zg@mail.gmail.com>

On Wed, Jan 30, 2019 at 02:26:32PM -0800, Ivan Babrou wrote:
> Hey,
> 
> Continuing from this thread earlier today:
> 
> * https://marc.info/?t=154886729100001&r=1&w=2
> 
> We fired up a KASAN enabled kernel on one of those machines and this is
> what we saw:
...
> This commit from 4.19.14 seems relevant:
> 
> * https://github.com/torvalds/linux/commit/d5f9565c8d5ad3cf94982223cfcef1169b0bb60f
> 
> As a reminder, we upgraded from 4.19.13 and started seeing crashes.

Unfortunately I'm on vacation this week, so my capability to look
deeper into this is limited, but there seems to be one obvious problem
with the 4.19.y backport: in mainline, there is

        err = -EINVAL;

right on top of the "Find out where to put this fragment." comment, which
had been added by commit 0ff89efb5246 ("ip: fail fast on IP defrag
errors"). In the 4.19.y backport of the commit, this assignment is missing,
so the value of err at this point comes from the earlier
pskb_trim_rcsum() call, so it must be zero, and if we take any of the
"goto err" added by commit d5f9565c8d5a, we drop the packet by calling
kfree_skb() but return zero, so the caller doesn't know about it.

Michal Kubecek

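The control-flow defect Michal describes, reduced to a runnable model. This is an added illustration, not the kernel's ip_frag_queue() or the backport itself: struct toy_skb, toy_kfree(), toy_trim() and the fixed "queue already covers [0, 100)" state are constructed stand-ins, and the post-trim overlap check is only a placeholder for whichever later check takes one of the "goto err" paths. The one thing it reproduces faithfully is the pattern: err is last assigned by a call that succeeded (0), a later check jumps to err without setting it, and the function frees the buffer yet reports success. The reset_err flag switches between the backport shape (0) and the mainline shape with the err = -EINVAL assignment (1).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for struct sk_buff; not the kernel's type. */
struct toy_skb {
	unsigned char *data;
	size_t len;
	int freed;	/* set by toy_kfree() so the demo can observe the free */
};

static struct toy_skb *toy_alloc(size_t len)
{
	struct toy_skb *skb = calloc(1, sizeof(*skb));
	if (!skb)
		return NULL;
	skb->data = calloc(len, 1);
	if (!skb->data) {
		free(skb);
		return NULL;
	}
	skb->len = len;
	return skb;
}

/* Stand-in for kfree_skb(): frees the payload; the shell stays so the
 * demo can inspect skb->freed (the real kfree_skb frees the skb too). */
static void toy_kfree(struct toy_skb *skb)
{
	free(skb->data);
	skb->data = NULL;
	skb->freed = 1;
}

/* Stand-in for pskb_trim_rcsum(): returns 0 on success, like the real one. */
static int toy_trim(struct toy_skb *skb, size_t new_len)
{
	if (new_len > skb->len)
		return -ENOMEM;		/* placeholder failure code */
	skb->len = new_len;
	return 0;
}

/* Constructed state: the reassembly queue already holds bytes [0, QUEUED_END). */
#define QUEUED_END 100

/*
 * Models the fragment-queue function.  Contract the caller relies on:
 * return 0 when skb was consumed into the queue, a negative errno when it
 * was dropped.  The caller must not touch skb afterwards in either case,
 * but it does use the return value to decide whether the packet was accepted.
 */
static int toy_frag_queue(struct toy_skb *skb, size_t offset, size_t end,
			  int reset_err)
{
	int err;

	err = toy_trim(skb, end - offset);	/* succeeds here: err == 0 */
	if (err)
		goto err;

	if (reset_err)
		err = -EINVAL;	/* the assignment the 4.19.y backport lacks */

	/* Find out where to put this fragment.  Placeholder for a later
	 * check that rejects the fragment via "goto err". */
	if (offset < QUEUED_END)
		goto err;

	/* ... fragment would be linked into the queue here ... */
	return 0;

err:
	toy_kfree(skb);
	return err;		/* backport shape: still 0 after a free */
}

/*
 * Runs one overlapping fragment through the model and reports what the
 * caller sees: the return value, plus whether the buffer was freed.
 */
static int simulate(int reset_err, int *freed_out)
{
	struct toy_skb *skb = toy_alloc(64);
	int ret;

	if (!skb)
		return -ENOMEM;
	/* offset 50 overlaps the queued range [0, 100) */
	ret = toy_frag_queue(skb, 50, 114, reset_err);
	*freed_out = skb->freed;
	free(skb);
	return ret;
}

int main(void)
{
	int freed, ret;

	ret = simulate(0, &freed);
	printf("backport shape: ret=%d freed=%d\n", ret, freed);
	ret = simulate(1, &freed);
	printf("mainline shape: ret=%d freed=%d\n", ret, freed);
	return 0;
}
```

Run as-is, the backport shape reports ret=0 with freed=1: the buffer is gone but the caller is told the packet was accepted, which is exactly the state a caller cannot distinguish from success and which a KASAN build will later flag when the freed memory is touched. The review habit this models is simple: before each goto into a shared error label, confirm that err was assigned a nonzero value on that path rather than inherited from the last successful call.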

Thread overview:
2019-01-30 22:26 BUG: KASAN: double-free or invalid-free in ip_defrag after upgrade from 4.19.13 Ivan Babrou
2019-01-30 22:50 ` Eric Dumazet
2019-01-30 22:57   ` Eric Dumazet
2019-01-30 23:00 ` Michal Kubecek [this message]
2019-01-30 23:09   ` Ivan Babrou
2019-01-30 23:13     ` Eric Dumazet
2019-01-30 23:16       ` Eric Dumazet
2019-01-31 12:48         ` Greg Kroah-Hartman
2019-01-31 15:05           ` Eric Dumazet
2019-01-31 17:38           ` David Miller
