Date: Thu, 31 Jan 2019 13:48:16 +0100
From: Greg Kroah-Hartman
To: Eric Dumazet
Cc: Ivan Babrou, Michal Kubecek, Linux Kernel Network Developers, "David S. Miller", Ignat Korchagin, Shawn Bohrer, Jakub Sitnicki
Subject: Re: BUG: KASAN: double-free or invalid-free in ip_defrag after upgrade from 4.19.13
Message-ID: <20190131124816.GA8031@kroah.com>
References: <20190130230001.GL24651@unicorn.suse.cz>
X-Mailing-List: netdev@vger.kernel.org

On Wed, Jan 30, 2019 at 03:16:56PM -0800, Eric Dumazet wrote:
> On Wed, Jan 30, 2019 at 3:13 PM Eric Dumazet wrote:
> >
> > On Wed, Jan 30, 2019 at 3:09 PM Ivan Babrou wrote:
> > >
> > > Eric,
> > >
> > > Are you going to propose the change then?
> > >
> > > I'm happy to test it out.
> > >
> >
> > This is indeed a bug in linux stable tree only.
> >
> > The err=-EINVAL move was part of a patch that was not backported
> > (since it was not a bug fix)
> >
> > commit 0ff89efb524631ac9901b81446b453c29711c376
> > Author: Peter Oskolkov
> > Date: Tue Aug 28 11:36:19 2018 -0700
> >
> > ip: fail fast on IP defrag errors
> >
>
> Greg, the fix for 4.19 (and maybe other stable trees ?) would be :
>
> diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
> index f8bbd693c19c247e41839c2d0b5318ca51b23ee8..d95b32af4a0e3f552405c9e61cc372729834160c
> 100644
> --- a/net/ipv4/ip_fragment.c
> +++ b/net/ipv4/ip_fragment.c
> @@ -425,6 +425,7 @@ static int ip_frag_queue(struct ipq *qp, struct
> sk_buff *skb)
> * fragment.
> */
>
> + err = -EINVAL;
> /* Find out where to put this fragment. */
> prev_tail = qp->q.fragments_tail;
> if (!prev_tail)
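Review bot: the added `+ err = -EINVAL;` just before `/* Find out where to put this fragment. */` is the whole fix, but nothing in the diff records why it is needed; when this becomes a real patch, the commit message should state that the error exits reachable from the fragment-placement code below this point (`discard_qp:` and `err:`, which frees the skb unconditionally) previously returned whatever `err` held from earlier in ip_frag_queue(), cite upstream commit 0ff89efb524631ac9901b81446b453c29711c376 ("ip: fail fast on IP defrag errors") as the origin of the moved assignment, and carry a Fixes: tag for the stable backport that introduced the regression. Also, the `@@` header's function context is wrapped onto two lines ("struct" / "sk_buff *skb)") and the `index` line is split before "100644", so the diff as quoted here will not apply with `git am` or `patch -p1` until it is re-flowed.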
> @@ -501,7 +502,6 @@ static int ip_frag_queue(struct ipq *qp, struct
> sk_buff *skb)
>
> discard_qp:
> inet_frag_kill(&qp->q);
> - err = -EINVAL;
> __IP_INC_STATS(net, IPSTATS_MIB_REASM_OVERLAPS);
> err:
> kfree_skb(skb);
>

Thanks for this, I'll turn this into a real patch and backport it to where it is needed.

greg k-h
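Review bot: removing `err = -EINVAL;` under `discard_qp:` is only safe if every `goto discard_qp` in the 4.19 ip_frag_queue() is reached after the new assignment at line 428 in the first hunk; please confirm against the 4.19 source that no jump to `discard_qp` or `err` sits between the top of the function and that point, because such a path would now return whatever `err` held before while the `err:` label still frees the skb unconditionally. A one-line comment above the new assignment noting that all later error exits rely on it would keep the next backporter from moving it again.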