From mboxrd@z Thu Jan  1 00:00:00 1970
From: Eric Dumazet <eric.dumazet@gmail.com>
Subject: Re: [PATCH v2 net] net: Prevent invalid access to skb->prev in
 __qdisc_drop_all
Date: Thu, 29 Nov 2018 16:18:49 -0800
Message-ID: <2a2a645c-edc7-a492-f218-10ac22bdb590@gmail.com>
References: <20181130000104.13213-1-cpaasch@apple.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org,
        Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>,
        Tyler Hicks <tyhicks@canonical.com>
To: Christoph Paasch <cpaasch@apple.com>,
        David Miller <davem@davemloft.net>
Return-path: <netdev-owner@vger.kernel.org>
Received: from mail-pl1-f196.google.com ([209.85.214.196]:37667 "EHLO
        mail-pl1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726392AbeK3L0N (ORCPT
        <rfc822;netdev@vger.kernel.org>); Fri, 30 Nov 2018 06:26:13 -0500
Received: by mail-pl1-f196.google.com with SMTP id b5so1868416plr.4
        for <netdev@vger.kernel.org>; Thu, 29 Nov 2018 16:18:52 -0800 (PST)
In-Reply-To: <20181130000104.13213-1-cpaasch@apple.com>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>



On 11/29/2018 04:01 PM, Christoph Paasch wrote:
> __qdisc_drop_all() accesses skb->prev to get to the tail of the
> segment-list.
> 
> With commit 68d2f84a1368 ("net: gro: properly remove skb from list")
> the skb-list handling has been changed to set skb->next to NULL and set
> the list-poison on skb->prev.
> 
> With that change, __qdisc_drop_all() will panic when it tries to
> dereference skb->prev.
> 

Reviewed-by: Eric Dumazet <edumazet@google.com>

Thanks !