[PATCH net v2 1/1] net: nsh: limit recursive GSO redispatch

Netdev List
 help / color / mirror / Atom feed

* [PATCH net v2 1/1] net: nsh: limit recursive GSO redispatch
@ 2026-05-10  6:58 Ren Wei
  2026-05-10 11:45 ` [syzbot ci] " syzbot ci
  0 siblings, 1 reply; 2+ messages in thread
From: Ren Wei @ 2026-05-10  6:58 UTC (permalink / raw)
  To: netdev, matttbe
  Cc: jbenc, davem, yuantan098, yifanwucs, tomapufckgml, bird, lkp,
	lx24, caoruide123, n05ec

From: Ruide Cao <caoruide123@gmail.com>

nsh_gso_segment() currently redispatches the inner payload through
skb_mac_gso_segment() after stripping one NSH header. For nested NSH
payloads, this can recurse back into nsh_gso_segment() through repeated
GSO redispatch.

The existing validation added by commit af50e4ba34f4 ("nsh: fix infinite
loop") only covers invalid header lengths and does not prevent recursive
redispatch across nested NSH payload chains.

Use the existing dev_xmit_recursion mechanism to bound recursive
redispatch, as with other nested tunnel-like paths in the networking
stack. If the recursion limit is exceeded, abort segmentation and unwind
the skb state through the existing error path.

This keeps the existing protocol behavior for normal packets while
preventing pathological recursion without adding NSH-specific protocol
unrolling.

Fixes: c411ed854584 ("nsh: add GSO support")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202604302359.kU59LnTI-lkp@intel.com/
Co-developed-by: Xiao Liu <lx24@stu.ynu.edu.cn>
Signed-off-by: Xiao Liu <lx24@stu.ynu.edu.cn>
Signed-off-by: Ruide Cao <caoruide123@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
changes in v2:
- Rework the fix to use dev_xmit_recursion() instead of iteratively
    unwrapping nested NSH payloads.
- Abort segmentation when the recursion limit is exceeded and unwind
    skb state through skb_gso_error_unwind().
- Rewrite the commit message to reflect the recursion-limit approach.
- v1 link: https://lore.kernel.org/all/6112cce99b4e3571444a616d0fb19e91e2fcca72.1776597598.git.caoruide123@gmail.com/

 net/nsh/nsh.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
index bfb7758063f3..d83e4e2da41e 100644
--- a/net/nsh/nsh.c
+++ b/net/nsh/nsh.c
@@ -107,12 +107,14 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
 	skb->protocol = proto;
 
 	features &= NETIF_F_SG;
+	if (dev_xmit_recursion())
+		goto err;
+
+	dev_xmit_recursion_inc();
 	segs = skb_mac_gso_segment(skb, features);
-	if (IS_ERR_OR_NULL(segs)) {
-		skb_gso_error_unwind(skb, htons(ETH_P_NSH), nsh_len,
-				     mac_offset, mac_len);
-		goto out;
-	}
+	dev_xmit_recursion_dec();
+	if (IS_ERR_OR_NULL(segs))
+		goto err;
 
 	for (skb = segs; skb; skb = skb->next) {
 		skb->protocol = outer_proto;
@@ -122,6 +124,11 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
 		skb->mac_len = mac_len;
 	}
 
+	goto out;
+
+err:
+	skb_gso_error_unwind(skb, outer_proto, nsh_len, mac_offset, mac_len);
+
 out:
 	return segs;
 }
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [syzbot ci] Re: net: nsh: limit recursive GSO redispatch
  2026-05-10  6:58 [PATCH net v2 1/1] net: nsh: limit recursive GSO redispatch Ren Wei
@ 2026-05-10 11:45 ` syzbot ci
  0 siblings, 0 replies; 2+ messages in thread
From: syzbot ci @ 2026-05-10 11:45 UTC (permalink / raw)
  To: bird, caoruide123, davem, jbenc, lkp, lx24, matttbe, n05ec,
	netdev, tomapufckgml, yifanwucs, yuantan098
  Cc: syzbot, syzkaller-bugs

syzbot ci has tested the following series

[v2] net: nsh: limit recursive GSO redispatch
https://lore.kernel.org/all/67e8340baa2c2772def267a801c8d5b201444d49.1778382236.git.caoruide123@gmail.com
* [PATCH net v2 1/1] net: nsh: limit recursive GSO redispatch

and found the following issue:
BUG: using __this_cpu_read() in preemptible code in nsh_gso_segment

Full report is available here:
https://ci.syzbot.org/series/cb23e640-2f7a-42e1-8bad-7249684b1cd5

***

BUG: using __this_cpu_read() in preemptible code in nsh_gso_segment

tree:      net
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/netdev/net.git
base:      496c0c4c53bbe1bad97e82cd12103df61a6e459d
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/a7e3d1e1-97c4-4876-99c8-658c4cef49c5/config
syz repro: https://ci.syzbot.org/findings/62ca20c2-7c78-4820-b695-f63b15eaf738/syz_repro

BUG: using __this_cpu_read() in preemptible [00000000] code: syz.1.18/5860
caller is dev_xmit_recursion include/linux/netdevice.h:3625 [inline]
caller is nsh_gso_segment+0x535/0xed0 net/nsh/nsh.c:110
CPU: 0 UID: 0 PID: 5860 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
 dev_xmit_recursion include/linux/netdevice.h:3625 [inline]
 nsh_gso_segment+0x535/0xed0 net/nsh/nsh.c:110
 skb_mac_gso_segment+0x31c/0x690 net/core/gso.c:53
 __skb_gso_segment+0x376/0x540 net/core/gso.c:124
 skb_gso_segment include/net/gso.h:83 [inline]
 validate_xmit_skb+0xa21/0x14a0 net/core/dev.c:4039
 validate_xmit_skb_list net/core/dev.c:4089 [inline]
 __dev_direct_xmit+0x1b4/0x750 net/core/dev.c:4922
 dev_direct_xmit include/linux/netdevice.h:3431 [inline]
 packet_xmit+0x1b4/0x320 net/packet/af_packet.c:285
 packet_snd net/packet/af_packet.c:3082 [inline]
 packet_sendmsg+0x3c81/0x4fb0 net/packet/af_packet.c:3114
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 __sys_sendto+0x672/0x710 net/socket.c:2265
 __do_sys_sendto net/socket.c:2272 [inline]
 __se_sys_sendto net/socket.c:2268 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2268
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcd6a99cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcd6b903028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fcd6ac15fa0 RCX: 00007fcd6a99cdd9
RDX: 00000000000100a6 RSI: 0000200000000180 RDI: 0000000000000005
RBP: 00007fcd6aa32d69 R08: 0000200000000140 R09: 0000000000000014
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcd6ac16038 R14: 00007fcd6ac15fa0 R15: 00007fff57a83608
 </TASK>
BUG: using __this_cpu_add() in preemptible [00000000] code: syz.1.18/5860
caller is dev_xmit_recursion_inc include/linux/netdevice.h:3631 [inline]
caller is nsh_gso_segment+0x57d/0xed0 net/nsh/nsh.c:113
CPU: 0 UID: 0 PID: 5860 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
 dev_xmit_recursion_inc include/linux/netdevice.h:3631 [inline]
 nsh_gso_segment+0x57d/0xed0 net/nsh/nsh.c:113
 skb_mac_gso_segment+0x31c/0x690 net/core/gso.c:53
 __skb_gso_segment+0x376/0x540 net/core/gso.c:124
 skb_gso_segment include/net/gso.h:83 [inline]
 validate_xmit_skb+0xa21/0x14a0 net/core/dev.c:4039
 validate_xmit_skb_list net/core/dev.c:4089 [inline]
 __dev_direct_xmit+0x1b4/0x750 net/core/dev.c:4922
 dev_direct_xmit include/linux/netdevice.h:3431 [inline]
 packet_xmit+0x1b4/0x320 net/packet/af_packet.c:285
 packet_snd net/packet/af_packet.c:3082 [inline]
 packet_sendmsg+0x3c81/0x4fb0 net/packet/af_packet.c:3114
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 __sys_sendto+0x672/0x710 net/socket.c:2265
 __do_sys_sendto net/socket.c:2272 [inline]
 __se_sys_sendto net/socket.c:2268 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2268
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcd6a99cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcd6b903028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fcd6ac15fa0 RCX: 00007fcd6a99cdd9
RDX: 00000000000100a6 RSI: 0000200000000180 RDI: 0000000000000005
RBP: 00007fcd6aa32d69 R08: 0000200000000140 R09: 0000000000000014
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcd6ac16038 R14: 00007fcd6ac15fa0 R15: 00007fff57a83608
 </TASK>
BUG: using __this_cpu_add() in preemptible [00000000] code: syz.1.18/5860
caller is dev_xmit_recursion_dec include/linux/netdevice.h:3636 [inline]
caller is nsh_gso_segment+0x59f/0xed0 net/nsh/nsh.c:115
CPU: 0 UID: 0 PID: 5860 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
 dev_xmit_recursion_dec include/linux/netdevice.h:3636 [inline]
 nsh_gso_segment+0x59f/0xed0 net/nsh/nsh.c:115
 skb_mac_gso_segment+0x31c/0x690 net/core/gso.c:53
 __skb_gso_segment+0x376/0x540 net/core/gso.c:124
 skb_gso_segment include/net/gso.h:83 [inline]
 validate_xmit_skb+0xa21/0x14a0 net/core/dev.c:4039
 validate_xmit_skb_list net/core/dev.c:4089 [inline]
 __dev_direct_xmit+0x1b4/0x750 net/core/dev.c:4922
 dev_direct_xmit include/linux/netdevice.h:3431 [inline]
 packet_xmit+0x1b4/0x320 net/packet/af_packet.c:285
 packet_snd net/packet/af_packet.c:3082 [inline]
 packet_sendmsg+0x3c81/0x4fb0 net/packet/af_packet.c:3114
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 __sys_sendto+0x672/0x710 net/socket.c:2265
 __do_sys_sendto net/socket.c:2272 [inline]
 __se_sys_sendto net/socket.c:2268 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2268
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcd6a99cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcd6b903028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fcd6ac15fa0 RCX: 00007fcd6a99cdd9
RDX: 00000000000100a6 RSI: 0000200000000180 RDI: 0000000000000005
RBP: 00007fcd6aa32d69 R08: 0000200000000140 R09: 0000000000000014
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcd6ac16038 R14: 00007fcd6ac15fa0 R15: 00007fff57a83608
 </TASK>


***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
  Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.

To test a patch for this bug, please reply with `#syz test`
(should be on a separate line).

The patch should be attached to the email.
Note: arguments like custom git repos and branches are not supported.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-05-10 11:45 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-10  6:58 [PATCH net v2 1/1] net: nsh: limit recursive GSO redispatch Ren Wei
2026-05-10 11:45 ` [syzbot ci] " syzbot ci

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox