From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Vittorio Gambaletta <linuxbugs@vittgam.net>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.10 02/29] ipv4: Avoid crashing in ip_error
Date: Fri, 19 Jun 2015 13:36:22 -0700 [thread overview]
Message-ID: <20150619203557.451108076@linuxfoundation.org> (raw)
In-Reply-To: <20150619203557.356558223@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
[ Upstream commit 381c759d9916c42959515ad34a6d467e24a88e93 ]
ip_error does not check if in_dev is NULL before dereferencing it.
IThe following sequence of calls is possible:
CPU A CPU B
ip_rcv_finish
ip_route_input_noref()
ip_route_input_slow()
inetdev_destroy()
dst_input()
With the result that a network device can be destroyed while processing
an input packet.
A crash was triggered with only unicast packets in flight, and
forwarding enabled on the only network device. The error condition
was created by the removal of the network device.
As such it is likely the that error code was -EHOSTUNREACH, and the
action taken by ip_error (if in_dev had been accessible) would have
been to not increment any counters and to have tried and likely failed
to send an icmp error as the network device is going away.
Therefore handle this weird case by just dropping the packet if
!in_dev. It will result in dropping the packet sooner, and will not
result in an actual change of behavior.
Fixes: 251da4130115b ("ipv4: Cache ip_error() routes even when not forwarding.")
Reported-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Tested-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/route.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -871,6 +871,10 @@ static int ip_error(struct sk_buff *skb)
bool send;
int code;
+ /* IP on this device is disabled. */
+ if (!in_dev)
+ goto out;
+
net = dev_net(rt->dst.dev);
if (!IN_DEV_FORWARD(in_dev)) {
switch (rt->dst.error) {
--
To unsubscribe from this list: send the line "unsubscribe stable" in
next prev parent reply other threads:[~2015-06-19 20:49 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-19 20:36 [PATCH 3.10 00/29] 3.10.81-stable review Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 01/29] net: phy: Allow EEE for all RGMII variants Greg Kroah-Hartman
2015-06-19 20:36 ` Greg Kroah-Hartman [this message]
2015-06-19 20:36 ` [PATCH 3.10 03/29] bridge: fix parsing of MLDv2 reports Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 04/29] net: dp83640: fix broken calibration routine Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 05/29] unix/caif: sk_socket can disappear when state is unlocked Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 06/29] net_sched: invoke ->attach() after setting dev->qdisc Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 07/29] udp: fix behavior of wrong checksums Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 08/29] xen: netback: read hotplug script once at start of day Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 09/29] iio: adis16400: Report pressure channel scale Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 10/29] iio: adis16400: Use != channel indices for the two voltage channels Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 11/29] iio: adis16400: Compute the scan mask from channel indices Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 12/29] ALSA: hda/realtek - Add a fixup for another Acer Aspire 9420 Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 13/29] ALSA: usb-audio: Add mic volume fix quirk for Logitech Quickcam Fusion Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 14/29] ALSA: usb-audio: add MAYA44 USB+ mixer control names Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 16/29] block: fix ext_dev_lock lockdep report Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 17/29] USB: cp210x: add ID for HubZ dual ZigBee and Z-Wave dongle Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 18/29] USB: serial: ftdi_sio: Add support for a Motion Tracker Development Board Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 19/29] ring-buffer-benchmark: Fix the wrong sched_priority of producer Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 20/29] MIPS: Fix enabling of DEBUG_STACKOVERFLOW Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 21/29] ozwpan: Use proper check to prevent heap overflow Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 22/29] ozwpan: divide-by-zero leading to panic Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 23/29] ozwpan: unchecked signed subtraction leads to DoS Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 24/29] pata_octeon_cf: fix broken build Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 26/29] mm/memory_hotplug.c: set zone->wait_table to null after freeing it Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 27/29] cfg80211: wext: clear sinfo struct before calling driver Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 28/29] btrfs: incorrect handling for fiemap_fill_next_extent return Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.10 29/29] btrfs: cleanup orphans while looking up default subvolume Greg Kroah-Hartman
2015-06-20 1:13 ` [PATCH 3.10 00/29] 3.10.81-stable review Shuah Khan
2015-06-20 1:25 ` Guenter Roeck
2015-06-20 7:50 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150619203557.451108076@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxbugs@vittgam.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).