From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
	Jerome Stanislaus <jeromes@codeaurora.org>,
	Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.5 057/124] xfrm: Fix crash observed during device unregistration and decryption
Date: Mon, 18 Apr 2016 11:28:49 +0900
Message-ID: <20160418022618.664091640@linuxfoundation.org>
In-Reply-To: <20160418022615.726954227@linuxfoundation.org>

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "subashab@codeaurora.org" <subashab@codeaurora.org>

[ Upstream commit 071d36bf21bcc837be00cea55bcef8d129e7f609 ]

A crash is observed when a decrypted packet is processed in receive
path. get_rps_cpus() tries to dereference the skb->dev fields but it
appears that the device is freed from the poison pattern.

[<ffffffc000af58ec>] get_rps_cpu+0x94/0x2f0
[<ffffffc000af5f94>] netif_rx_internal+0x140/0x1cc
[<ffffffc000af6094>] netif_rx+0x74/0x94
[<ffffffc000bc0b6c>] xfrm_input+0x754/0x7d0
[<ffffffc000bc0bf8>] xfrm_input_resume+0x10/0x1c
[<ffffffc000ba6eb8>] esp_input_done+0x20/0x30
[<ffffffc0000b64c8>] process_one_work+0x244/0x3fc
[<ffffffc0000b7324>] worker_thread+0x2f8/0x418
[<ffffffc0000bb40c>] kthread+0xe0/0xec

-013|get_rps_cpu(
     |    dev = 0xFFFFFFC08B688000,
     |    skb = 0xFFFFFFC0C76AAC00 -> (
     |      dev = 0xFFFFFFC08B688000 -> (
     |        name =
"......................................................
     |        name_hlist = (next = 0xAAAAAAAAAAAAAAAA, pprev =
0xAAAAAAAAAAA

The following sequence of events was observed:

- Encrypted packet in receive path from netdevice is queued
- Encrypted packet queued for decryption (asynchronous)
- Netdevice brought down and freed
- Packet is decrypted and returned through callback in esp_input_done
- Packet is queued again for process in network stack using netif_rx

Since the device appears to have been freed, the dereference of
skb->dev in get_rps_cpus() leads to an unhandled page fault
exception.

Fix this by holding on to device reference when queueing packets
asynchronously and releasing the reference on call back return.

v2: Make the change generic to xfrm as mentioned by Steffen and
update the title to xfrm

Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Jerome Stanislaus <jeromes@codeaurora.org>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_input.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -292,12 +292,15 @@ int xfrm_input(struct sk_buff *skb, int
 		XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
 
 		skb_dst_force(skb);
+		dev_hold(skb->dev);
 
 		nexthdr = x->type->input(x, skb);
 
 		if (nexthdr == -EINPROGRESS)
 			return 0;
 resume:
+		dev_put(skb->dev);
+
 		spin_lock(&x->lock);
 		if (nexthdr <= 0) {
 			if (nexthdr == -EBADMSG) {
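Review bot: the dev_hold()/dev_put() pair is balanced on both paths visible in this hunk: a synchronous return from x->type->input() falls through to resume:, and an asynchronous completion re-enters at resume: through xfrm_input_resume(), so each hold is matched by exactly one put. Two points for the hunk itself: the put at resume: uses skb->dev and so relies on the type handler not changing skb->dev between the hold and the resume, which should be stated; and a one-line comment at the new dev_hold(), along the lines of "/* keep the device alive until the async callback returns */", would spare the next reader from having to find this commit message to understand why a reference is taken here.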
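The sequence of events in the commit message, replayed as an added user-space C model (not kernel code and not part of this patch): a reference-counted device, an asynchronous decryption job that captures only the raw skb->dev pointer, and the device being brought down before the job completes. The names xfrm_input_queue, struct decrypt_job, struct outcome and run_sequence are hypothetical, the device name is constructed, and the final dev_put() poisons the object with 0xAA instead of freeing it so the stale access is detectable rather than fatal.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical user-space model of the race, not kernel code. The last
 * dev_put() poisons the device with 0xAA (the pattern in the crash dump)
 * instead of freeing it, so a stale access is detectable rather than fatal. */
struct netdevice { int refcnt; bool freed; char name[16]; };
struct decrypt_job { struct netdevice *dev; bool holds_ref; };
struct outcome { bool dev_live_in_callback; bool dev_freed_at_end; };

static void dev_hold(struct netdevice *dev) { dev->refcnt++; }

static void dev_put(struct netdevice *dev)
{
	if (--dev->refcnt == 0) {               /* last reference: "free" it */
		memset(dev->name, 0xAA, sizeof(dev->name));
		dev->freed = true;
	}
}

/* xfrm_input() model: queue for asynchronous decryption, pinning the
 * device only when 'hold' is set (the patched behaviour). */
static void xfrm_input_queue(struct decrypt_job *job, struct netdevice *dev, bool hold)
{
	job->dev = dev;
	job->holds_ref = hold;
	if (hold)
		dev_hold(dev);
}

/* esp_input_done() -> xfrm_input_resume() -> netif_rx() model: is the
 * device still live where get_rps_cpu() dereferences skb->dev? Then drop
 * the queue-time reference, as the patched 'resume:' label does. */
static bool xfrm_input_resume(struct decrypt_job *job)
{
	bool live = !job->dev->freed;
	if (job->holds_ref)
		dev_put(job->dev);
	return live;
}

/* Replay the commit message's sequence: queue, device brought down, callback. */
static struct outcome run_sequence(bool hold)
{
	struct netdevice dev = { .refcnt = 1, .name = "dev0" }; /* constructed */
	struct decrypt_job job;
	struct outcome out;

	xfrm_input_queue(&job, &dev, hold);
	dev_put(&dev);                          /* owner's reference dropped */
	out.dev_live_in_callback = xfrm_input_resume(&job);
	out.dev_freed_at_end = dev.freed;       /* false would mean a leaked ref */
	return out;
}
```

run_sequence(false) reproduces the unpatched ordering, in which the callback finds the device already released; run_sequence(true) shows the held reference keeping it live until the callback's own put releases it.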

