From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Stefan Bader <stefan.bader@canonical.com>,
Peter Oskolkov <posk@google.com>, Florian Westphal <fw@strlen.de>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 76/90] ip6: fix skb leak in ip6frag_expire_frag_queue()
Date: Mon, 8 Jul 2019 17:13:43 +0200 [thread overview]
Message-ID: <20190708150526.177660229@linuxfoundation.org> (raw)
In-Reply-To: <20190708150521.829733162@linuxfoundation.org>
[ Upstream commit 47d3d7fdb10a21c223036b58bd70ffdc24a472c4 ]
Since ip6frag_expire_frag_queue() now pulls the head skb
from frag queue, we should no longer use skb_get(), since
this leads to an skb leak.
Stefan Bader initially reported a problem in 4.4.stable [1] caused
by the skb_get(), so this patch should also fix this issue.
296583.091021] kernel BUG at /build/linux-6VmqmP/linux-4.4.0/net/core/skbuff.c:1207!
[296583.091734] Call Trace:
[296583.091749] [<ffffffff81740e50>] __pskb_pull_tail+0x50/0x350
[296583.091764] [<ffffffff8183939a>] _decode_session6+0x26a/0x400
[296583.091779] [<ffffffff817ec719>] __xfrm_decode_session+0x39/0x50
[296583.091795] [<ffffffff818239d0>] icmpv6_route_lookup+0xf0/0x1c0
[296583.091809] [<ffffffff81824421>] icmp6_send+0x5e1/0x940
[296583.091823] [<ffffffff81753238>] ? __netif_receive_skb+0x18/0x60
[296583.091838] [<ffffffff817532b2>] ? netif_receive_skb_internal+0x32/0xa0
[296583.091858] [<ffffffffc0199f74>] ? ixgbe_clean_rx_irq+0x594/0xac0 [ixgbe]
[296583.091876] [<ffffffffc04eb260>] ? nf_ct_net_exit+0x50/0x50 [nf_defrag_ipv6]
[296583.091893] [<ffffffff8183d431>] icmpv6_send+0x21/0x30
[296583.091906] [<ffffffff8182b500>] ip6_expire_frag_queue+0xe0/0x120
[296583.091921] [<ffffffffc04eb27f>] nf_ct_frag6_expire+0x1f/0x30 [nf_defrag_ipv6]
[296583.091938] [<ffffffff810f3b57>] call_timer_fn+0x37/0x140
[296583.091951] [<ffffffffc04eb260>] ? nf_ct_net_exit+0x50/0x50 [nf_defrag_ipv6]
[296583.091968] [<ffffffff810f5464>] run_timer_softirq+0x234/0x330
[296583.091982] [<ffffffff8108a339>] __do_softirq+0x109/0x2b0
Fixes: d4289fcc9b16 ("net: IP6 defrag: use rbtrees for IPv6 defrag")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Stefan Bader <stefan.bader@canonical.com>
Cc: Peter Oskolkov <posk@google.com>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/ipv6_frag.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
index 28aa9b30aece..1f77fb4dc79d 100644
--- a/include/net/ipv6_frag.h
+++ b/include/net/ipv6_frag.h
@@ -94,7 +94,6 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq)
goto out;
head->dev = dev;
- skb_get(head);
spin_unlock(&fq->q.lock);
icmpv6_send(head, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
--
2.20.1
next prev parent reply other threads:[~2019-07-08 15:39 UTC|newest]
Thread overview: 98+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-08 15:12 [PATCH 4.19 00/90] 4.19.58-stable review Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 01/90] Bluetooth: Fix faulty expression for minimum encryption key size check Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 02/90] block: Fix a NULL pointer dereference in generic_make_request() Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 03/90] md/raid0: Do not bypass blocking queue entered for raid0 bios Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 04/90] netfilter: nf_flow_table: ignore DF bit setting Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 05/90] netfilter: nft_flow_offload: set liberal tracking mode for tcp Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 06/90] netfilter: nft_flow_offload: dont offload when sequence numbers need adjustment Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 07/90] netfilter: nft_flow_offload: IPCB is only valid for ipv4 family Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 08/90] ASoC : cs4265 : readable register too low Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 09/90] ASoC: ak4458: add return value for ak4458_probe Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 10/90] ASoC: soc-pcm: BE dai needs prepare when pause release after resume Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 11/90] ASoC: ak4458: rstn_control - return a non-zero on error only Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 12/90] spi: bitbang: Fix NULL pointer dereference in spi_unregister_master Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 13/90] drm/mediatek: fix unbind functions Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 14/90] drm/mediatek: unbind components in mtk_drm_unbind() Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 15/90] drm/mediatek: call drm_atomic_helper_shutdown() when unbinding driver Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 16/90] drm/mediatek: clear num_pipes when unbind driver Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 17/90] drm/mediatek: call mtk_dsi_stop() after mtk_drm_crtc_atomic_disable() Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 18/90] ASoC: max98090: remove 24-bit format support if RJ is 0 Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 19/90] ASoC: sun4i-i2s: Fix sun8i tx channel offset mask Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 20/90] ASoC: sun4i-i2s: Add offset to RX channel select Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 21/90] x86/CPU: Add more Icelake model numbers Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 22/90] usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i] Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 23/90] usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 24/90] ALSA: hdac: fix memory release for SST and SOF drivers Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 25/90] SoC: rt274: Fix internal jack assignment in set_jack callback Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 26/90] scsi: hpsa: correct ioaccel2 chaining Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 27/90] drm: panel-orientation-quirks: Add quirk for GPD pocket2 Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 28/90] drm: panel-orientation-quirks: Add quirk for GPD MicroPC Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 29/90] platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 30/90] platform/x86: intel-vbtn: Report switch events when event wakes device Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 31/90] platform/x86: mlx-platform: Fix parent device in i2c-mux-reg device registration Greg Kroah-Hartman
2019-07-08 15:12 ` [PATCH 4.19 32/90] platform/mellanox: mlxreg-hotplug: Add devm_free_irq call to remove flow Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 33/90] i2c: pca-platform: Fix GPIO lookup code Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 34/90] cpuset: restore sanity to cpuset_cpus_allowed_fallback() Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 35/90] scripts/decode_stacktrace.sh: prefix addr2line with $CROSS_COMPILE Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 36/90] mm/mlock.c: change count_mm_mlocked_page_nr return type Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 37/90] tracing: avoid build warning with HAVE_NOP_MCOUNT Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 38/90] module: Fix livepatch/ftrace module text permissions race Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 39/90] ftrace: Fix NULL pointer dereference in free_ftrace_func_mapper() Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 40/90] drm/i915/dmc: protect against reading random memory Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 41/90] ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 42/90] crypto: user - prevent operating on larval algorithms Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 43/90] crypto: cryptd - Fix skcipher instance memory leak Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 44/90] ALSA: seq: fix incorrect order of dest_client/dest_ports arguments Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 45/90] ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 46/90] ALSA: line6: Fix write on zero-sized buffer Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 47/90] ALSA: usb-audio: fix sign unintended sign extension on left shifts Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 48/90] ALSA: hda/realtek: Add quirks for several Clevo notebook barebones Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 49/90] ALSA: hda/realtek - Change front mic location for Lenovo M710q Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 50/90] lib/mpi: Fix karactx leak in mpi_powm Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 51/90] fs/userfaultfd.c: disable irqs for fault_pending and event locks Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 52/90] tracing/snapshot: Resize spare buffer if size changed Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 53/90] ARM: dts: armada-xp-98dx3236: Switch to armada-38x-uart serial node Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 54/90] arm64: kaslr: keep modules inside module region when KASAN is enabled Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 55/90] drm/amd/powerplay: use hardware fan control if no powerplay fan table Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 56/90] drm/amdgpu/gfx9: use reset default for PA_SC_FIFO_SIZE Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 57/90] drm/etnaviv: add missing failure path to destroy suballoc Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 58/90] drm/imx: notify drm core before sending event during crtc disable Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 59/90] drm/imx: only send event on crtc disable if kept disabled Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 60/90] ftrace/x86: Remove possible deadlock between register_kprobe() and ftrace_run_update_code() Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 61/90] mm/vmscan.c: prevent useless kswapd loops Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 62/90] btrfs: Ensure replaced device doesnt have pending chunk allocation Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 63/90] tty: rocket: fix incorrect forward declaration of rp_init() Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 64/90] mlxsw: spectrum: Handle VLAN device unlinking Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 65/90] net/smc: move unhash before release of clcsock Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 66/90] media: s5p-mfc: fix incorrect bus assignment in virtual child device Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 67/90] drm/fb-helper: generic: Dont take module ref for fbcon Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 68/90] f2fs: dont access node/meta inode mapping after iput Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 69/90] mac80211: mesh: fix missing unlock on error in table_path_del() Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 70/90] scsi: tcmu: fix use after free Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 71/90] selftests: fib_rule_tests: Fix icmp proto with ipv6 Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 72/90] x86/boot/compressed/64: Do not corrupt EDX on EFER.LME=1 setting Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 73/90] net: hns: Fixes the missing put_device in positive leg for roce reset Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 74/90] ALSA: hda: Initialize power_state field properly Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 75/90] rds: Fix warning Greg Kroah-Hartman
2019-07-08 15:13 ` Greg Kroah-Hartman [this message]
2019-07-08 15:13 ` [PATCH 4.19 77/90] netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 78/90] sc16is7xx: move label err_spi to correct section Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 79/90] net: hns: fix unsigned comparison to less than zero Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 80/90] bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 81/90] netfilter: ipv6: nf_defrag: accept duplicate fragments again Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 82/90] KVM: x86: degrade WARN to pr_warn_ratelimited Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 83/90] KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 84/90] nfsd: Fix overflow causing non-working mounts on 1 TB machines Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 85/90] svcrdma: Ignore source port when computing DRC hash Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 86/90] MIPS: Fix bounds check virt_addr_valid Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 87/90] MIPS: Add missing EHB in mtc0 -> mfc0 sequence Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 88/90] MIPS: have "plain" make calls build dtbs for selected platforms Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 89/90] dmaengine: qcom: bam_dma: Fix completed descriptors count Greg Kroah-Hartman
2019-07-08 15:13 ` [PATCH 4.19 90/90] dmaengine: imx-sdma: remove BD_INTR for channel0 Greg Kroah-Hartman
2019-07-08 17:31 ` [PATCH 4.19 00/90] 4.19.58-stable review Phong Tran
2019-07-08 19:12 ` kernelci.org bot
2019-07-09 0:54 ` shuah
2019-07-09 4:24 ` Naresh Kamboju
2019-07-09 15:44 ` Amol Surati
2019-07-09 18:41 ` Guenter Roeck
2019-07-10 6:13 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190708150526.177660229@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=posk@google.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=stefan.bader@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).