Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-10-23 05:30:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
17bd3bd82f
linux/net/ipv6
History
Felix Fietkau 17bd3bd82f net: gso: fix tcp fraglist segmentation after pull from frag_list 
Detect tcp gso fraglist skbs with corrupted geometry (see below) and
pass these to skb_segment instead of skb_segment_list, as the first
can segment them correctly.

Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size

Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify these skbs, breaking these invariants.

In extreme cases they pull all data into skb linear. For TCP, this
causes a NULL ptr deref in __tcpv4_gso_segment_list_csum at
tcp_hdr(seg->next).

Detect invalid geometry due to pull, by checking head_skb size.
Don't just drop, as this may blackhole a destination. Convert to be
able to pass to regular skb_segment.

Approach and description based on a patch by Willem de Bruijn.

Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/
Link: https://lore.kernel.org/netdev/20240922150450.3873767-1-willemdebruijn.kernel@gmail.com/
Fixes: bee88cd5bd ("net: add support for segmenting TCP fraglist GSO packets")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20240926085315.51524-1-nbd@nbd.name
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-10-02 17:21:47 -07:00
..
ila ila: call nf_unregister_net_hooks() sooner 2024-09-05 14:57:12 -07:00
netfilter netfilter pull request 24-09-26 2024-09-26 15:47:11 +02:00
addrconf_core.c ipv6: Ensure natural alignment of const ipv6 loopback and router addresses 2024-01-30 12:43:18 +01:00
addrconf.c ipv6: remove redundant check 2024-08-21 17:21:09 -07:00
addrlabel.c ipv6: remove RTNL protection from ip6addrlbl_dump() 2024-04-08 11:01:05 +01:00
af_inet6.c tcp: add SO_PEEK_OFF socket option tor TCPv6 2024-08-29 13:00:36 -07:00
ah6.c net: fill in MODULE_DESCRIPTION()s for ipv6 modules 2024-02-09 14:12:01 -08:00
anycast.c ipv6: anycast: use call_rcu_hurry() in aca_put() 2024-05-01 11:46:21 +01:00
calipso.c netlabel: remove impossible return value in netlbl_bitmap_walk 2024-02-28 19:37:34 -08:00
datagram.c ipv6: annotate data-races around np->ucast_oif 2023-12-11 10:59:17 +00:00
esp6_offload.c xfrm: Log input direction mismatch error in one place 2024-06-17 13:53:19 +02:00
esp6.c net: support non paged skb frags 2024-09-11 20:44:31 -07:00
exthdrs_core.c ipv6: Fix out-of-bounds access in ipv6_find_tlv() 2023-05-24 08:43:39 +01:00
exthdrs_offload.c net: gso: add HBH extension header offload support 2024-01-05 08:11:49 -08:00
exthdrs.c net: ipv6: exthdrs: get rid of ipv6_skb_net() 2024-03-11 15:15:08 -07:00
fib6_notifier.c
fib6_rules.c ipv6: fib_rules: Add DSCP selector support 2024-09-13 21:15:45 -07:00
fou6.c
icmp.c icmp: move icmp_global.credit and icmp_global.stamp to per netns storage 2024-08-30 11:14:06 -07:00
inet6_connection_sock.c net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
inet6_hashtables.c inet6: constify 'struct net' parameter of various lookup helpers 2024-08-05 16:27:26 -07:00
ioam6_iptunnel.c ioam6: improve checks on user data 2024-09-03 11:38:32 -07:00
ioam6.c ipv6/addrconf: annotate data-races around devconf fields (II) 2024-03-01 08:42:33 +00:00
ip6_checksum.c
ip6_fib.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-06-20 13:49:59 -07:00
ip6_flowlabel.c ipv6: move np->repflow to atomic flags 2023-09-15 10:33:48 +01:00
ip6_gre.c netdev_features: convert NETIF_F_NETNS_LOCAL to dev->netns_local 2024-09-03 11:36:43 +02:00
ip6_icmp.c
ip6_input.c net/ipv6: make use of the helper macro LIST_HEAD() 2024-09-06 18:10:21 -07:00
ip6_offload.c net: gro: initialize network_offset in network layer 2024-05-27 16:46:59 -07:00
ip6_offload.h
ip6_output.c ipv6: prevent possible UAF in ip6_xmit() 2024-08-21 17:35:49 -07:00
ip6_tunnel.c ip6_tunnel: Unmask upper DSCP bits in ip4ip6_err() 2024-09-04 16:57:11 -07:00
ip6_udp_tunnel.c net: fill in MODULE_DESCRIPTION()s for ipv6 modules 2024-02-09 14:12:01 -08:00
ip6_vti.c net: annotate writes on dev->mtu from ndo_change_mtu() 2024-05-07 16:19:14 -07:00
ip6mr.c netdev_features: convert NETIF_F_NETNS_LOCAL to dev->netns_local 2024-09-03 11:36:43 +02:00
ipcomp6.c xfrm: ipcomp: add extack to ipcomp{4,6}_init_state 2022-09-29 07:18:00 +02:00
ipv6_sockglue.c ipv6: avoid indirect calls for SOL_IP socket options 2024-08-26 14:53:50 -07:00
Kconfig net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL 2024-09-22 19:52:07 +01:00
Makefile net/tcp: Introduce TCP_AO setsockopt()s 2023-10-27 10:35:44 +01:00
mcast_snoop.c
mcast.c ipv6: mcast: use min() to simplify the code 2024-08-26 09:48:53 -07:00
mip6.c net: fill in MODULE_DESCRIPTION()s for ipv6 modules 2024-02-09 14:12:01 -08:00
ndisc.c net/ipv6: replace deprecated strcpy with strscpy 2024-08-29 12:33:07 -07:00
netfilter.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-06-13 13:13:46 -07:00
output_core.c ipv6: annotate data-races around cnf.hop_limit 2024-03-01 08:42:31 +00:00
ping.c ipv6: introduce dst_rt6_info() helper 2024-04-29 13:32:01 +01:00
proc.c minmax: add a few more MIN_T/MAX_T users 2024-07-28 13:41:14 -07:00
protocol.c
raw.c net: raw: use sk_skb_reason_drop to free rx packets 2024-06-19 12:44:22 +01:00
reassembly.c net: Rename mono_delivery_time to tstamp_type for scalabilty 2024-05-23 14:14:23 -07:00
route.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-09-15 09:13:19 -07:00
rpl_iptunnel.c net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input 2024-09-13 19:55:49 -07:00
rpl.c ipv6: rpl: Remove pskb(_may)?_pull() in ipv6_rpl_srh_rcv(). 2023-06-19 11:32:58 -07:00
seg6_hmac.c ipv6: sr: fix memleak in seg6_hmac_init_algo 2024-05-21 13:16:25 +02:00
seg6_iptunnel.c ipv6: sr: block BH in seg6_output_core() and seg6_input_core() 2024-06-03 18:50:08 -07:00
seg6_local.c seg6: Use nested-BH locking for seg6_bpf_srh_states. 2024-06-24 16:41:23 -07:00
seg6.c ipv6: sr: restruct ifdefines 2024-05-30 18:29:38 -07:00
sit.c ipv6: sit: Unmask upper DSCP bits in ipip6_tunnel_bind_dev() 2024-09-04 16:57:11 -07:00
syncookies.c tcp: use sk_skb_reason_drop to free rx packets 2024-06-19 12:44:22 +01:00
sysctl_net_ipv6.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
tcp_ao.c net/tcp: Wire up l3index to TCP-AO 2023-10-27 10:35:46 +01:00
tcp_ipv6.c tcp: annotate data-races around tcptw->tw_rcv_nxt 2024-08-28 17:08:17 -07:00
tcpv6_offload.c net: gso: fix tcp fraglist segmentation after pull from frag_list 2024-10-02 17:21:47 -07:00
tunnel6.c net: fill in MODULE_DESCRIPTION()s for ipv6 modules 2024-02-09 14:12:01 -08:00
udp_impl.h tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2022-10-12 17:50:37 -07:00
udp_offload.c net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb 2024-05-02 11:02:48 +02:00
udp.c ipv6: udp: constify 'struct net' parameter of socket lookups 2024-08-05 16:27:26 -07:00
udplite.c udplite: remove UDPLITE_BIT 2023-09-14 16:16:36 +02:00
xfrm6_input.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-05-09 10:01:01 -07:00
xfrm6_output.c ipv6: drop feature RTAX_FEATURE_ALLFRAG 2023-10-25 18:04:29 -07:00
xfrm6_policy.c ipsec-next-2024-07-13 2024-07-14 07:56:32 -07:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c ipsec-next-2024-03-06 2024-03-08 10:56:05 +00:00