From: kerneljasonxing@gmail.com
To: davem@davemloft.net, kuba@kernel.org, alobakin@pm.me, jonathan.lemon@gmail.com, willemb@google.com, pabeni@redhat.com, vvs@virtuozzo.com, cong.wang@bytedance.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kerneljasonxing@gmail.com, Jason Xing
Subject: [PATCH net] net: gro: set the last skb->next to NULL when it get merged
Date: Tue, 26 Oct 2021 21:18:59 +0800
Message-Id: <20211026131859.59114-1-kerneljasonxing@gmail.com>

From: Jason Xing

Setting the @next of the last skb to NULL to prevent the panic in future when someone does something to the last of the gro list but its @next is invalid.

For example, without the fix (commit: ece23711dd95), a panic could happen with the clsact loaded when skb is redirected and then validated in validate_xmit_skb_list() which could access the error addr of the @next of the last skb. Thus, "general protection fault" would appear after that.

Signed-off-by: Jason Xing
--- net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 2170bea..7b248f1 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -4396,6 +4396,7 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) skb_shinfo(p)->frag_list = skb; else NAPI_GRO_CB(p)->last->next = skb; + skb->next = NULL; NAPI_GRO_CB(p)->last = skb; __skb_header_release(skb); lp = p; -- 1.8.3.1
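
Review bot: The added `skb->next = NULL;` between `NAPI_GRO_CB(p)->last->next = skb;` and `NAPI_GRO_CB(p)->last = skb;` guards against a panic that the commit message itself attributes to the absence of commit ece23711dd95, so as posted it reads as hardening rather than a fix, yet it is tagged [PATCH net] and carries no Fixes: tag. Either add a Fixes: line naming the change that leaves a stale @next on the merged skb, or retarget the patch to net-next and say in the message that it is defensive. The message also does not say where the invalid @next comes from at this point in skb_gro_receive(); a one-line comment above the assignment stating that skb is now the tail of the chain and must terminate it would make the invariant explicit for later list walkers such as validate_xmit_skb_list().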