Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AC742C636D6 for ; Mon, 30 Jan 2023 21:06:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230425AbjA3VGE (ORCPT ); Mon, 30 Jan 2023 16:06:04 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60870 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230414AbjA3VF7 (ORCPT ); Mon, 30 Jan 2023 16:05:59 -0500 Received: from www62.your-server.de (www62.your-server.de [213.133.104.62]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 243E0474F8; Mon, 30 Jan 2023 13:05:39 -0800 (PST) Received: from sslproxy03.your-server.de ([88.198.220.132]) by www62.your-server.de with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1pMbLC-000NMm-Ba; Mon, 30 Jan 2023 22:05:26 +0100 Received: from [85.1.206.226] (helo=linux.home) by sslproxy03.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pMbLB-000BBl-TF; Mon, 30 Jan 2023 22:05:25 +0100 Subject: Re: [PATCH] net: fix NULL pointer in skb_segment_list To: Yan Zhai , netdev@vger.kernel.org Cc: edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, davem@davemloft.net, asml.silence@gmail.com, imagedong@tencent.com, keescook@chromium.org, jbenc@redhat.com, richardbgobert@gmail.com, willemb@google.com, steffen.klassert@secunet.com, linux-kernel@vger.kernel.org References: From: Daniel Borkmann Message-ID: <0e41673f-457d-1685-ea47-0166ca71ff97@iogearbox.net> Date: Mon, 30 Jan 2023 22:05:25 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.103.7/26797/Mon Jan 30 09:24:58 2023) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/30/23 9:51 PM, Yan Zhai wrote: > Commit 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.") > introduced UDP listifyed GRO. The segmentation relies on frag_list being > untouched when passing through the network stack. This assumption can be > broken sometimes, where frag_list itself gets pulled into linear area, > leaving frag_list being NULL. When this happens it can trigger > following NULL pointer dereference, and panic the kernel. Reverse the > test condition should fix it. > > [19185.577801][ C1] BUG: kernel NULL pointer dereference, address: > ... > [19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390 > ... > [19185.834644][ C1] Call Trace: > [19185.841730][ C1] > [19185.848563][ C1] __udp_gso_segment+0x33e/0x510 > [19185.857370][ C1] inet_gso_segment+0x15b/0x3e0 > [19185.866059][ C1] skb_mac_gso_segment+0x97/0x110 > [19185.874939][ C1] __skb_gso_segment+0xb2/0x160 > [19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0 > [19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90 > [19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200 > [19185.910003][ C1] ip_local_deliver_finish+0x44/0x60 > [19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0 > [19185.927834][ C1] process_backlog+0x88/0x130 > [19185.935840][ C1] __napi_poll+0x27/0x150 > [19185.943447][ C1] net_rx_action+0x27e/0x5f0 > [19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core] > [19185.960848][ C1] __do_softirq+0xbc/0x25d > [19185.968607][ C1] irq_exit_rcu+0x83/0xb0 > [19185.976247][ C1] common_interrupt+0x43/0xa0 > [19185.984235][ C1] asm_common_interrupt+0x22/0x40 > ... > [19186.094106][ C1] > > Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.") > Suggested-by: Daniel Borkmann > Reviewed-by: Willem de Bruijn > Signed-off-by: Yan Zhai Acked-by: Daniel Borkmann > net/core/skbuff.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > index 4a0eb5593275..a31ff4d83ecc 100644 > --- a/net/core/skbuff.c > +++ b/net/core/skbuff.c > @@ -4100,7 +4100,7 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, > > skb_shinfo(skb)->frag_list = NULL; > > - do { > + while (list_skb) { > nskb = list_skb; > list_skb = list_skb->next; > > @@ -4146,8 +4146,7 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, > if (skb_needs_linearize(nskb, features) && > __skb_linearize(nskb)) > goto err_linearize; > - > - } while (list_skb); > + } > > skb->truesize = skb->truesize - delta_truesize; > skb->data_len = skb->data_len - delta_len; >