From: Shiming Cheng
Subject: [PATCH net] udp: fix segmentation crash for untrusted source packet
Date: Wed, 13 Mar 2024 21:34:02 +0800
Message-ID: <20240313133402.9027-1-shiming.cheng@mediatek.com>
X-Mailing-List: linux-kernel@vger.kernel.org

A kernel exception is reported when making udp frag list segmentation.
The backtrace is as below:
    at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:229
    at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:262
    features=features@entry=19, is_ipv6=false)
    at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:289
    features=19)
    at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:399
    features=19)
    at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/af_inet.c:1418
    skb@entry=0x0, features=19, features@entry=0)
    at out/android15-6.6/kernel-6.6/kernel-6.6/net/core/gso.c:53
    tx_path=)
    at out/android15-6.6/kernel-6.6/kernel-6.6/net/core/gso.c:124

This packet's frag list is null while gso_type is not 0. Then it is
treated as a GRO-ed packet and sent to segment frag list.

Function call path is
udp_rcv_segment => config features value
__udpv4_gso_segment => skb_gso_ok returns false. Here it should be
                       true. Failed reason is features doesn't
                       match gso_type.
__udp_gso_segment_list
skb_segment_list => packet is linear with skb->next = NULL
__udpv4_gso_segment_list_csum => use skb->next directly and
                                 crash happens

In rx-gro-list, a GRO-ed packet has its gso type set to
NETIF_F_GSO_UDP_L4 | NETIF_F_GSO_FRAGLIST in napi_gro_complete. In the
gso flow the features should also set them to match gso_type. Or else
it will always return false in skb_gso_ok. Then it can't discover the
untrusted source packet and results in a crash in the following function.

Fixes: f2696099c6c6 ("udp: Avoid post-GRO UDP checksum recalculation")
Signed-off-by: Shiming Cheng
Signed-off-by: Lena Wang
--- include/net/udp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/udp.h b/include/net/udp.h index 488a6d2babcc..c87baa23b9da 100644 --- a/include/net/udp.h +++ b/include/net/udp.h @@ -464,7 +464,7 @@ void udpv6_encap_enable(void); static inline struct sk_buff *udp_rcv_segment(struct sock *sk, struct sk_buff *skb, bool ipv4) { - netdev_features_t features = NETIF_F_SG; + netdev_features_t features = NETIF_F_SG | NETIF_F_GSO_UDP_L4 | NETIF_F_GSO_FRAGLIST; struct sk_buff *segs; /* Avoid csum recalculation by skb_segment unless userspace explicitly -- 2.18.0
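
Review bot: the new initializer of features in udp_rcv_segment() sets NETIF_F_GSO_UDP_L4 | NETIF_F_GSO_FRAGLIST unconditionally, so it applies to every skb this helper sees, while the unchecked use of skb->next that the commit message names as the crash site (__udpv4_gso_segment_list_csum) is not touched by this patch. A check at the point of use that rejects a packet whose gso_type claims a frag list but whose frag list is empty would address the NULL dereference directly, without depending on skb_gso_ok() classifying the packet first. The commit message should also say what happens to well-formed GRO-ed frag-list packets once skb_gso_ok() starts returning true on this path, since the comment just below the initializer ("Avoid csum recalculation by skb_segment unless userspace explicitly") shows that features is tuned deliberately in this function. The backtrace in the message has lost its function names and would be more useful with them restored. As a style point, the added line runs well past 80 columns and could be split across two lines.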