linux/drivers/net
Eric Dumazet 794ed393b7 net: loopback: fix a dst refcounting issue
Ben Greear reported crashes in ip_rcv_finish() on a stress
test involving many macvlans.

We tracked the bug to a dst use after free. ip_rcv_finish()
was calling dst->input() and got garbage for dst->input value.

It appears the bug is in the loopback driver, lacking
a skb_dst_force() before calling netif_rx().

As a result, a non-refcounted dst, normally protected by an
RCU read_lock section, was escaping this section and could
be freed before the packet was processed.

  [<ffffffff813a3c4d>] loopback_xmit+0x64/0x83
  [<ffffffff81477364>] dev_hard_start_xmit+0x26c/0x35e
  [<ffffffff8147771a>] dev_queue_xmit+0x2c4/0x37c
  [<ffffffff81477456>] ? dev_hard_start_xmit+0x35e/0x35e
  [<ffffffff8148cfa6>] ? eth_header+0x28/0xb6
  [<ffffffff81480f09>] neigh_resolve_output+0x176/0x1a7
  [<ffffffff814ad835>] ip_finish_output2+0x297/0x30d
  [<ffffffff814ad6d5>] ? ip_finish_output2+0x137/0x30d
  [<ffffffff814ad90e>] ip_finish_output+0x63/0x68
  [<ffffffff814ae412>] ip_output+0x61/0x67
  [<ffffffff814ab904>] dst_output+0x17/0x1b
  [<ffffffff814adb6d>] ip_local_out+0x1e/0x23
  [<ffffffff814ae1c4>] ip_queue_xmit+0x315/0x353
  [<ffffffff814adeaf>] ? ip_send_unicast_reply+0x2cc/0x2cc
  [<ffffffff814c018f>] tcp_transmit_skb+0x7ca/0x80b
  [<ffffffff814c3571>] tcp_connect+0x53c/0x587
  [<ffffffff810c2f0c>] ? getnstimeofday+0x44/0x7d
  [<ffffffff810c2f56>] ? ktime_get_real+0x11/0x3e
  [<ffffffff814c6f9b>] tcp_v4_connect+0x3c2/0x431
  [<ffffffff814d6913>] __inet_stream_connect+0x84/0x287
  [<ffffffff814d6b38>] ? inet_stream_connect+0x22/0x49
  [<ffffffff8108d695>] ? _local_bh_enable_ip+0x84/0x9f
  [<ffffffff8108d6c8>] ? local_bh_enable+0xd/0x11
  [<ffffffff8146763c>] ? lock_sock_nested+0x6e/0x79
  [<ffffffff814d6b38>] ? inet_stream_connect+0x22/0x49
  [<ffffffff814d6b49>] inet_stream_connect+0x33/0x49
  [<ffffffff814632c6>] sys_connect+0x75/0x98

This bug was introduced in linux-2.6.35, in commit
7fee226ad2 (net: add a noref bit on skb dst)

skb_dst_force() is enforced in dev_queue_xmit() for devices having a
qdisc.

Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-27 01:30:35 -05:00
..
appletalk
arcnet ARCNET: remove __dev* attributes 2012-12-03 11:16:10 -08:00
bonding bonding: do not cancel works in bond_uninit() 2012-12-14 13:14:07 -05:00
caif
can can: pch_can: fix invalid error codes 2013-01-26 17:13:41 +01:00
cris
dsa dsa: Hide core config options; make drivers select what they need 2012-11-26 17:10:44 -05:00
ethernet r8169: remove the obsolete and incorrect AMD workaround 2013-01-23 13:51:47 -05:00
fddi drivers/net: fix up function prototypes after __dev* removals 2012-12-07 14:22:22 -05:00
hamradio sections: fix section conflicts in drivers/net/hamradio 2012-10-06 03:04:43 +09:00
hippi drivers/net: fix up function prototypes after __dev* removals 2012-12-07 14:22:22 -05:00
hyperv net/hyperv: fix wrong length of mac address 2013-01-19 11:01:23 -05:00
ieee802154 ieee802154: remove __dev* attributes 2012-12-03 11:16:56 -08:00
irda drivers/net: fix up function prototypes after __dev* removals 2012-12-07 14:22:22 -05:00
phy phy/marvell: remove fiber/copper autoselect on 88e1111 2013-01-17 15:47:24 -05:00
plip
ppp ppp: make ppp_get_stats64 static 2012-11-01 12:38:31 -04:00
slip
team team: fix hw_features setup 2012-11-28 11:39:22 -05:00
usb net: cdc_mbim: send ZLP only for the specific buggy device 2013-01-23 13:45:49 -05:00
vmxnet3 vmxnet3: remove __dev* attributes 2012-12-03 11:17:06 -08:00
wan Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-12-12 18:07:07 -08:00
wimax i2400m: add Intel 6150 device IDs 2012-12-15 17:14:38 -08:00
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-01-17 12:07:44 -05:00
xen-netback xen: netback: handle compound page fragments on transmit. 2012-10-10 22:50:45 -04:00
dummy.c
eql.c
ifb.c
Kconfig vxlan: Depend on CONFIG_INET 2012-10-02 14:37:31 -04:00
LICENSE.SRC
loopback.c net: loopback: fix a dst refcounting issue 2013-01-27 01:30:35 -05:00
macvlan.c macvlan: fix macvlan_get_size() 2013-01-17 16:40:35 -05:00
macvtap.c
Makefile vxlan: virtual extensible lan 2012-10-01 18:39:45 -04:00
mdio.c
mii.c
netconsole.c netconsole: add oops_only module option 2012-11-08 22:06:36 -05:00
rionet.c rapidio/rionet: rework to support multiple RIO master ports 2012-10-06 03:05:23 +09:00
sb1000.c
Space.c
sungem_phy.c Fix misspellings of "whether" in comments. 2012-11-19 14:31:35 +01:00
tun.c tuntap: limit the number of flow caches 2013-01-23 13:47:06 -05:00
veth.c rtnelink: remove unused parameter from rtnl_create_link(). 2012-11-30 12:24:40 -05:00
virtio_net.c virtio-net: reset virtqueue affinity when doing cpu hotplug 2013-01-27 01:22:51 -05:00
vxlan.c vxlan: allow live mac address change 2013-01-03 01:58:13 -08:00
xen-netfront.c xen/netfront: improve truesize tracking 2013-01-07 19:51:19 -08:00