diff mbox series

[net-next,v3,4/4] net: tcp: reset 'drop_reason' to NOT_SPCIFIED in tcp_v{4,6}_rcv()

Message ID 20220513030339.336580-5-imagedong@tencent.com (mailing list archive)
State Accepted
Commit f8319dfd1b3b3be6c08795017fc30f880f8bc861
Delegated to: Netdev Maintainers
Headers show
Series net: skb: check the boundrary of skb drop reason | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Series has a cover letter
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 22 this patch: 22
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 9 this patch: 9
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 22 this patch: 22
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 14 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Menglong Dong May 13, 2022, 3:03 a.m. UTC
From: Menglong Dong <imagedong@tencent.com>

The 'drop_reason' that passed to kfree_skb_reason() in tcp_v4_rcv()
and tcp_v6_rcv() can be SKB_NOT_DROPPED_YET(0), as it is used as the
return value of tcp_inbound_md5_hash().

And it can panic the kernel with NULL pointer in
net_dm_packet_report_size() if the reason is 0, as drop_reasons[0]
is NULL.

Fixes: 1330b6ef3313 ("skb: make drop reason booleanable")
Reviewed-by: Jiang Biao <benbjiang@tencent.com>
Reviewed-by: Hao Peng <flyingpeng@tencent.com>
Signed-off-by: Menglong Dong <imagedong@tencent.com>
---
v3:
- remove new lines between tags
v2:
- consider tcp_v6_rcv()
---
 net/ipv4/tcp_ipv4.c | 1 +
 net/ipv6/tcp_ipv6.c | 1 +
 2 files changed, 2 insertions(+)

Comments

Jakub Kicinski May 19, 2022, 3:48 p.m. UTC | #1
On Fri, 13 May 2022 11:03:39 +0800 menglong8.dong@gmail.com wrote:
> From: Menglong Dong <imagedong@tencent.com>
> 
> The 'drop_reason' that passed to kfree_skb_reason() in tcp_v4_rcv()
> and tcp_v6_rcv() can be SKB_NOT_DROPPED_YET(0), as it is used as the
> return value of tcp_inbound_md5_hash().
> 
> And it can panic the kernel with NULL pointer in
> net_dm_packet_report_size() if the reason is 0, as drop_reasons[0]
> is NULL.
> 
> Fixes: 1330b6ef3313 ("skb: make drop reason booleanable")

This patch is in net, should this fix have been targeting net / 5.18?
Menglong Dong May 20, 2022, 1:46 a.m. UTC | #2
On Thu, May 19, 2022 at 11:48 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Fri, 13 May 2022 11:03:39 +0800 menglong8.dong@gmail.com wrote:
> > From: Menglong Dong <imagedong@tencent.com>
> >
> > The 'drop_reason' that passed to kfree_skb_reason() in tcp_v4_rcv()
> > and tcp_v6_rcv() can be SKB_NOT_DROPPED_YET(0), as it is used as the
> > return value of tcp_inbound_md5_hash().
> >
> > And it can panic the kernel with NULL pointer in
> > net_dm_packet_report_size() if the reason is 0, as drop_reasons[0]
> > is NULL.
> >
> > Fixes: 1330b6ef3313 ("skb: make drop reason booleanable")
>
> This patch is in net, should this fix have been targeting net / 5.18?

Yeah, I think it should have. What do I need to do? CC someone?
Jakub Kicinski May 20, 2022, 2:09 a.m. UTC | #3
On Fri, 20 May 2022 09:46:49 +0800 Menglong Dong wrote:
> > This patch is in net, should this fix have been targeting net / 5.18?  
> 
> Yeah, I think it should have. What do I need to do? CC someone?

Too late now, I was just double checking. It can make its way to the
current release via stable in a week or two.

BTW I'm about to send a fixup to patch 4, stay tuned.
Jakub Kicinski May 20, 2022, 2:18 a.m. UTC | #4
On Thu, 19 May 2022 19:09:15 -0700 Jakub Kicinski wrote:
> On Fri, 20 May 2022 09:46:49 +0800 Menglong Dong wrote:
> > > This patch is in net, should this fix have been targeting net / 5.18?    
> > 
> > Yeah, I think it should have. What do I need to do? CC someone?  
> 
> Too late now, I was just double checking. It can make its way to the
> current release via stable in a week or two.

Ah, FWIW my initial question was missing "-next" - I meant to say that
the patch is in net-next rather than net. I think you got what I meant..
Menglong Dong May 20, 2022, 2:39 a.m. UTC | #5
On Fri, May 20, 2022 at 10:18 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 19 May 2022 19:09:15 -0700 Jakub Kicinski wrote:
> > On Fri, 20 May 2022 09:46:49 +0800 Menglong Dong wrote:
> > > > This patch is in net, should this fix have been targeting net / 5.18?
> > >
> > > Yeah, I think it should have. What do I need to do? CC someone?
> >
> > Too late now, I was just double checking. It can make its way to the
> > current release via stable in a week or two.
>
> Ah, FWIW my initial question was missing "-next" - I meant to say that
> the patch is in net-next rather than net. I think you got what I meant..

Yeah, I get what you mean now. Such bug-fix patches should target 'net'
rather than 'net-next'.

BTW, thanks for your fixup...I am still surprised at my mistake.
diff mbox series

Patch

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 918816ec5dd4..24eb42497a71 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2101,6 +2101,7 @@  int tcp_v4_rcv(struct sk_buff *skb)
 	}
 
 discard_it:
+	SKB_DR_OR(drop_reason, NOT_SPECIFIED);
 	/* Discard frame. */
 	kfree_skb_reason(skb, drop_reason);
 	return 0;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 60bdec257ba7..636ed23d9af0 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1509,6 +1509,7 @@  int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
 discard:
 	if (opt_skb)
 		__kfree_skb(opt_skb);
+	SKB_DR_OR(reason, NOT_SPECIFIED);
 	kfree_skb_reason(skb, reason);
 	return 0;
 csum_err: