linux/net/core
Alexander Lobakin 9a5a90d167 net: core: netif_receive_skb_list: unlist skb before passing to pt->func
__netif_receive_skb_list_ptype() leaves skb->next poisoned before passing
it to pt_prev->func handler, what may produce (in certain cases, e.g. DSA
setup) crashes like:

[ 88.606777] CPU 0 Unable to handle kernel paging request at virtual address 0000000e, epc == 80687078, ra == 8052cc7c
[ 88.618666] Oops[#1]:
[ 88.621196] CPU: 0 PID: 0 Comm: swapper Not tainted 5.1.0-rc2-dlink-00206-g4192a172-dirty #1473
[ 88.630885] $ 0 : 00000000 10000400 00000002 864d7850
[ 88.636709] $ 4 : 87c0ddf0 864d7800 87c0ddf0 00000000
[ 88.642526] $ 8 : 00000000 49600000 00000001 00000001
[ 88.648342] $12 : 00000000 c288617b dadbee27 25d17c41
[ 88.654159] $16 : 87c0ddf0 85cff080 80790000 fffffffd
[ 88.659975] $20 : 80797b20 ffffffff 00000001 864d7800
[ 88.665793] $24 : 00000000 8011e658
[ 88.671609] $28 : 80790000 87c0dbc0 87cabf00 8052cc7c
[ 88.677427] Hi : 00000003
[ 88.680622] Lo : 7b5b4220
[ 88.683840] epc : 80687078 vlan_dev_hard_start_xmit+0x1c/0x1a0
[ 88.690532] ra : 8052cc7c dev_hard_start_xmit+0xac/0x188
[ 88.696734] Status: 10000404	IEp
[ 88.700422] Cause : 50000008 (ExcCode 02)
[ 88.704874] BadVA : 0000000e
[ 88.708069] PrId : 0001a120 (MIPS interAptiv (multi))
[ 88.713005] Modules linked in:
[ 88.716407] Process swapper (pid: 0, threadinfo=(ptrval), task=(ptrval), tls=00000000)
[ 88.725219] Stack : 85f61c28 00000000 0000000e 80780000 87c0ddf0 85cff080 80790000 8052cc7c
[ 88.734529] 87cabf00 00000000 00000001 85f5fb40 807b0000 864d7850 87cabf00 807d0000
[ 88.743839] 864d7800 8655f600 00000000 85cff080 87c1c000 0000006a 00000000 8052d96c
[ 88.753149] 807a0000 8057adb8 87c0dcc8 87c0dc50 85cfff08 00000558 87cabf00 85f58c50
[ 88.762460] 00000002 85f58c00 864d7800 80543308 fffffff4 00000001 85f58c00 864d7800
[ 88.771770] ...
[ 88.774483] Call Trace:
[ 88.777199] [<80687078>] vlan_dev_hard_start_xmit+0x1c/0x1a0
[ 88.783504] [<8052cc7c>] dev_hard_start_xmit+0xac/0x188
[ 88.789326] [<8052d96c>] __dev_queue_xmit+0x6e8/0x7d4
[ 88.794955] [<805a8640>] ip_finish_output2+0x238/0x4d0
[ 88.800677] [<805ab6a0>] ip_output+0xc8/0x140
[ 88.805526] [<805a68f4>] ip_forward+0x364/0x560
[ 88.810567] [<805a4ff8>] ip_rcv+0x48/0xe4
[ 88.815030] [<80528d44>] __netif_receive_skb_one_core+0x44/0x58
[ 88.821635] [<8067f220>] dsa_switch_rcv+0x108/0x1ac
[ 88.827067] [<80528f80>] __netif_receive_skb_list_core+0x228/0x26c
[ 88.833951] [<8052ed84>] netif_receive_skb_list+0x1d4/0x394
[ 88.840160] [<80355a88>] lunar_rx_poll+0x38c/0x828
[ 88.845496] [<8052fa78>] net_rx_action+0x14c/0x3cc
[ 88.850835] [<806ad300>] __do_softirq+0x178/0x338
[ 88.856077] [<8012a2d4>] irq_exit+0xbc/0x100
[ 88.860846] [<802f8b70>] plat_irq_dispatch+0xc0/0x144
[ 88.866477] [<80105974>] handle_int+0x14c/0x158
[ 88.871516] [<806acfb0>] r4k_wait+0x30/0x40
[ 88.876462] Code: afb10014 8c8200a0 00803025 <9443000c> 94a20468 00000000 10620042 00a08025 9605046a
[ 88.887332]
[ 88.888982] ---[ end trace eb863d007da11cf1 ]---
[ 88.894122] Kernel panic - not syncing: Fatal exception in interrupt
[ 88.901202] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fix this by pulling skb off the sublist and zeroing skb->next pointer
before calling ptype callback.

Fixes: 88eb1944e1 ("net: core: propagate SKB lists through packet_type lookup")
Reviewed-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Alexander Lobakin <alobakin@dlink.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-28 17:28:05 -07:00
..
datagram.c net: datagram: fix unbounded loop in __skb_try_recv_datagram() 2019-03-27 21:58:53 -07:00
dev_addr_lists.c net: dev: Issue NETDEV_PRE_CHANGEADDR 2018-12-13 18:41:38 -08:00
dev_ioctl.c net: dev: Add extack argument to dev_set_mac_address() 2018-12-13 18:41:38 -08:00
dev.c net: core: netif_receive_skb_list: unlist skb before passing to pt->func 2019-03-28 17:28:05 -07:00
devlink.c net: devlink: skip info_get op call if it is not defined in dumpit 2019-03-26 11:25:29 -07:00
drop_monitor.c treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
dst_cache.c net: core: dst_cache_set_ip6: Rename 'addr' parameter to 'saddr' for consistency 2018-03-05 12:52:45 -05:00
dst.c net: add a route cache full diagnostic message 2019-01-17 15:37:25 -08:00
ethtool.c ethtool: reduce stack usage with clang 2019-03-07 09:45:21 -08:00
failover.c net: Introduce generic failover module 2018-05-28 22:59:54 -04:00
fib_notifier.c net: Fix fib notifer to return errno 2018-03-29 14:10:30 -04:00
fib_rules.c net/fib_rules: Update fib_nl_dumprule for strict data checking 2018-10-08 10:39:05 -07:00
filter.c bpf: Add bpf_get_listener_sock(struct bpf_sock *sk) helper 2019-03-13 12:04:35 -07:00
flow_dissector.c net/flow_dissector: move bpf case into __skb_flow_bpf_dissect 2019-01-29 01:08:29 +01:00
flow_offload.c flow_offload: add flow action infrastructure 2019-02-06 10:38:25 -08:00
gen_estimator.c net: core: protect rate estimator statistics pointer with lock 2018-08-11 12:37:10 -07:00
gen_stats.c net: sched: put back q.qlen into a single location 2019-03-02 14:10:18 -08:00
gro_cells.c gro_cells: make sure device is up in gro_cells_receive() 2019-03-10 11:07:14 -07:00
hwbm.c
link_watch.c net: linkwatch: add check for netdevice being present to linkwatch_do_dev 2018-09-19 21:06:46 -07:00
lwt_bpf.c net: fix GSO in bpf_lwt_push_ip_encap 2019-03-07 10:41:29 +01:00
lwtunnel.c ip_tunnel: Add dst_cache support in lwtunnel_state of ip tunnel 2019-02-24 22:13:49 -08:00
Makefile flow_offload: add flow_rule and flow_match structures and use them 2019-02-06 10:38:25 -08:00
neighbour.c neigh: hook tracepoints in neigh update code 2019-02-17 10:33:39 -08:00
net_namespace.c netns: provide pure entropy for net_hash_mix() 2019-03-28 17:00:45 -07:00
net-procfs.c proc: introduce proc_create_net{,_data} 2018-05-16 07:24:30 +02:00
net-sysfs.c net-sysfs: Fix memory leak in netdev_register_kobject 2019-03-21 13:38:27 -07:00
net-sysfs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
net-traces.c trace: events: add a few neigh tracepoints 2019-02-17 10:33:39 -08:00
netclassid_cgroup.c cgroup, netclassid: add a preemption point to write_classid 2018-10-23 12:58:17 -07:00
netevent.c
netpoll.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-12-27 13:04:52 -08:00
netprio_cgroup.c net: remove duplicate includes 2017-12-13 13:18:46 -05:00
page_pool.c page_pool: use DMA_ATTR_SKIP_CPU_SYNC for DMA mappings 2019-02-13 22:00:16 -08:00
pktgen.c mm: replace all open encodings for NUMA_NO_NODE 2019-03-05 21:07:14 -08:00
ptp_classifier.c
request_sock.c
rtnetlink.c net: Get rid of SWITCHDEV_ATTR_ID_PORT_PARENT_ID 2019-02-06 14:17:03 -08:00
scm.c socket: Add SO_TIMESTAMPING_NEW 2019-02-03 11:17:31 -08:00
secure_seq.c infiniband: i40iw, nes: don't use wall time for TCP sequence numbers 2018-07-11 12:10:19 -06:00
skbuff.c net: Do not allocate page fragments that are not skb aligned 2019-02-17 15:48:43 -08:00
skmsg.c bpf: Stop the psock parser before canceling its work 2019-03-07 15:16:20 +01:00
sock_diag.c net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() 2018-08-14 10:01:24 -07:00
sock_map.c bpf: skmsg, fix psock create on existing kcm/tls port 2018-10-20 00:40:45 +02:00
sock_reuseport.c sctp: add sock_reuseport for the sock in __sctp_hash_endpoint 2018-11-12 09:09:51 -08:00
sock.c net: support 64bit rates for getsockopt(SO_MAX_PACING_RATE) 2019-03-01 23:08:30 -08:00
stream.c tcp: reduce POLLOUT events caused by TCP_NOTSENT_LOWAT 2018-12-04 21:21:18 -08:00
sysctl_net_core.c net: introduce a knob to control whether to inherit devconf config 2019-01-22 11:07:21 -08:00
timestamping.c
tso.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
utils.c net: Remove some unneeded semicolon 2018-08-04 13:05:39 -07:00
xdp.c xdp: remove redundant variable 'headroom' 2018-09-01 01:35:53 +02:00