| From foo@baz Tue 01 Oct 2019 04:06:17 PM CEST |
| From: Xin Long <lucien.xin@gmail.com> |
| Date: Mon, 23 Sep 2019 17:02:46 +0800 |
| Subject: macsec: drop skb sk before calling gro_cells_receive |
| |
| From: Xin Long <lucien.xin@gmail.com> |
| |
| [ Upstream commit ba56d8ce38c8252fff5b745db3899cf092578ede ] |
| |
| Fei Liu reported a crash when doing netperf on a topo of macsec |
| dev over veth: |
| |
| [ 448.919128] refcount_t: underflow; use-after-free. |
| [ 449.090460] Call trace: |
| [ 449.092895] refcount_sub_and_test+0xb4/0xc0 |
| [ 449.097155] tcp_wfree+0x2c/0x150 |
| [ 449.100460] ip_rcv+0x1d4/0x3a8 |
| [ 449.103591] __netif_receive_skb_core+0x554/0xae0 |
| [ 449.108282] __netif_receive_skb+0x28/0x78 |
| [ 449.112366] netif_receive_skb_internal+0x54/0x100 |
| [ 449.117144] napi_gro_complete+0x70/0xc0 |
| [ 449.121054] napi_gro_flush+0x6c/0x90 |
| [ 449.124703] napi_complete_done+0x50/0x130 |
| [ 449.128788] gro_cell_poll+0x8c/0xa8 |
| [ 449.132351] net_rx_action+0x16c/0x3f8 |
| [ 449.136088] __do_softirq+0x128/0x320 |
| |
| The issue was caused by skb's true_size changed without its sk's |
| sk_wmem_alloc increased in tcp/skb_gro_receive(). Later when the |
| skb is being freed and the skb's truesize is subtracted from its |
| sk's sk_wmem_alloc in tcp_wfree(), underflow occurs. |
| |
| macsec is calling gro_cells_receive() to receive a packet, which |
| actually requires skb->sk to be NULL. However when macsec dev is |
| over veth, it's possible the skb->sk is still set if the skb was |
| not unshared or expanded from the peer veth. |
| |
| ip_rcv() is calling skb_orphan() to drop the skb's sk for tproxy, |
| but it is too late for macsec's calling gro_cells_receive(). So |
| fix it by dropping the skb's sk earlier on rx path of macsec. |
| |
| Fixes: 5491e7c6b1a9 ("macsec: enable GRO and RPS on macsec devices") |
| Reported-by: Xiumei Mu <xmu@redhat.com> |
| Reported-by: Fei Liu <feliu@redhat.com> |
| Signed-off-by: Xin Long <lucien.xin@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/macsec.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/drivers/net/macsec.c |
| +++ b/drivers/net/macsec.c |
| @@ -1240,6 +1240,7 @@ deliver: |
| macsec_rxsa_put(rx_sa); |
| macsec_rxsc_put(rx_sc); |
| |
| + skb_orphan(skb); |
| ret = gro_cells_receive(&macsec->gro_cells, skb); |
| if (ret == NET_RX_SUCCESS) |
| count_rx(dev, skb->len); |