From: Greg Kroah-Hartman Date: Fri, 2 Sep 2022 08:40:13 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.9.327~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=04df2be9a3c946a8260365c1b0b0ece62db85ca8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsave.patch
---
diff --git a/queue-5.4/net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsave.patch b/queue-5.4/net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsave.patch
new file mode 100644
index 00000000000..88efa5a4d68
--- /dev/null
+++ b/queue-5.4/net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsave.patch
@@ -0,0 +1,56 @@
+From d5485d9dd24e1d04e5509916515260186eb1455c Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Mon, 22 Aug 2022 10:53:46 +0800
+Subject: net: neigh: don't call kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang
+
+commit d5485d9dd24e1d04e5509916515260186eb1455c upstream.
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So add all skb to
+a tmp list, then free them after spin_unlock_irqrestore() at
+once.
+
+Fixes: 66ba215cb513 ("neigh: fix possible DoS due to net iface start/stop loop")
+Suggested-by: Denis V. Lunev
+Signed-off-by: Yang Yingliang
+Reviewed-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/neighbour.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -282,21 +282,27 @@ static int neigh_del_timer(struct neighb
+
+ static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net)
+ {
++ struct sk_buff_head tmp;
+ unsigned long flags;
+ struct sk_buff *skb;
+
++ skb_queue_head_init(&tmp);
+ spin_lock_irqsave(&list->lock, flags);
+ skb = skb_peek(list);
+ while (skb != NULL) {
+ struct sk_buff *skb_next = skb_peek_next(skb, list);
+ if (net == NULL || net_eq(dev_net(skb->dev), net)) {
+ __skb_unlink(skb, list);
+- dev_put(skb->dev);
+- kfree_skb(skb);
++ __skb_queue_tail(&tmp, skb);
+ }
+ skb = skb_next;
+ }
+ spin_unlock_irqrestore(&list->lock, flags);
++
++ while ((skb = __skb_dequeue(&tmp))) {
++ dev_put(skb->dev);
++ kfree_skb(skb);
++ }
+ }
+
+ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev,
diff --git a/queue-5.4/series b/queue-5.4/series
index d0112eb85ef..02eefecaa1d 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
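Review bot: In the queued net/core/neighbour.c change, the new `tmp` list in pneigh_queue_purge() carries no comment explaining why matching skbs are parked there rather than freed inside the walk. The constraint is stated only in the commit message, so a later cleanup could fold `dev_put()`/`kfree_skb()` back under `spin_lock_irqsave()`. I would add `/* kfree_skb() must not run with IRQs disabled: collect under list->lock, free after unlock. */` above `skb_queue_head_init(&tmp);`. It is also worth one line noting that the lockless `__skb_queue_tail(&tmp, skb)` and `__skb_dequeue(&tmp)` are safe only because `tmp` is a stack-local list no other context can reach. The whole function body is visible in the hunk, and each skb's device reference is still dropped before the skb is freed, so the ordering of the two calls is preserved.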
@@ -74,3 +74,4 @@ lib-vdso-mark-do_hres-and-do_coarse-as-__always_inli.patch
 kprobes-don-t-call-disarm_kprobe-for-disabled-kprobes.patch
 io_uring-disable-polling-pollfree-files.patch
 net-af_packet-check-len-when-min_header_len-equals-to-0.patch
+net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsave.patch