From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 2 Sep 2022 08:40:22 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v4.9.327~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=29dc669238c83a69d9e220bd441668f131633c36;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsave.patch
---

diff --git a/queue-5.10/net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsave.patch b/queue-5.10/net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsave.patch
new file mode 100644
index 00000000000..88efa5a4d68
--- /dev/null
+++ b/queue-5.10/net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsave.patch
@@ -0,0 +1,56 @@
+From d5485d9dd24e1d04e5509916515260186eb1455c Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Mon, 22 Aug 2022 10:53:46 +0800
+Subject: net: neigh: don't call kfree_skb() under spin_lock_irqsave()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit d5485d9dd24e1d04e5509916515260186eb1455c upstream.
+
+It is not allowed to call kfree_skb() from hardware interrupt
+context or with interrupts being disabled. So add all skb to
+a tmp list, then free them after spin_unlock_irqrestore() at
+once.
+
+Fixes: 66ba215cb513 ("neigh: fix possible DoS due to net iface start/stop loop")
+Suggested-by: Denis V. Lunev <den@openvz.org>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -282,21 +282,27 @@ static int neigh_del_timer(struct neighb
+ 
+ static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net)
+ {
++	struct sk_buff_head tmp;
+ 	unsigned long flags;
+ 	struct sk_buff *skb;
+ 
++	skb_queue_head_init(&tmp);
+ 	spin_lock_irqsave(&list->lock, flags);
+ 	skb = skb_peek(list);
+ 	while (skb != NULL) {
+ 		struct sk_buff *skb_next = skb_peek_next(skb, list);
+ 		if (net == NULL || net_eq(dev_net(skb->dev), net)) {
+ 			__skb_unlink(skb, list);
+-			dev_put(skb->dev);
+-			kfree_skb(skb);
++			__skb_queue_tail(&tmp, skb);
+ 		}
+ 		skb = skb_next;
+ 	}
+ 	spin_unlock_irqrestore(&list->lock, flags);
++
++	while ((skb = __skb_dequeue(&tmp))) {
++		dev_put(skb->dev);
++		kfree_skb(skb);
++	}
+ }
+ 
+ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev,
diff --git a/queue-5.10/series b/queue-5.10/series
index 6870b660bed..bd2272c6d03 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -34,3 +34,4 @@ xfs-fix-overfilling-of-reserve-pool.patch
 xfs-fix-soft-lockup-via-spinning-in-filestream-ag-selection-loop.patch
 xfs-revert-xfs-actually-bump-warning-counts-when-we-send-warnings.patch
 net-af_packet-check-len-when-min_header_len-equals-to-0.patch
+net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsave.patch