releases/4.19.35/net-core-netif_receive_skb_list-unlist-skb-before-pa.patch

   1 From 4d308de3b07f683d3cba4d3bbbf5a997b8c1d1c4 Mon Sep 17 00:00:00 2001
   2 From: Alexander Lobakin <alobakin@dlink.ru>
   3 Date: Thu, 28 Mar 2019 18:23:04 +0300
   4 Subject: net: core: netif_receive_skb_list: unlist skb before passing to
   5  pt->func
   6
   7 [ Upstream commit 9a5a90d167b0e5fe3d47af16b68fd09ce64085cd ]
   8
   9 __netif_receive_skb_list_ptype() leaves skb->next poisoned before passing
  10 it to pt_prev->func handler, what may produce (in certain cases, e.g. DSA
  11 setup) crashes like:
  12
  13 [ 88.606777] CPU 0 Unable to handle kernel paging request at virtual address 0000000e, epc == 80687078, ra == 8052cc7c
  14 [ 88.618666] Oops[#1]:
  15 [ 88.621196] CPU: 0 PID: 0 Comm: swapper Not tainted 5.1.0-rc2-dlink-00206-g4192a172-dirty #1473
  16 [ 88.630885] $ 0 : 00000000 10000400 00000002 864d7850
  17 [ 88.636709] $ 4 : 87c0ddf0 864d7800 87c0ddf0 00000000
  18 [ 88.642526] $ 8 : 00000000 49600000 00000001 00000001
  19 [ 88.648342] $12 : 00000000 c288617b dadbee27 25d17c41
  20 [ 88.654159] $16 : 87c0ddf0 85cff080 80790000 fffffffd
  21 [ 88.659975] $20 : 80797b20 ffffffff 00000001 864d7800
  22 [ 88.665793] $24 : 00000000 8011e658
  23 [ 88.671609] $28 : 80790000 87c0dbc0 87cabf00 8052cc7c
  24 [ 88.677427] Hi : 00000003
  25 [ 88.680622] Lo : 7b5b4220
  26 [ 88.683840] epc : 80687078 vlan_dev_hard_start_xmit+0x1c/0x1a0
  27 [ 88.690532] ra : 8052cc7c dev_hard_start_xmit+0xac/0x188
  28 [ 88.696734] Status: 10000404   IEp
  29 [ 88.700422] Cause : 50000008 (ExcCode 02)
  30 [ 88.704874] BadVA : 0000000e
  31 [ 88.708069] PrId : 0001a120 (MIPS interAptiv (multi))
  32 [ 88.713005] Modules linked in:
  33 [ 88.716407] Process swapper (pid: 0, threadinfo=(ptrval), task=(ptrval), tls=00000000)
  34 [ 88.725219] Stack : 85f61c28 00000000 0000000e 80780000 87c0ddf0 85cff080 80790000 8052cc7c
  35 [ 88.734529] 87cabf00 00000000 00000001 85f5fb40 807b0000 864d7850 87cabf00 807d0000
  36 [ 88.743839] 864d7800 8655f600 00000000 85cff080 87c1c000 0000006a 00000000 8052d96c
  37 [ 88.753149] 807a0000 8057adb8 87c0dcc8 87c0dc50 85cfff08 00000558 87cabf00 85f58c50
  38 [ 88.762460] 00000002 85f58c00 864d7800 80543308 fffffff4 00000001 85f58c00 864d7800
  39 [ 88.771770] ...
  40 [ 88.774483] Call Trace:
  41 [ 88.777199] [<80687078>] vlan_dev_hard_start_xmit+0x1c/0x1a0
  42 [ 88.783504] [<8052cc7c>] dev_hard_start_xmit+0xac/0x188
  43 [ 88.789326] [<8052d96c>] __dev_queue_xmit+0x6e8/0x7d4
  44 [ 88.794955] [<805a8640>] ip_finish_output2+0x238/0x4d0
  45 [ 88.800677] [<805ab6a0>] ip_output+0xc8/0x140
  46 [ 88.805526] [<805a68f4>] ip_forward+0x364/0x560
  47 [ 88.810567] [<805a4ff8>] ip_rcv+0x48/0xe4
  48 [ 88.815030] [<80528d44>] __netif_receive_skb_one_core+0x44/0x58
  49 [ 88.821635] [<8067f220>] dsa_switch_rcv+0x108/0x1ac
  50 [ 88.827067] [<80528f80>] __netif_receive_skb_list_core+0x228/0x26c
  51 [ 88.833951] [<8052ed84>] netif_receive_skb_list+0x1d4/0x394
  52 [ 88.840160] [<80355a88>] lunar_rx_poll+0x38c/0x828
  53 [ 88.845496] [<8052fa78>] net_rx_action+0x14c/0x3cc
  54 [ 88.850835] [<806ad300>] __do_softirq+0x178/0x338
  55 [ 88.856077] [<8012a2d4>] irq_exit+0xbc/0x100
  56 [ 88.860846] [<802f8b70>] plat_irq_dispatch+0xc0/0x144
  57 [ 88.866477] [<80105974>] handle_int+0x14c/0x158
  58 [ 88.871516] [<806acfb0>] r4k_wait+0x30/0x40
  59 [ 88.876462] Code: afb10014 8c8200a0 00803025 <9443000c> 94a20468 00000000 10620042 00a08025 9605046a
  60 [ 88.887332]
  61 [ 88.888982] ---[ end trace eb863d007da11cf1 ]---
  62 [ 88.894122] Kernel panic - not syncing: Fatal exception in interrupt
  63 [ 88.901202] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
  64
  65 Fix this by pulling skb off the sublist and zeroing skb->next pointer
  66 before calling ptype callback.
  67
  68 Fixes: 88eb1944e18c ("net: core: propagate SKB lists through packet_type lookup")
  69 Reviewed-by: Edward Cree <ecree@solarflare.com>
  70 Signed-off-by: Alexander Lobakin <alobakin@dlink.ru>
  71 Signed-off-by: David S. Miller <davem@davemloft.net>
  72 Signed-off-by: Sasha Levin <sashal@kernel.org>
  73 ---
  74  net/core/dev.c | 4 +++-
  75  1 file changed, 3 insertions(+), 1 deletion(-)
  76
  77 diff --git a/net/core/dev.c b/net/core/dev.c
  78 index 5c8c0a572ee9..d47554307a6d 100644
  79 --- a/net/core/dev.c
  80 +++ b/net/core/dev.c
  81 @@ -4959,8 +4959,10 @@ static inline void __netif_receive_skb_list_ptype(struct list_head *head,
  82         if (pt_prev->list_func != NULL)
  83                 pt_prev->list_func(head, pt_prev, orig_dev);
  84         else
  85 -               list_for_each_entry_safe(skb, next, head, list)
  86 +               list_for_each_entry_safe(skb, next, head, list) {
  87 +                       skb_list_del_init(skb);
  88                         pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
  89 +               }
  90  }
  91
  92  static void __netif_receive_skb_list_core(struct list_head *head, bool pfmemalloc)
  93 --
  94 2.19.1
  95