lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 18 Sep 2017 11:09:34 +0200
From:   Greg Kroah-Hartman <>
Cc:     Greg Kroah-Hartman <>,, Eric Dumazet <>,
        Paolo Abeni <>,
        "David S. Miller" <>
Subject: [PATCH 4.13 06/52] udp: drop head states only when all skb references are gone

4.13-stable review patch.  If anyone has any objections, please let me know.


From: Paolo Abeni <>

[ Upstream commit ca2c1418efe9f7fe37aa1f355efdf4eb293673ce ]

After commit 0ddf3fb2c43d ("udp: preserve skb->dst if required
for IP options processing") we clear the skb head state as soon
as the skb carrying them is first processed.

Since the same skb can be processed several times when MSG_PEEK
is used, we can end up lacking the required head states, and
eventually oopsing.

Fix this clearing the skb head state only when processing the
last skb reference.

Reported-by: Eric Dumazet <>
Fixes: 0ddf3fb2c43d ("udp: preserve skb->dst if required for IP options processing")
Signed-off-by: Paolo Abeni <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
 include/linux/skbuff.h |    2 +-
 net/core/skbuff.c      |    9 +++------
 net/ipv4/udp.c         |    5 ++++-
 3 files changed, 8 insertions(+), 8 deletions(-)

--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -885,7 +885,7 @@ void kfree_skb(struct sk_buff *skb);
 void kfree_skb_list(struct sk_buff *segs);
 void skb_tx_error(struct sk_buff *skb);
 void consume_skb(struct sk_buff *skb);
-void consume_stateless_skb(struct sk_buff *skb);
+void __consume_stateless_skb(struct sk_buff *skb);
 void  __kfree_skb(struct sk_buff *skb);
 extern struct kmem_cache *skbuff_head_cache;
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -753,14 +753,11 @@ EXPORT_SYMBOL(consume_skb);
  *	consume_stateless_skb - free an skbuff, assuming it is stateless
  *	@skb: buffer to free
- *	Works like consume_skb(), but this variant assumes that all the head
- *	states have been already dropped.
+ *	Alike consume_skb(), but this variant assumes that this is the last
+ *	skb reference and all the head states have been already dropped
-void consume_stateless_skb(struct sk_buff *skb)
+void __consume_stateless_skb(struct sk_buff *skb)
-	if (!skb_unref(skb))
-		return;
 	if (likely(skb->head))
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1386,12 +1386,15 @@ void skb_consume_udp(struct sock *sk, st
 		unlock_sock_fast(sk, slow);
+	if (!skb_unref(skb))
+		return;
 	/* In the more common cases we cleared the head states previously,
 	 * see __udp_queue_rcv_skb().
 	if (unlikely(udp_skb_has_head_state(skb)))
-	consume_stateless_skb(skb);
+	__consume_stateless_skb(skb);

Powered by blists - more mailing lists