[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230706130800.85963-1-squirrel.prog@gmail.com>
Date: Thu, 6 Jul 2023 13:08:00 +0000
From: Kaiyu Zhang <squirrel.prog@...il.com>
To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
Kaiyu Zhang <squirrel.prog@...il.com>
Subject: [PATCH] gro: check returned skb of napi_frags_skb() against NULL
Some rogue network adapter and their driver pass bad skbs to GRO.
napi_frags_skb() detects this, drops these bad skbs, and return NULL
to napi_gro_frags(), which does not check returned skb against NULL
and access it. This results in a kernel crash.
A better approach to address these bad skbs would be to issue some
warnings and drop them, which napi_frags_skb() already does, and
move on without crashing the kernel.
Signed-off-by: Kaiyu Zhang <squirrel.prog@...il.com>
---
net/core/gro.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/gro.c b/net/core/gro.c
index 0759277dc..18d92016b 100644
--- a/net/core/gro.c
+++ b/net/core/gro.c
@@ -731,6 +731,9 @@ gro_result_t napi_gro_frags(struct napi_struct *napi)
gro_result_t ret;
struct sk_buff *skb = napi_frags_skb(napi);
+ if (unlikely(!skb))
+ return GRO_CONSUMED;
+
trace_napi_gro_frags_entry(skb);
ret = napi_frags_finish(napi, skb, dev_gro_receive(napi, skb));
--
2.34.1
Powered by blists - more mailing lists