From: Andrea Mayer <andrea.mayer(a)uniroma2.it>
mainline inclusion
from mainline-v6.10-rc1
commit 5447f9708d9e4c17a647b16a9cb29e9e02820bd9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAC3N2
CVE: CVE-2024-39490
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The seg6_input() function is responsible for adding the SRH into a
packet, delegating the operation to the seg6_input_core(). This function
uses the skb_cow_head() to ensure that there is sufficient headroom in
the sk_buff for accommodating the link-layer header.
In the event that the skb_cow_header() function fails, the
seg6_input_core() catches the error but it does not release the sk_buff,
which will result in a memory leak.
This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due
to headroom too small after SRH push") and persists even after commit
7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"),
where the entire seg6_input() code was refactored to deal with netfilter
hooks.
The proposed patch addresses the identified memory leak by requiring the
seg6_input_core() function to release the sk_buff in the event that
skb_cow_head() fails.
Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push")
Signed-off-by: Andrea Mayer <andrea.mayer(a)uniroma2.it>
Reviewed-by: Simon Horman <horms(a)kernel.org>
Reviewed-by: David Ahern <dsahern(a)kernel.org>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Conflicts:
net/ipv6/seg6_iptunnel.c
[commit 7a3f5b0de364 add seg6_input_core() to seg6_input() for netfilter
hooks of SRv6, which lead to context conflicts]
Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com>
---
net/ipv6/seg6_iptunnel.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index 40ac23242c37..ab2a606fdb65 100644
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -318,10 +318,8 @@ static int seg6_input(struct sk_buff *skb)
int err;
err = seg6_do_srh(skb);
- if (unlikely(err)) {
- kfree_skb(skb);
- return err;
- }
+ if (unlikely(err))
+ goto drop;
slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
@@ -346,9 +344,12 @@ static int seg6_input(struct sk_buff *skb)
err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
if (unlikely(err))
- return err;
+ goto drop;
return dst_input(skb);
+drop:
+ kfree_skb(skb);
+ return err;
}
static int seg6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
--
2.25.1
From: Andrea Mayer <andrea.mayer(a)uniroma2.it>
mainline inclusion
from mainline-v6.10-rc1
commit 5447f9708d9e4c17a647b16a9cb29e9e02820bd9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAC3N2
CVE: CVE-2024-39490
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The seg6_input() function is responsible for adding the SRH into a
packet, delegating the operation to the seg6_input_core(). This function
uses the skb_cow_head() to ensure that there is sufficient headroom in
the sk_buff for accommodating the link-layer header.
In the event that the skb_cow_header() function fails, the
seg6_input_core() catches the error but it does not release the sk_buff,
which will result in a memory leak.
This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due
to headroom too small after SRH push") and persists even after commit
7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"),
where the entire seg6_input() code was refactored to deal with netfilter
hooks.
The proposed patch addresses the identified memory leak by requiring the
seg6_input_core() function to release the sk_buff in the event that
skb_cow_head() fails.
Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push")
Signed-off-by: Andrea Mayer <andrea.mayer(a)uniroma2.it>
Reviewed-by: Simon Horman <horms(a)kernel.org>
Reviewed-by: David Ahern <dsahern(a)kernel.org>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Conflicts:
net/ipv6/seg6_iptunnel.c
[commit 7a3f5b0de364 add seg6_input_core() to seg6_input() for netfilter
hooks of SRv6, which lead to context conflicts]
Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com>
---
net/ipv6/seg6_iptunnel.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index 40ac23242c37..ab2a606fdb65 100644
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -318,10 +318,8 @@ static int seg6_input(struct sk_buff *skb)
int err;
err = seg6_do_srh(skb);
- if (unlikely(err)) {
- kfree_skb(skb);
- return err;
- }
+ if (unlikely(err))
+ goto drop;
slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
@@ -346,9 +344,12 @@ static int seg6_input(struct sk_buff *skb)
err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
if (unlikely(err))
- return err;
+ goto drop;
return dst_input(skb);
+drop:
+ kfree_skb(skb);
+ return err;
}
static int seg6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
--
2.25.1
From: Andrea Mayer <andrea.mayer(a)uniroma2.it>
mainline inclusion
from mainline-v6.10-rc1
commit 5447f9708d9e4c17a647b16a9cb29e9e02820bd9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAC3N2
CVE: CVE-2024-39490
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The seg6_input() function is responsible for adding the SRH into a
packet, delegating the operation to the seg6_input_core(). This function
uses the skb_cow_head() to ensure that there is sufficient headroom in
the sk_buff for accommodating the link-layer header.
In the event that the skb_cow_header() function fails, the
seg6_input_core() catches the error but it does not release the sk_buff,
which will result in a memory leak.
This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due
to headroom too small after SRH push") and persists even after commit
7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"),
where the entire seg6_input() code was refactored to deal with netfilter
hooks.
The proposed patch addresses the identified memory leak by requiring the
seg6_input_core() function to release the sk_buff in the event that
skb_cow_head() fails.
Fixes: af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push")
Signed-off-by: Andrea Mayer <andrea.mayer(a)uniroma2.it>
Reviewed-by: Simon Horman <horms(a)kernel.org>
Reviewed-by: David Ahern <dsahern(a)kernel.org>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com>
---
net/ipv6/seg6_iptunnel.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index 03b877ff4558..a75df2ec8db0 100644
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -459,10 +459,8 @@ static int seg6_input_core(struct net *net, struct sock *sk,
int err;
err = seg6_do_srh(skb);
- if (unlikely(err)) {
- kfree_skb(skb);
- return err;
- }
+ if (unlikely(err))
+ goto drop;
slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
@@ -486,7 +484,7 @@ static int seg6_input_core(struct net *net, struct sock *sk,
err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
if (unlikely(err))
- return err;
+ goto drop;
if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled))
return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
@@ -494,6 +492,9 @@ static int seg6_input_core(struct net *net, struct sock *sk,
skb_dst(skb)->dev, seg6_input_finish);
return seg6_input_finish(dev_net(skb->dev), NULL, skb);
+drop:
+ kfree_skb(skb);
+ return err;
}
static int seg6_input_nf(struct sk_buff *skb)
--
2.25.1
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: e5ea67ef45bf84add14bf009f071b29909f087cb
commit: 8b9ea9010139596e71aae4be5264c3dd901b13cb [13169/23386] pagecache: support percpu refcount to imporve performance
config: x86_64-randconfig-003-20240731 (https://download.01.org/0day-ci/archive/20240731/202407311035.uLDyyIFP-lkp@…)
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240731/202407311035.uLDyyIFP-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202407311035.uLDyyIFP-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from mm/userfaultfd.c:12:
include/linux/pagemap.h:425:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict]
425 | filler_t *filler = (filler_t *)mapping->a_ops->readpage;
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
>> mm/userfaultfd.o: warning: objtool: mcopy_atomic()+0x1e78: unreachable instruction
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki