From patchwork Mon Dec 14 15:18:49 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Mayatskikh X-Patchwork-Id: 1416022 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.136; helo=silver.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=openvswitch.org Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=digitalocean.com header.i=@digitalocean.com header.a=rsa-sha256 header.s=google header.b=Foqf4Srj; dkim-atps=neutral Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Cvlzn2s1bz9sS8 for ; Tue, 15 Dec 2020 02:43:49 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id B53AA23600; Mon, 14 Dec 2020 15:43:46 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FY4Ix6-Fmhm8; Mon, 14 Dec 2020 15:43:45 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by silver.osuosl.org (Postfix) with ESMTP id 3E4A320C92; Mon, 14 Dec 2020 15:43:45 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 1BA28C088E; Mon, 14 Dec 2020 15:43:45 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 4843EC013B for ; Mon, 14 Dec 2020 15:43:43 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id 3AE9F870EE for ; Mon, 14 Dec 2020 15:43:43 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K08luQv04GpC for ; Mon, 14 Dec 2020 15:43:42 +0000 (UTC) X-Greylist: delayed 00:24:31 by SQLgrey-1.7.6 Received: from mail-qv1-f68.google.com (mail-qv1-f68.google.com [209.85.219.68]) by hemlock.osuosl.org (Postfix) with ESMTPS id 6B7D0870EB for ; Mon, 14 Dec 2020 15:43:42 +0000 (UTC) Received: by mail-qv1-f68.google.com with SMTP id s6so7982091qvn.6 for ; Mon, 14 Dec 2020 07:43:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digitalocean.com; s=google; h=from:to:cc:subject:date:message-id; bh=6kfnM1c4ySgTLw/FAcUoCN2aaRIV5Absn2r8XTyvit0=; b=Foqf4Srjul4G/sP9Smb01lhyx6MM6/e2ByRaz6sB4OITRZDGSHuc5x1shBvfQC+YJH kK1H2hagVqSLpdQogh8s9bj08v3MUEo7Etnrrib+mxXoWt/BIpnxbp6VCeJrDEHXUpEQ M0EANoxPyhCrQa7/AUzBAxxDh01RVrk6X4c6o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=6kfnM1c4ySgTLw/FAcUoCN2aaRIV5Absn2r8XTyvit0=; b=eBrnEawYJeKBbmK4FexbuhL7qCQOLCEwPzNcqVpg5fAEVRaH8tB/u47EJQd3aK5YPi IxHkA8TBcTm3/SJXpXoqXe/5hucCVijHuAvKxDEFecBhT2gFxhBGiUeFRHH0pWxgd6Fx JrS3nhIzmhMjJ2gOuu5HZwSJAlRIPxWncvcwwkauYWhLVkd8xbc5s697uIWSUHkIlCw1 lEroLmNN14mhSmhlduzFzAuVEJVFhIE5tjj7l6ug4tmWLeiRPu3HZOHLPrqJxeK6ZLQY i+dzbHhQScQiZ4ruMIwkOdNcB1P8UXCXHj5Ju6bxea5aTKVZCTLTyLjjpsZTCdvXhsPm ojwA== X-Gm-Message-State: AOAM533RIAEkKpQVuRaVlGhmExuXZBtDnOE9FA5CTT90hf8t+5lio1c6 1lKRtu0hysRtb1KUjLJSYZ99DVyaSCoXkA== X-Google-Smtp-Source: ABdhPJw3L2RRSyAX1xGGB2ZEZfmvGuyhRFX+OihK3+xgIXo764gBb0M9NH0MzShSUYbeNL1MBQ6VHA== X-Received: by 2002:a0c:9ba6:: with SMTP id o38mr32072959qve.56.1607959150433; Mon, 14 Dec 2020 07:19:10 -0800 (PST) Received: from localhost.localdomain.info (pool-173-48-156-211.bstnma.fios.verizon.net. [173.48.156.211]) by smtp.googlemail.com with ESMTPSA id r22sm15490478qkk.67.2020.12.14.07.19.09 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 14 Dec 2020 07:19:09 -0800 (PST) To: ovs-dev@openvswitch.org Date: Mon, 14 Dec 2020 10:18:49 -0500 Message-Id: <1607959129-26808-1-git-send-email-vmayatskikh@digitalocean.com> X-Mailer: git-send-email 1.8.3.1 Cc: Pravin B Shelar Subject: [ovs-dev] [PATCH] stt: fix dst_entry use-after-free in rcv_list for GSO skb X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Vitaly Mayatskikh via dev From: Vitaly Mayatskikh Reply-To: Vitaly Mayatskikh MIME-Version: 1.0 Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" rcv_list assigns next->dst which is later released in skb_scrub_packet and then assigns the same dst_entry again in ovs_ip_tunnel_rcv, but it was freed already. Signed-off-by: Vitaly Mayatskikh --- datapath/linux/compat/stt.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/datapath/linux/compat/stt.c b/datapath/linux/compat/stt.c index 39a2947..c2ad3b0 100644 --- a/datapath/linux/compat/stt.c +++ b/datapath/linux/compat/stt.c @@ -1397,10 +1397,8 @@ static void rcv_list(struct net_device *dev, struct sk_buff *skb, do { next = skb->next; skb->next = NULL; - if (next) { + if (next) ovs_dst_hold((struct dst_entry *)tun_dst); - ovs_skb_dst_set(next, (struct dst_entry *)tun_dst); - } ovs_ip_tunnel_rcv(dev, skb, tun_dst); } while ((skb = next)); }