OpenCloudOS-Kernel/net/core
Honglin Li 26941c0f5e rue/net: avoid wrong memory access to struct net_device
It assigns the net_device pointer of network interface to
sock->in_dev in cls_tc_rx_hook() in the receiving process.
The use of a sock->in_dev pointer can potentially lead to
wrong memory access if the memory of struct net_device is
freed after the network interface is unregistered, which may
cause a kernel crash.

The above use after free issue causes a crash as follows:

BUG: unable to handle page fault for address: ffffffed698999c8
CPU: 50 PID: 1290732 Comm: kubelet Kdump: loaded
Tainted: G O K 5.4.119-1-tlinux4-0009.1 #1
RIP: 0010:cls_cgroup_tx_accept+0x5e/0x120
Call Trace:
 <IRQ>
 cls_tc_tx_hook+0x10d/0x1a0
 nf_hook_slow+0x43/0xc0
 __ip_local_out+0xcb/0x130
 ? ip_forward_options+0x190/0x190
 ip_local_out+0x1c/0x40
 __ip_queue_xmit+0x162/0x3d0
 ? rx_cgroup_throttle.isra.4+0x2b0/0x2b0
 ip_queue_xmit+0x10/0x20
 __tcp_transmit_skb+0x57f/0xbe0
 __tcp_retransmit_skb+0x1b0/0x8a0
 tcp_retransmit_skb+0x19/0xd0
 tcp_retransmit_timer+0x367/0xa80
 ? kvm_clock_get_cycles+0x11/0x20
 ? ktime_get+0x34/0x90
 tcp_write_timer_handler+0x93/0x1f0
 tcp_write_timer+0x7c/0x80
 ? tcp_write_timer_handler+0x1f0/0x1f0
 call_timer_fn+0x35/0x130
 run_timer_softirq+0x1a8/0x420
 ? ktime_get+0x34/0x90
 ? clockevents_program_event+0x85/0xe0
 __do_softirq+0x8c/0x2d7
 ? hrtimer_interrupt+0x12a/0x210
 irq_exit+0xa3/0xb0
 smp_apic_timer_interrupt+0x77/0x130
 apic_timer_interrupt+0xf/0x20
 </IRQ>

We introduce indev_ifindex as a new struct field to record
the ifindex of net_device, and then indev_ifindex can be
used for obtaining an index to avoid direct memory access
to struct members of in_dev pointer.

Fixes: f8829546f3b3 ("rue/net: init netcls traffic controller")
Signed-off-by: Honglin Li <honglinli@tencent.com>
Reviewed-by: Ze Gao <zegao@tencent.com>
2024-09-27 11:13:30 +08:00
Makefile netns/mbuf: add a per net namespace ring buffer 2024-05-23 21:22:21 +08:00
bpf_sk_storage.c bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing 2023-07-27 10:07:56 -07:00
datagram.c net: fix rc7's __skb_datagram_iter() 2024-07-18 13:21:13 +02:00
dev.c rue/net: avoid wrong memory access to struct net_device 2024-09-27 11:13:30 +08:00
dev.h Merge remote-tracking branch 'stable/linux-6.6.y' into ocks-2401 2024-03-01 17:21:23 +08:00
dev_addr_lists.c net: extract a few internals from netdevice.h 2022-04-07 20:32:09 -07:00
dev_addr_lists_test.c kunit: Use KUNIT_EXPECT_MEMEQ macro 2022-10-27 02:40:14 -06:00
dev_ioctl.c net: omit ndo_hwtstamp_get() call when possible in dev_set_hwtstamp_phylib() 2023-08-06 13:25:10 +01:00
drop_monitor.c drop_monitor: replace spin_lock by raw_spin_lock 2024-06-27 13:49:01 +02:00
dst.c net: remove unnecessary input parameter 'how' in ifdown function 2023-08-22 13:19:02 +02:00
dst_cache.c wireguard: device: reset peer src endpoint when netns exits 2021-11-29 19:50:45 -08:00
failover.c net: failover: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf 2022-12-12 15:18:25 -08:00
fib_notifier.c
fib_rules.c fib: expand fib_rule_policy 2021-12-16 07:18:35 -08:00
filter.c bpf, net: Use DEV_STAT_INC() 2024-08-19 06:04:29 +02:00
flow_dissector.c net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE 2024-08-03 08:54:05 +02:00
flow_offload.c tc: flower: Enable offload support IPSEC SPI field. 2023-08-02 10:09:32 +01:00
gen_estimator.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
gen_stats.c net: Remove the obsolte u64_stats_fetch_*_irq() users (net). 2022-10-28 20:13:54 -07:00
gro.c net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb 2024-05-17 12:02:07 +02:00
gro_cells.c net: drop the weight argument from netif_napi_add 2022-09-28 18:57:14 -07:00
gso.c net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
hwbm.c
link_watch.c net: linkwatch: use system_unbound_wq 2024-08-14 13:58:39 +02:00
lwt_bpf.c lwt: Fix return values of BPF xmit ops 2023-08-18 16:05:26 +02:00
lwtunnel.c xfrm: lwtunnel: squelch kernel warning in case XFRM encap type is not available 2022-10-12 10:45:51 +02:00
neighbour.c neighbour: Don't let neigh_forced_gc() disable preemption for long 2024-01-20 11:51:43 +01:00
net-procfs.c net: dev ipv4/v6 stat 2023-12-12 15:56:50 +08:00
net-sysfs.c net-sysfs: convert dev->operstate reads to lockless ones 2024-05-17 12:02:23 +02:00
net-sysfs.h
net-traces.c udp6: add a missing call into udp_fail_queue_rcv_skb tracepoint 2023-07-07 09:16:52 +01:00
net_namespace.c netns: Make get_net_ns() handle zero refcount net 2024-06-27 13:49:06 +02:00
netclassid_cgroup.c rue/net: adapt to the new rue modular framework 2024-09-27 11:13:30 +08:00
netdev-genl-gen.c net: ynl: prefix uAPI header include with uapi/ 2023-05-26 10:30:14 +01:00
netdev-genl-gen.h net: ynl: prefix uAPI header include with uapi/ 2023-05-26 10:30:14 +01:00
netdev-genl.c netdev-genl: use struct genl_info for reply construction 2023-08-15 15:01:03 -07:00
netevent.c
netns_mbuf.c netlat: fix warnning when del netns 2024-05-24 16:37:28 +08:00
netpoll.c netpoll: Fix race condition in netpoll_owner_active 2024-06-27 13:49:02 +02:00
netprio_cgroup.c bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode 2021-09-13 16:35:58 -07:00
of_net.c net: Explicitly include correct DT includes 2023-07-27 20:33:16 -07:00
page_pool.c net: page_pool: add missing free_percpu when page_pool_init fail 2023-11-20 11:59:34 +01:00
pktgen.c kthread: add kthread_stop_put 2024-06-12 11:12:52 +02:00
ptp_classifier.c ptp: Add generic PTP is_sync() function 2022-03-07 11:31:34 +00:00
request_sock.c tcp: make sure init the accept_queue's spinlocks once 2024-01-31 16:19:00 -08:00
rtnetlink.c rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in rtnl_dellink(). 2024-08-11 12:47:20 +02:00
scm.c io_uring/unix: drop usage of io_uring socket 2024-03-26 18:19:09 -04:00
secure_seq.c tcp: Fix data-races around sysctl knobs related to SYN option. 2022-07-20 10:14:49 +01:00
selftests.c net: core: constify mac addrs in selftests 2021-10-24 13:59:44 +01:00
skbuff.c rue/net: avoid wrong memory access to struct net_device 2024-09-27 11:13:30 +08:00
skmsg.c skmsg: Skip zero length skb in sk_msg_recvmsg 2024-07-18 13:21:12 +02:00
sock.c Merge branch 'dev/toa' into 'master' (merge request !154) 2024-08-14 07:35:37 +00:00
sock_destructor.h skb_expand_head() adjust skb->truesize incorrectly 2021-10-22 12:35:51 -07:00
sock_diag.c sock_diag: annotate data-races around sock_diag_handlers[family] 2024-03-26 18:19:22 -04:00
sock_map.c sock_map: avoid race between sock_map_close and sk_psock_put 2024-06-21 14:38:40 +02:00
sock_reuseport.c soreuseport: Fix socket selection for SO_INCOMING_CPU. 2022-10-25 11:35:16 +02:00
stream.c net: Return error from sk_stream_wait_connect() if sk_wait_event() fails 2024-01-01 12:42:30 +00:00
sysctl_net_core.c Merge linux 6.6.30 2024-05-08 19:22:41 +08:00
timestamping.c
tso.c net: tso: inline tso_count_descs() 2022-12-12 15:04:39 -08:00
utils.c net: core: inet[46]_pton strlen len types 2022-11-01 21:14:39 -07:00
xdp.c xdp: fix invalid wait context of page_pool_destroy() 2024-08-03 08:53:44 +02:00