net: fix use-after-free in GRO with ESP

Since the addition of GRO for ESP, gro_receive can consume the skb and return -EINPROGRESS. In that case, the lower layer GRO handler cannot touch the skb anymore. Commit 5f114163f2f5 ("net: Add a skb_gro_flush_final helper.") converted some of the gro_receive handlers that can lead to ESP's gro_receive so that they wouldn't access the skb when -EINPROGRESS is returned, but missed other spots, mainly in tunneling protocols. This patch finishes the conversion to using skb_gro_flush_final(), and adds a new helper, skb_gro_flush_final_remcsum(), used in VXLAN and GUE. Fixes: 5f114163f2f5 ("net: Add a skb_gro_flush_final helper.") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Sabrina Dubroca <sd@queasysnail.net> 2018-06-30 11:38:55 -0400
committer: David S. Miller <davem@davemloft.net> 2018-07-02 07:34:04 -0400
commit: 603d4cf8fe095b1ee78f423d514427be507fb513 (patch)
tree: a4051b67f31ba061752f8c5326fa9c6aab528e7f
parent: 1236f22fbae15df3736ab4a984c64c0c6ee6254c (diff)
7 files changed, 26 insertions, 10 deletions
diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index 750eaa53bf0c..ada33c2d9ac2 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -476,7 +476,7 @@ static struct sk_buff **geneve_gro_receive(struct sock *sk,
 out_unlock:
        rcu_read_unlock();
 out:
-        NAPI_GRO_CB(skb)->flush |= flush;
+        skb_gro_flush_final(skb, pp, flush);
        return pp;
 }
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index aee0e60471f1..f6bb1d54d4bd 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -623,9 +623,7 @@ static struct sk_buff **vxlan_gro_receive(struct sock *sk,
        flush = 0;
 out:
-        skb_gro_remcsum_cleanup(skb, &grc);
+        skb_gro_flush_final_remcsum(skb, pp, flush, &grc);
-        skb->remcsum_offload = 0;
-        NAPI_GRO_CB(skb)->flush |= flush;
        return pp;
 }
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 3ec9850c7936..3d0cc0b5cec2 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -2789,11 +2789,31 @@ static inline void skb_gro_flush_final(struct sk_buff *skb, struct sk_buff **pp,
        if (PTR_ERR(pp) != -EINPROGRESS)
                NAPI_GRO_CB(skb)->flush |= flush;
 }
+static inline void skb_gro_flush_final_remcsum(struct sk_buff *skb,
+                                               struct sk_buff **pp,
+                                               int flush,
+                                               struct gro_remcsum *grc)
+{
+        if (PTR_ERR(pp) != -EINPROGRESS) {
+                NAPI_GRO_CB(skb)->flush |= flush;
+                skb_gro_remcsum_cleanup(skb, grc);
+                skb->remcsum_offload = 0;
+        }
+}
 #else
 static inline void skb_gro_flush_final(struct sk_buff *skb, struct sk_buff **pp, int flush)
 {
        NAPI_GRO_CB(skb)->flush |= flush;
 }
+static inline void skb_gro_flush_final_remcsum(struct sk_buff *skb,
+                                               struct sk_buff **pp,
+                                               int flush,
+                                               struct gro_remcsum *grc)
+{
+        NAPI_GRO_CB(skb)->flush |= flush;
+        skb_gro_remcsum_cleanup(skb, grc);
+        skb->remcsum_offload = 0;
+}
 #endif
 static inline int dev_hard_header(struct sk_buff *skb, struct net_device *dev,
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 73a65789271b..8ccee3d01822 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -693,7 +693,7 @@ static struct sk_buff **vlan_gro_receive(struct sk_buff **head,
 out_unlock:
        rcu_read_unlock();
 out:
-        NAPI_GRO_CB(skb)->flush |= flush;
+        skb_gro_flush_final(skb, pp, flush);
        return pp;
 }
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
index 1540db65241a..c9ec1603666b 100644
--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -448,9 +448,7 @@ next_proto:
 out_unlock:
        rcu_read_unlock();
 out:
-        NAPI_GRO_CB(skb)->flush |= flush;
+        skb_gro_flush_final_remcsum(skb, pp, flush, &grc);
-        skb_gro_remcsum_cleanup(skb, &grc);
-        skb->remcsum_offload = 0;
        return pp;
 }
diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
index 1859c473b21a..6a7d980105f6 100644
--- a/net/ipv4/gre_offload.c
+++ b/net/ipv4/gre_offload.c
@@ -223,7 +223,7 @@ static struct sk_buff **gre_gro_receive(struct sk_buff **head,
 out_unlock:
        rcu_read_unlock();
 out:
-        NAPI_GRO_CB(skb)->flush |= flush;
+        skb_gro_flush_final(skb, pp, flush);
        return pp;
 }
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 92dc9e5a7ff3..69c54540d5b4 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -394,7 +394,7 @@ unflush:
 out_unlock:
        rcu_read_unlock();
 out:
-        NAPI_GRO_CB(skb)->flush |= flush;
+        skb_gro_flush_final(skb, pp, flush);
        return pp;
 }
 EXPORT_SYMBOL(udp_gro_receive);
author	Sabrina Dubroca <sd@queasysnail.net>	2018-06-30 11:38:55 -0400
committer	David S. Miller <davem@davemloft.net>	2018-07-02 07:34:04 -0400
commit	603d4cf8fe095b1ee78f423d514427be507fb513 (patch)
tree	a4051b67f31ba061752f8c5326fa9c6aab528e7f
parent	1236f22fbae15df3736ab4a984c64c0c6ee6254c (diff)