diff options
Diffstat (limited to '0071-net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsa.patch')
| -rw-r--r-- | 0071-net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsa.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/0071-net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsa.patch b/0071-net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsa.patch new file mode 100644 index 000000000000..91d931e50697 --- /dev/null +++ b/0071-net-neigh-don-t-call-kfree_skb-under-spin_lock_irqsa.patch @@ -0,0 +1,60 @@ +From 123bf15c1a15f8dc7b5aceb5186bed37f2e80af5 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang <yangyingliang@huawei.com> +Date: Mon, 22 Aug 2022 10:53:46 +0800 +Subject: [PATCH 71/73] net: neigh: don't call kfree_skb() under + spin_lock_irqsave() + +commit d5485d9dd24e1d04e5509916515260186eb1455c upstream. + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So add all skb to +a tmp list, then free them after spin_unlock_irqrestore() at +once. + +Fixes: 66ba215cb513 ("neigh: fix possible DoS due to net iface start/stop loop") +Suggested-by: Denis V. Lunev <den@openvz.org> +Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> +Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/core/neighbour.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 19d99d1eff53..fbaa557ed7ec 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -309,21 +309,27 @@ static int neigh_del_timer(struct neighbour *n) + + static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net) + { ++ struct sk_buff_head tmp; + unsigned long flags; + struct sk_buff *skb; + ++ skb_queue_head_init(&tmp); + spin_lock_irqsave(&list->lock, flags); + skb = skb_peek(list); + while (skb != NULL) { + struct sk_buff *skb_next = skb_peek_next(skb, list); + if (net == NULL || net_eq(dev_net(skb->dev), net)) { + __skb_unlink(skb, list); +- dev_put(skb->dev); +- kfree_skb(skb); ++ __skb_queue_tail(&tmp, skb); + } + skb = skb_next; + } + spin_unlock_irqrestore(&list->lock, flags); ++ ++ while ((skb = __skb_dequeue(&tmp))) { ++ dev_put(skb->dev); ++ kfree_skb(skb); ++ } + } + + static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev, +-- +2.37.3 + |