xps: must clear sender_cpu before forwarding

edumazet · davem330 · commit c29390c6dfee · 2015-03-11T23:51:18.000-04:00
John reported that my previous commit added a regression on his router. This is because sender_cpu & napi_id share a common location, so get_xps_queue() can see garbage and perform an out of bound access. We need to make sure sender_cpu is cleared before doing the transmit, otherwise any NIC busy poll enabled (skb_mark_napi_id()) can trigger this bug. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: John <jw@nuclearfallout.net> Bisected-by: John <jw@nuclearfallout.net> Fixes: 2bd8248 ("xps: fix xps for stacked devices") Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
@@ -948,6 +948,13 @@ static inline void skb_copy_hash(struct sk_buff *to, const struct sk_buff *from)
 	to->l4_hash = from->l4_hash;
 };
 
+static inline void skb_sender_cpu_clear(struct sk_buff *skb)
+{
+#ifdef CONFIG_XPS
+	skb->sender_cpu = 0;
+#endif
+}
+
 #ifdef NET_SKBUFF_DATA_USES_OFFSET
 static inline unsigned char *skb_end_pointer(const struct sk_buff *skb)
 {
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
@@ -4173,7 +4173,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet)
 	skb->ignore_df = 0;
 	skb_dst_drop(skb);
 	skb->mark = 0;
-	skb->sender_cpu = 0;
+	skb_sender_cpu_clear(skb);
 	skb_init_secmark(skb);
 	secpath_reset(skb);
 	nf_reset(skb);
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
@@ -67,6 +67,7 @@ static int ip_forward_finish(struct sk_buff *skb)
 	if (unlikely(opt->optlen))
 		ip_forward_options(skb);
 
+	skb_sender_cpu_clear(skb);
 	return dst_output(skb);
 }
 
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
@@ -318,6 +318,7 @@ static int ip6_forward_proxy_check(struct sk_buff *skb)
 
 static inline int ip6_forward_finish(struct sk_buff *skb)
 {
+	skb_sender_cpu_clear(skb);
 	return dst_output(skb);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,7 @@ static int ip_forward_finish(struct sk_buff *skb)`
`67`	`67`	`if (unlikely(opt->optlen))`
`68`	`68`	`ip_forward_options(skb);`
`69`	`69`
	`70`	`+ skb_sender_cpu_clear(skb);`
`70`	`71`	`return dst_output(skb);`
`71`	`72`	`}`
`72`	`73`
Original file line number	Diff line number	Diff line change
`@@ -318,6 +318,7 @@ static int ip6_forward_proxy_check(struct sk_buff *skb)`
`318`	`318`
`319`	`319`	`static inline int ip6_forward_finish(struct sk_buff *skb)`
`320`	`320`	`{`
	`321`	`+ skb_sender_cpu_clear(skb);`
`321`	`322`	`return dst_output(skb);`
`322`	`323`	`}`
`323`	`324`