UPSTREAM: net: add recursion limit to GRO
[ Upstream commit fcd91dd449867c6bfe56a81cabba76b829fd05cd ]
Currently, GRO can do unlimited recursion through the gro_receive
handlers. This was fixed for tunneling protocols by limiting tunnel GRO
to one level with encap_mark, but both VLAN and TEB still have this
problem. Thus, the kernel is vulnerable to a stack overflow, if we
receive a packet composed entirely of VLAN headers.
This patch adds a recursion counter to the GRO layer to prevent stack
overflow. When a gro_receive function hits the recursion limit, GRO is
aborted for this skb and it is processed normally. This recursion
counter is put in the GRO CB, but could be turned into a percpu counter
if we run out of space in the CB.
Thanks to Vladimr Bene <[email protected]> for the initial bug report.
Fixes: CVE-2016-7039
Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
Signed-off-by: Sabrina Dubroca <[email protected]>
Acked-by: Hannes Frederic Sowa <[email protected]>
Acked-by: Tom Herbert <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from git.kernel.org kernel/git/stable/linux-stable.git linux-4.4.y
commit 3cb00b90e8b1bd59382f5e1304dd751f9674f027)
BUG=b:32515955
TEST=kernel compiles
Change-Id: I1ff66c3ba0e2b468233416f3c87e244335582007
Previous-Reviewed-on: https://chromium-review.googlesource.com/416902
(cherry picked from commit ed67191878f544ed2b4fb5357673d2a593953b61)
Reviewed-on: https://chromium-review.googlesource.com/419360
Reviewed-by: Guenter Roeck <[email protected]>
Commit-Queue: Andrey Ulanov <[email protected]>
Tested-by: Andrey Ulanov <[email protected]>
11 files changed
