net: core: fix use-after-free in __netif_receive_skb_list_core

__netif_receive_skb_core can free the skb, so we have to use the dequeue-
 enqueue model when calling it from __netif_receive_skb_list_core.

Fixes: 88eb1944e18c ("net: core: propagate SKB lists through packet_type lookup")
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/core/dev.c b/net/core/dev.c
index ce4583564e00506599f2cfbaed97d9eea8b145ce..d13cddcac41ff13368022b417259c450b9558637 100644 (file)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4830,23 +4830,28 @@ static void __netif_receive_skb_list_core(struct list_head *head, bool pfmemallo
        struct list_head sublist;
        struct sk_buff *skb, *next;
 
+       INIT_LIST_HEAD(&sublist);
        list_for_each_entry_safe(skb, next, head, list) {
                struct net_device *orig_dev = skb->dev;
                struct packet_type *pt_prev = NULL;
 
+               list_del(&skb->list);
                __netif_receive_skb_core(skb, pfmemalloc, &pt_prev);
+               if (!pt_prev)
+                       continue;
                if (pt_curr != pt_prev || od_curr != orig_dev) {
                        /* dispatch old sublist */
-                       list_cut_before(&sublist, head, &skb->list);
                        __netif_receive_skb_list_ptype(&sublist, pt_curr, od_curr);
                        /* start new sublist */
+                       INIT_LIST_HEAD(&sublist);
                        pt_curr = pt_prev;
                        od_curr = orig_dev;
                }
+               list_add_tail(&skb->list, &sublist);
        }
 
        /* dispatch final sublist */
-       __netif_receive_skb_list_ptype(head, pt_curr, od_curr);
+       __netif_receive_skb_list_ptype(&sublist, pt_curr, od_curr);
 }
 
 static int __netif_receive_skb(struct sk_buff *skb)