Message ID | 1646133431-8948-1-git-send-email-lena.wang@mediatek.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 224102de2ff105a2c05695e66a08f4b5b6b2d19c |
Delegated to: | Netdev Maintainers |
Series | [net,v2] net: fix up skbs delta_truesize in UDP GRO frag_list |

On Tue, Mar 1, 2022 at 3:23 AM lena wang <lena.wang@mediatek.com> wrote:
>
> The truesize for a UDP GRO packet is added by main skb and skbs in main
> skb's frag_list:
> skb_gro_receive_list
>         p->truesize += skb->truesize;
>
>
>
> Fixes: 53475c5dd856 ("net: fix use-after-free when UDP GRO with shared fraglist")
> Signed-off-by: lena wang <lena.wang@mediatek.com>
> Acked-by: Paolo Abeni <pabeni@redhat.com>
> ---
> change since v1:
> 1) add the fix tag.
> 2) add net subtree to the subject
> ---
> ---
>  net/core/skbuff.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Reviewed-by: Eric Dumazet <edumazet@google.com>

Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 1 Mar 2022 19:17:09 +0800 you wrote:
> The truesize for a UDP GRO packet is added by main skb and skbs in main
> skb's frag_list:
> skb_gro_receive_list
>         p->truesize += skb->truesize;
>
> The commit 53475c5dd856 ("net: fix use-after-free when UDP GRO with
> shared fraglist") introduced a truesize increase for frag_list skbs.
> When uncloning skb, it will call pskb_expand_head and truesize for
> frag_list skbs may increase. This can occur when allocators use
> __netdev_alloc_skb and not jump into __alloc_skb. This flow does not
> use ksize(len) to calculate truesize while pskb_expand_head uses.
> skb_segment_list
> err = skb_unclone(nskb, GFP_ATOMIC);
> pskb_expand_head
>         if (!skb->sk || skb->destructor == sock_edemux)
>                 skb->truesize += size - osize;
>
> [...]

Here is the summary with links:
  - [net,v2] net: fix up skbs delta_truesize in UDP GRO frag_list
    https://git.kernel.org/netdev/net/c/224102de2ff1

You are awesome, thank you!

diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 9d0388bed0c1..8b7356cffea7 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3876,6 +3876,7 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, list_skb = list_skb->next; err = 0; + delta_truesize += nskb->truesize; if (skb_shared(nskb)) { tmp = skb_clone(nskb, GFP_ATOMIC); if (tmp) { @@ -3900,7 +3901,6 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, tail = nskb; delta_len += nskb->len; - delta_truesize += nskb->truesize; skb_push(nskb, -skb_network_offset(nskb) + offset);
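
Review bot: in the first hunk, the new `delta_truesize += nskb->truesize;` sits directly above the `skb_shared(nskb)` check with nothing in the code saying why it must come first. The commit message explains that the later unclone can grow nskb->truesize through pskb_expand_head, so the value has to be sampled before that happens; a one-line comment above the new line stating this would keep a later cleanup from moving it back beside `delta_len += nskb->len;`.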
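
Review bot: after the second hunk, `delta_len += nskb->len;` is still accumulated at the old position while `delta_truesize` is now accumulated about two dozen lines earlier, ahead of the `skb_clone(nskb, GFP_ATOMIC)` branch. If any path between those two points leaves the loop, delta_truesize will include a segment that delta_len does not; the changelog should either confirm that no such exit goes on to use the two deltas or say why the mismatch is harmless.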