[5.4.y,5.10.y,1/4] skbuff: introduce skb_expand_head()

Message ID	20241225051624.127745-2-harshvardhan.j.jha@oracle.com (mailing list archive)
State	New
Delegated to:	Netdev Maintainers
Headers	show Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6CB505C603; Wed, 25 Dec 2024 05:17:04 +0000 (UTC) From: Harshvardhan Jha <harshvardhan.j.jha@oracle.com> To: davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, kuba@kernel.org Cc: harshvardhan.j.jha@oracle.com, netdev@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 5.4.y 5.10.y 1/4] skbuff: introduce skb_expand_head() Date: Tue, 24 Dec 2024 21:16:21 -0800 Message-ID: <20241225051624.127745-2-harshvardhan.j.jha@oracle.com> In-Reply-To: <20241225051624.127745-1-harshvardhan.j.jha@oracle.com> References: <20241225051624.127745-1-harshvardhan.j.jha@oracle.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Backport of CVE-2024-44986 fix to stable 5.4 and 5.10 \| expand [5.4.y,5.10.y,0/4] Backport of CVE-2024-44986 fix to stable 5.4 and 5.10 [5.4.y,5.10.y,1/4] skbuff: introduce skb_expand_head() [5.4.y,5.10.y,2/4] ipv6: use skb_expand_head in ip6_finish_output2 [5.4.y,5.10.y,3/4] ipv6: use skb_expand_head in ip6_xmit [5.4.y,5.10.y,4/4] ipv6: fix possible UAF in ip6_finish_output2()

Message ID

20241225051624.127745-2-harshvardhan.j.jha@oracle.com (mailing list archive)

State

New

Delegated to:

Netdev Maintainers

Headers

From: Harshvardhan Jha <harshvardhan.j.jha@oracle.com>
To: davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org,
        kuba@kernel.org
Cc: harshvardhan.j.jha@oracle.com, netdev@vger.kernel.org,
        stable@vger.kernel.org
Subject: [PATCH 5.4.y 5.10.y 1/4] skbuff: introduce skb_expand_head()
Date: Tue, 24 Dec 2024 21:16:21 -0800
Message-ID: <20241225051624.127745-2-harshvardhan.j.jha@oracle.com>
In-Reply-To: <20241225051624.127745-1-harshvardhan.j.jha@oracle.com>
References: <20241225051624.127745-1-harshvardhan.j.jha@oracle.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Backport of CVE-2024-44986 fix to stable 5.4 and 5.10 | expand

Context	Check	Description
netdev/tree_selection	success	Guessing tree name failed - patch did not apply

Context

Check

Description

netdev/tree_selection

success

Guessing tree name failed - patch did not apply

Commit Message

Harshvardhan Jha Dec. 25, 2024, 5:16 a.m. UTC

From: Vasily Averin <vvs@virtuozzo.com>

[ Upstream commit f1260ff15a71b8fc122b2c9abd8a7abffb6e0168 ]

Like skb_realloc_headroom(), new helper increases headroom of specified skb.
Unlike skb_realloc_headroom(), it does not allocate a new skb if possible;
copies skb->sk on new skb when as needed and frees original skb in case
of failures.

This helps to simplify ip[6]_finish_output2() and a few other similar cases.

Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit f1260ff15a71b8fc122b2c9abd8a7abffb6e0168)
Signed-off-by: Harshvardhan Jha <harshvardhan.j.jha@oracle.com>
---
 include/linux/skbuff.h |  1 +
 net/core/skbuff.c      | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 31ae4b74d4352..3248e4aeec037 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1166,6 +1166,7 @@  static inline struct sk_buff *__pskb_copy(struct sk_buff *skb, int headroom,
 int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail, gfp_t gfp_mask);
 struct sk_buff *skb_realloc_headroom(struct sk_buff *skb,
 				     unsigned int headroom);
+struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom);
 struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom,
 				int newtailroom, gfp_t priority);
 int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index b0c2d6f018003..fa3ea287d6ecc 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1732,6 +1732,48 @@  struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, unsigned int headroom)
 }
 EXPORT_SYMBOL(skb_realloc_headroom);
 
+/**
+ *	skb_expand_head - reallocate header of &sk_buff
+ *	@skb: buffer to reallocate
+ *	@headroom: needed headroom
+ *
+ *	Unlike skb_realloc_headroom, this one does not allocate a new skb
+ *	if possible; copies skb->sk to new skb as needed
+ *	and frees original skb in case of failures.
+ *
+ *	It expect increased headroom and generates warning otherwise.
+ */
+
+struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom)
+{
+	int delta = headroom - skb_headroom(skb);
+
+	if (WARN_ONCE(delta <= 0,
+		      "%s is expecting an increase in the headroom", __func__))
+		return skb;
+
+	/* pskb_expand_head() might crash, if skb is shared */
+	if (skb_shared(skb)) {
+		struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
+
+		if (likely(nskb)) {
+			if (skb->sk)
+				skb_set_owner_w(nskb, skb->sk);
+			consume_skb(skb);
+		} else {
+			kfree_skb(skb);
+		}
+		skb = nskb;
+	}
+	if (skb &&
+	    pskb_expand_head(skb, SKB_DATA_ALIGN(delta), 0, GFP_ATOMIC)) {
+		kfree_skb(skb);
+		skb = NULL;
+	}
+	return skb;
+}
+EXPORT_SYMBOL(skb_expand_head);
+
 /**
  *	skb_copy_expand	-	copy and expand sk_buff
  *	@skb: buffer to copy

[5.4.y,5.10.y,1/4] skbuff: introduce skb_expand_head()

Checks

Commit Message

Patch