lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ef4458d9-c4d7-f419-00f2-0f1cea5140ce@virtuozzo.com>
Date:   Mon, 23 Aug 2021 10:56:49 +0300
From:   Vasily Averin <vvs@...tuozzo.com>
To:     Christoph Paasch <christoph.paasch@...il.com>,
        "David S. Miller" <davem@...emloft.net>
Cc:     Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>,
        Jakub Kicinski <kuba@...nel.org>,
        Eric Dumazet <eric.dumazet@...il.com>,
        netdev <netdev@...r.kernel.org>, linux-kernel@...r.kernel.org,
        kernel@...nvz.org, Julian Wiedmann <jwi@...ux.ibm.com>
Subject: [PATCH NET-NEXT] ipv6: skb_expand_head() adjust skb->truesize
 incorrectly

Christoph Paasch reports [1] about incorrect skb->truesize
after skb_expand_head() call in ip6_xmit.
This happen because skb_set_owner_w() for newly clone skb is called
too early, before pskb_expand_head() where truesize is adjusted for
(!skb-sk) case.

[1] https://lkml.org/lkml/2021/8/20/1082

Reported-by: Christoph Paasch <christoph.paasch@...il.com>
Signed-off-by: Vasily Averin <vvs@...tuozzo.com>
---
 net/core/skbuff.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index f931176..508d5c4 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1803,6 +1803,8 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, unsigned int headroom)
 
 struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom)
 {
+	struct sk_buff *oskb = skb;
+	struct sk_buff *nskb = NULL;
 	int delta = headroom - skb_headroom(skb);
 
 	if (WARN_ONCE(delta <= 0,
@@ -1811,21 +1813,21 @@ struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom)
 
 	/* pskb_expand_head() might crash, if skb is shared */
 	if (skb_shared(skb)) {
-		struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
-
-		if (likely(nskb)) {
-			if (skb->sk)
-				skb_set_owner_w(nskb, skb->sk);
-			consume_skb(skb);
-		} else {
-			kfree_skb(skb);
-		}
+		nskb = skb_clone(skb, GFP_ATOMIC);
 		skb = nskb;
 	}
 	if (skb &&
-	    pskb_expand_head(skb, SKB_DATA_ALIGN(delta), 0, GFP_ATOMIC)) {
-		kfree_skb(skb);
+	    pskb_expand_head(skb, SKB_DATA_ALIGN(delta), 0, GFP_ATOMIC))
 		skb = NULL;
+
+	if (!skb) {
+		kfree_skb(oskb);
+		if (nskb)
+			kfree_skb(nskb);
+	} else if (nskb) {
+		if (oskb->sk)
+			skb_set_owner_w(nskb, oskb->sk);
+		consume_skb(oskb);
 	}
 	return skb;
 }
-- 
1.8.3.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ