From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Willem de Bruijn, "David S. Miller"
Subject: [PATCH 5.1 006/122] net: test nouarg before dereferencing zerocopy pointers
Date: Thu, 23 May 2019 21:05:28 +0200
Message-Id: <20190523181705.892932071@linuxfoundation.org>
In-Reply-To: <20190523181705.091418060@linuxfoundation.org>
References: <20190523181705.091418060@linuxfoundation.org>

From: Willem de Bruijn

[ Upstream commit 185ce5c38ea76f29b6bd9c7c8c7a5e5408834920 ]

Zerocopy skbs without completion notification were added for packet sockets with PACKET_TX_RING user buffers. Those signal completion through the TP_STATUS_USER bit in the ring. Zerocopy annotation was added only to avoid premature notification after clone or orphan, by triggering a copy on these paths for these packets.

The mechanism had to define a special "no-uarg" mode because packet sockets already use skb_uarg(skb) == skb_shinfo(skb)->destructor_arg for a different pointer.

Before dereferencing skb_uarg(skb), verify that it is a real pointer.

Fixes: 5cd8d46ea1562 ("packet: copy user buffers before orphan or clone")
Signed-off-by: Willem de Bruijn
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 include/linux/skbuff.h | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h
@@ -1425,10 +1425,12 @@ static inline void skb_zcopy_clear(struc struct ubuf_info *uarg = skb_zcopy(skb); if (uarg) { - if (uarg->callback == sock_zerocopy_callback) { + if (skb_zcopy_is_nouarg(skb)) { + /* no notification callback */ + } else if (uarg->callback == sock_zerocopy_callback) { uarg->zerocopy = uarg->zerocopy && zerocopy; sock_zerocopy_put(uarg); - } else if (!skb_zcopy_is_nouarg(skb)) { + } else { uarg->callback(uarg, zerocopy); } @@ -2683,7 +2685,8 @@ static inline int skb_orphan_frags(struc { if (likely(!skb_zcopy(skb))) return 0; - if (skb_uarg(skb)->callback == sock_zerocopy_callback) + if (!skb_zcopy_is_nouarg(skb) && + skb_uarg(skb)->callback == sock_zerocopy_callback) return 0; return skb_copy_ubufs(skb, gfp_mask); }
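Review bot: In the first hunk (skb_zcopy_clear), the new empty branch carries only "/* no notification callback */", which does not tell a later reader that the order of the tests is what makes the function safe. Per the commit message, in no-uarg mode the destructor_arg slot holds a different pointer rather than a ubuf_info, so uarg->callback must not be read until skb_zcopy_is_nouarg(skb) has been ruled out, which the removed lines did not guarantee. Suggest extending the comment to say that uarg is not a valid pointer in this branch and must not be dereferenced, so a later reordering of the if/else chain does not reintroduce the read.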
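Review bot: In the second hunk (skb_orphan_frags), the fix depends entirely on the short-circuit order of "!skb_zcopy_is_nouarg(skb) && skb_uarg(skb)->callback == sock_zerocopy_callback", and the same check-before-dereference pattern is now open-coded in both functions this patch touches. Consider a small inline helper that performs the no-uarg test and the callback comparison together, so each caller makes one call and cannot get the order wrong. At minimum, add a one-line comment above the condition stating that skb_uarg(skb) is only a real pointer when the no-uarg test fails.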