From: linmiaohe
Subject: [PATCH 1/5] net: Fix potential deadloop in skb_copy_ubufs()
Date: Thu, 6 Aug 2020 19:50:42 +0800
Message-ID: <1596714642-25183-1-git-send-email-linmiaohe@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Miaohe Lin

We could be trapped in deadloop when we try to copy userspace skb frags buffers to kernel with a cloned skb:

[kbox] catch panic event, panic reason:kernel stack overflow
[kbox] catch panic event, start logging.
CPU: 3 PID: 4083 Comm: insmod Kdump: loaded Tainted: G OE 4.19 #6
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x198
 show_stack+0x24/0x30
 dump_stack+0xa4/0xcc
 kbox_panic_notifier_callback+0x1d0/0x310 [kbox]
 notifier_call_chain+0x5c/0xa0
 atomic_notifier_call_chain+0x3c/0x50
 panic+0x164/0x314
 __stack_chk_fail+0x0/0x28
 handle_bad_stack+0xfc/0x108
 __bad_stack+0x90/0x94
 pskb_expand_head+0x0/0x2c8
 pskb_expand_head+0x290/0x2c8
 skb_copy_ubufs+0x3cc/0x520
 pskb_expand_head+0x290/0x2c8
 skb_copy_ubufs+0x3cc/0x520
 pskb_expand_head+0x290/0x2c8
 skb_copy_ubufs+0x3cc/0x520
 pskb_expand_head+0x290/0x2c8
 skb_copy_ubufs+0x3cc/0x520
 ...
 pskb_expand_head+0x290/0x2c8
 skb_copy_ubufs+0x3cc/0x520
 ...

Reproduce code snippet:

	skb = alloc_skb(UBUF_DATA_LEN, GFP_ATOMIC);
	clone = skb_clone(skb, GFP_ATOMIC);
	skb_zcopy_set_nouarg(clone, NULL);
	pskb_expand_head(skb, 0, 0, GFP_ATOMIC);

Catch this unexpected case and return -EINVAL in skb_orphan_frags() before we call skb_copy_ubufs() to fix it.

Fixes: a6686f2f382b ("skbuff: skb supports zero-copy buffers")
Signed-off-by: Miaohe Lin

--- include/linux/skbuff.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 0c0377fc00c2..167c8f4cb6e3 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -2753,6 +2753,9 @@ static inline int skb_orphan_frags(struct sk_buff *skb, gfp_t gfp_mask) if (!skb_zcopy_is_nouarg(skb) && skb_uarg(skb)->callback == sock_zerocopy_callback) return 0; + /* If the skb is cloned, return error here or we will be trapped in deadloop. */ + if (unlikely(skb_cloned(skb))) + return -EINVAL; return skb_copy_ubufs(skb, gfp_mask); } -- 2.19.1
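
Review bot: The new `if (unlikely(skb_cloned(skb))) return -EINVAL;` in skb_orphan_frags() fails every cloned skb that gets past the `sock_zerocopy_callback` early return, yet the only justification given is a reproducer loaded with insmod on a kernel tainted OE that calls skb_zcopy_set_nouarg() on a clone by hand. Please name the in-tree path that can hand a cloned skb in this state to skb_orphan_frags(), and say what its callers do with the new -EINVAL, so it is clear whether the check belongs in this inline helper or at the point where the recursion begins. The trace shows pskb_expand_head() and skb_copy_ubufs() calling each other until the stack overflows; the added comment should name that cycle instead of "trapped in deadloop", and with its indentation it runs past 80 columns, so wrap it.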