References: <20210201160420.2826895-1-elver@google.com>
In-Reply-To: <20210201160420.2826895-1-elver@google.com>
From: Christoph Paasch
Date: Mon, 1 Feb 2021 08:50:16 -0800
Message-ID:
Subject: Re: [PATCH net-next] net: fix up truesize of cloned skb in skb_prepare_for_shift()
To: Marco Elver
Cc: LKML, kasan-dev@googlegroups.com, David Miller, kuba@kernel.org, Jonathan Lemon, Willem de Bruijn, linmiaohe@huawei.com, gnault@redhat.com, dseok.yi@samsung.com, kyk.segfault@gmail.com, Al Viro, netdev, glider@google.com, syzbot+7b99aafdcc2eedea6178@syzkaller.appspotmail.com, Eric Dumazet
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 1, 2021 at 8:09 AM Marco Elver wrote:
>
> Avoid the assumption that ksize(kmalloc(S)) == ksize(kmalloc(S)): when
> cloning an skb, save and restore truesize after pskb_expand_head(). This
> can occur if the allocator decides to service an allocation of the same
> size differently (e.g. use a different size class, or pass the
> allocation on to KFENCE).
>
> Because truesize is used for bookkeeping (such as sk_wmem_queued), a
> modified truesize of a cloned skb may result in corrupt bookkeeping and
> relevant warnings (such as in sk_stream_kill_queues()).
>
> Link: https://lkml.kernel.org/r/X9JR/J6dMMOy1obu@elver.google.com
> Reported-by: syzbot+7b99aafdcc2eedea6178@syzkaller.appspotmail.com
> Suggested-by: Eric Dumazet
> Signed-off-by: Marco Elver
> ---
> net/core/skbuff.c | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index 2af12f7e170c..3787093239f5 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -3289,7 +3289,19 @@ EXPORT_SYMBOL(skb_split); > */ > static int skb_prepare_for_shift(struct sk_buff *skb) > { > - return skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC); > + int ret = 0; > + > + if (skb_cloned(skb)) { > + /* Save and restore truesize: pskb_expand_head() may reallocate > + * memory where ksize(kmalloc(S)) != ksize(kmalloc(S)), but we > + * cannot change truesize at this point. > + */ > + unsigned int save_truesize = skb->truesize; > + > + ret = pskb_expand_head(skb, 0, 0, GFP_ATOMIC); > + skb->truesize = save_truesize; > + } > + return ret; just a few days ago we found out that this also fixes a syzkaller issue on MPTCP (https://github.com/multipath-tcp/mptcp_net-next/issues/136). I confirmed that this patch fixes the issue for us as well: Tested-by: Christoph Paasch > } > > /** > > base-commit: 14e8e0f6008865d823a8184a276702a6c3cbef3d > -- > 2.30.0.365.g02bc693789-goog >
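Review bot: in the skb_prepare_for_shift() hunk, `skb->truesize = save_truesize;` runs unconditionally, so it also executes on the error path of pskb_expand_head(); if a failed expand can leave truesize modified, that is the intended behaviour and the comment should say so, otherwise `if (!ret) skb->truesize = save_truesize;` makes the intent clearer to a later reader. The in-code comment also only describes the allocator behaviour (`ksize(kmalloc(S)) != ksize(kmalloc(S))`) and not why the value must stay fixed here; adding the reason given in the commit message (the original truesize is already charged to bookkeeping such as sk_wmem_queued, and a changed value corrupts it) would keep the code self-explanatory without the changelog.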