Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp1652497pxb; Mon, 23 Aug 2021 01:01:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJygzCVJ5EPvwtVVC75ygzZ8TAA2SaT2g4kojghdUloNflBZxSB+uBDFsS32X7MgqzHh+Yar X-Received: by 2002:a17:906:2cd5:: with SMTP id r21mr33821737ejr.435.1629705671045; Mon, 23 Aug 2021 01:01:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629705671; cv=none; d=google.com; s=arc-20160816; b=WC1AK5/4nZ8sdRMIZa4SvMjhbfJ5O2WnjVci4jM+vL0qFCF5qY/T10GhQfuoHEmVw1 W8rBlxIiUgt1GYENzQb+Qsc2kxBvKbtyjhtuapS3pB/jmr5ZPKnP/8Kco1Ra4MYK/FYT pCrNyzdIctMAQ73ymLhiZfhVrc6u0JrhFc5/IbrAxIhXZ0PKkcRFU4iCKsWMlgxz1vI8 7Ss74rHsFA8iNk649mLUz3edhkK6fL0gd6n8gnn0mm1vdbU9ahi3bwsb7F9Vr4ivxCKk T+6saB/jHkvygrcQLEO3w2pY+DKRBa5dIbYWXG8F+wZIhcBgGyB+r3/YYKvuA3dSYvxP YSvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:references:cc :to:subject:from:dkim-signature; bh=gYEdybKbXhCvejIGuZRQDqqEgCGQEYZNt6q+lPijJXQ=; b=sw5UvA94Xg6Bk2tqAuFeWFLWt0YmtlAsk3OpdmWy5wj+nJXyk+d+j3cJSmASdd8knr UzAUjLlFt4QscSg3WrMPvAh/1n6vd8ZYl4FqszPxM7KuZ/fP1D7UWSiOYSfkQV+w/p0R rdhrilfsr4mspgPZLCAukqRmzGpala6FpFNQuU3LVFEUyPgHrSCXeCoCUu59i83WUZ1e r40vKnCkGAi/9Je5m2fbzxi+ZuifOJWRGNf3Vslod3BIRkDn56xI8ziCcWAIKm5ZgXFp tIl22dv36MidWzeOigpgDPBzUSdkOnhluczt1wIedwpiDTdP/jdBVIk/yzz/mEnKrzLm jwBQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@virtuozzo.com header.s=relay header.b=zSOldxa2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=virtuozzo.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b6si15258186edu.126.2021.08.23.01.00.48; Mon, 23 Aug 2021 01:01:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@virtuozzo.com header.s=relay header.b=zSOldxa2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=virtuozzo.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235383AbhHWH5i (ORCPT + 99 others); Mon, 23 Aug 2021 03:57:38 -0400 Received: from relay.sw.ru ([185.231.240.75]:43240 "EHLO relay.sw.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235374AbhHWH5i (ORCPT ); Mon, 23 Aug 2021 03:57:38 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=virtuozzo.com; s=relay; h=Content-Type:MIME-Version:Date:Message-ID:Subject :From; bh=gYEdybKbXhCvejIGuZRQDqqEgCGQEYZNt6q+lPijJXQ=; b=zSOldxa2ZHsHtkYYtQS B+p6VObdAf88ETGmdJEyC1AxeKrwmAYpomCtNgYo2EVh8ggpWW+GCQe3J/R/He2rlu4M8iWpsoFgj ZBsfPkHgccH9Pa5IvTdRIIS5ZSRPP7fsJNKBH8GW1KysE1zu80UfFjDWQLVCrqo/340m41wmot8=; Received: from [10.93.0.56] by relay.sw.ru with esmtp (Exim 4.94.2) (envelope-from ) id 1mI4p8-008YUo-4J; Mon, 23 Aug 2021 10:56:50 +0300 From: Vasily Averin Subject: [PATCH NET-NEXT] ipv6: skb_expand_head() adjust skb->truesize incorrectly To: Christoph Paasch , "David S. Miller" Cc: Hideaki YOSHIFUJI , David Ahern , Jakub Kicinski , Eric Dumazet , netdev , linux-kernel@vger.kernel.org, kernel@openvz.org, Julian Wiedmann References: <6858f130-e6b4-1ba7-ed6f-58c00152be69@virtuozzo.com> Message-ID: Date: Mon, 23 Aug 2021 10:56:49 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: <6858f130-e6b4-1ba7-ed6f-58c00152be69@virtuozzo.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Christoph Paasch reports [1] about incorrect skb->truesize after skb_expand_head() call in ip6_xmit. This happen because skb_set_owner_w() for newly clone skb is called too early, before pskb_expand_head() where truesize is adjusted for (!skb-sk) case. [1] https://lkml.org/lkml/2021/8/20/1082 Reported-by: Christoph Paasch Signed-off-by: Vasily Averin --- net/core/skbuff.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index f931176..508d5c4 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -1803,6 +1803,8 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, unsigned int headroom) struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom) { + struct sk_buff *oskb = skb; + struct sk_buff *nskb = NULL; int delta = headroom - skb_headroom(skb); if (WARN_ONCE(delta <= 0, @@ -1811,21 +1813,21 @@ struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom) /* pskb_expand_head() might crash, if skb is shared */ if (skb_shared(skb)) { - struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); - - if (likely(nskb)) { - if (skb->sk) - skb_set_owner_w(nskb, skb->sk); - consume_skb(skb); - } else { - kfree_skb(skb); - } + nskb = skb_clone(skb, GFP_ATOMIC); skb = nskb; } if (skb && - pskb_expand_head(skb, SKB_DATA_ALIGN(delta), 0, GFP_ATOMIC)) { - kfree_skb(skb); + pskb_expand_head(skb, SKB_DATA_ALIGN(delta), 0, GFP_ATOMIC)) skb = NULL; + + if (!skb) { + kfree_skb(oskb); + if (nskb) + kfree_skb(nskb); + } else if (nskb) { + if (oskb->sk) + skb_set_owner_w(nskb, oskb->sk); + consume_skb(oskb); } return skb; } -- 1.8.3.1