From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, lena wang, Paolo Abeni, Eric Dumazet, Jakub Kicinski
Subject: [PATCH 5.15 159/262] net: fix up skbs delta_truesize in UDP GRO frag_list
Date: Mon, 7 Mar 2022 10:18:23 +0100
Message-Id: <20220307091706.921361675@linuxfoundation.org>
In-Reply-To: <20220307091702.378509770@linuxfoundation.org>
References: <20220307091702.378509770@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: lena wang

commit 224102de2ff105a2c05695e66a08f4b5b6b2d19c upstream.

The truesize for a UDP GRO packet is added by main skb and skbs in main
skb's frag_list:

    skb_gro_receive_list
        p->truesize += skb->truesize;

The commit 53475c5dd856 ("net: fix use-after-free when UDP GRO with
shared fraglist") introduced a truesize increase for frag_list skbs.
When uncloning skb, it will call pskb_expand_head and truesize for
frag_list skbs may increase. This can occur when allocators use
__netdev_alloc_skb and do not jump into __alloc_skb. This flow does not
use ksize(len) to calculate truesize while pskb_expand_head does.

    skb_segment_list
        err = skb_unclone(nskb, GFP_ATOMIC);
            pskb_expand_head
                if (!skb->sk || skb->destructor == sock_edemux)
                    skb->truesize += size - osize;

If we use the increased truesize as delta_truesize, it will be larger
than before and even larger than the previous total truesize value if
skbs in frag_list are abundant. The main skb truesize will become
smaller and even a minus value or a huge value for an unsigned int
parameter. Then the following memory check will drop this abnormal skb.

To avoid this error we should use the original truesize to segment the
main skb.

Fixes: 53475c5dd856 ("net: fix use-after-free when UDP GRO with shared fraglist")
Signed-off-by: lena wang
Acked-by: Paolo Abeni
Reviewed-by: Eric Dumazet
Link: https://lore.kernel.org/r/1646133431-8948-1-git-send-email-lena.wang@mediatek.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman
---
 net/core/skbuff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3853,6 +3853,7 @@ struct sk_buff *skb_segment_list(struct list_skb = list_skb->next; err = 0; + delta_truesize += nskb->truesize; if (skb_shared(nskb)) { tmp = skb_clone(nskb, GFP_ATOMIC); if (tmp) {
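Review bot: the new `delta_truesize += nskb->truesize;` placed ahead of `if (skb_shared(nskb))` is correct only because of ordering (it must read truesize before skb_unclone() can grow it through pskb_expand_head, so the subtraction matches what skb_gro_receive_list charged to the head), but nothing in the hunk says so. Add a one-line comment above it, e.g. `/* account the pre-unclone truesize: skb_unclone() may grow it */`, otherwise the next reader will see an accumulator that looks misplaced next to `err = 0;` and move it back beside `delta_len += nskb->len;`, reintroducing the regression the Fixes: tag describes. It is also worth noting in that comment that in the shared branch, where `tmp = skb_clone(nskb, GFP_ATOMIC)` is taken, the value recorded is the original skb's truesize rather than the clone's, which is the value the head was actually charged for.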
@@ -3877,7 +3878,6 @@ struct sk_buff *skb_segment_list(struct tail = nskb; delta_len += nskb->len; - delta_truesize += nskb->truesize; skb_push(nskb, -skb_network_offset(nskb) + offset);
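Review bot: with the accumulation removed here, `delta_len += nskb->len;` is the only per-segment total still computed after the unclone step. That is fine because skb_unclone() does not change skb->len, but the asymmetry with delta_truesize is now invisible at this point in the loop. A short comment next to the surviving `delta_len` update saying that truesize is deliberately accounted earlier, before unclone, would keep a future cleanup from "re-pairing" the two updates and undoing this fix.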
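To make the accounting failure in the changelog concrete, here is an added userspace model of the two orderings. It is not kernel code and not part of the patch: `struct mock_skb`, the byte counts, and the amount by which the modelled pskb_expand_head() grows an unowned skb are constructed for illustration. It charges a head skb for four frag_list skbs the way skb_gro_receive_list does, then segments once with the pre-patch ordering (truesize read after unclone) and once with the patched ordering (truesize read before unclone), and shows the unsigned wrap the commit message describes.

```c
/* Added userspace model of the truesize accounting described in the changelog.
 * NOT kernel code and not part of the patch: struct mock_skb, the byte counts
 * and the "grow on unclone" amount are constructed for illustration.
 * Build: cc -std=c11 -Wall truesize_model.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct mock_skb {
	unsigned int truesize;        /* like skb->truesize: unsigned int */
	unsigned int len;
	bool has_sk;                  /* models skb->sk != NULL */
	unsigned int grow_on_unclone; /* bytes pskb_expand_head() would add */
	struct mock_skb *next;        /* frag_list chain */
};

#define HEAD_TRUESIZE 768u   /* head skb's own truesize before GRO (constructed) */
#define NR_FRAGS      4
#define FRAG_TRUESIZE 512u   /* truesize __netdev_alloc_skb() charged (constructed) */
#define FRAG_GROWTH   256u   /* ksize() rounding seen only by pskb_expand_head (constructed) */

/* skb_gro_receive_list(): the head is charged each frag_list skb's truesize. */
static void mock_gro_receive_list(struct mock_skb *head, struct mock_skb *list)
{
	for (struct mock_skb *p = list; p; p = p->next) {
		head->truesize += p->truesize;
		head->len += p->len;
	}
}

/* skb_unclone() -> pskb_expand_head(): truesize grows for unowned skbs only. */
static void mock_unclone(struct mock_skb *skb)
{
	if (!skb->has_sk)
		skb->truesize += skb->grow_on_unclone;
}

/*
 * skb_segment_list() accounting loop. account_before_unclone=true is the
 * ordering the patch introduces; false is the pre-patch ordering.
 * Returns the head's resulting truesize.
 */
static unsigned int mock_segment_list(struct mock_skb *head,
				      struct mock_skb *list,
				      bool account_before_unclone)
{
	unsigned int delta_truesize = 0, delta_len = 0;

	for (struct mock_skb *nskb = list; nskb; nskb = nskb->next) {
		if (account_before_unclone)
			delta_truesize += nskb->truesize;
		mock_unclone(nskb);
		delta_len += nskb->len;
		if (!account_before_unclone)
			delta_truesize += nskb->truesize;
	}
	/* unsigned subtraction: wraps to a huge value when delta is too big */
	head->truesize -= delta_truesize;
	head->len -= delta_len;
	return head->truesize;
}

/* Build a fresh head + frag_list, run GRO then segmentation, return head truesize. */
static unsigned int run_scenario(bool fixed_ordering)
{
	struct mock_skb frags[NR_FRAGS];
	struct mock_skb head = { .truesize = HEAD_TRUESIZE, .len = 1400,
				 .has_sk = true };

	for (int i = 0; i < NR_FRAGS; i++) {
		frags[i] = (struct mock_skb){
			.truesize = FRAG_TRUESIZE, .len = 1400, .has_sk = false,
			.grow_on_unclone = FRAG_GROWTH,
			.next = (i + 1 < NR_FRAGS) ? &frags[i + 1] : NULL,
		};
	}
	mock_gro_receive_list(&head, frags);
	return mock_segment_list(&head, frags, fixed_ordering);
}

/* True when the head's truesize after segmentation is back to its own size. */
static bool head_truesize_sane(unsigned int truesize)
{
	return truesize == HEAD_TRUESIZE;
}

int main(void)
{
	unsigned int before = run_scenario(false);
	unsigned int after = run_scenario(true);

	printf("pre-patch ordering : head truesize = %u (%s)\n", before,
	       head_truesize_sane(before) ? "sane" : "underflowed");
	printf("patched ordering   : head truesize = %u (%s)\n", after,
	       head_truesize_sane(after) ? "sane" : "underflowed");
	return 0;
}
```

With these constructed sizes the head is charged 768 + 4 * 512 = 2816 at GRO time. The patched ordering subtracts 2048 and lands back on 768; the pre-patch ordering subtracts 4 * 768 = 3072, so the unsigned result wraps to 4294967040, which is the "huge value for an unsigned int parameter" that the later memory check rejects.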