Organization: Red Hat UK Ltd.
Subject: [PATCH net v3 2/6] rxrpc: Fix an insufficiently large sglist in rxkad_verify_packet_2()
From: David Howells
To: netdev@vger.kernel.org
Cc: Marc Dionne, linux-afs@lists.infradead.org, dhowells@redhat.com, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org
Date: Thu, 01 Sep 2022 13:26:39 +0100
Message-ID: <166203519965.271364.793413451600531844.stgit@warthog.procyon.org.uk>
In-Reply-To: <166203518656.271364.567426359603115318.stgit@warthog.procyon.org.uk>
References: <166203518656.271364.567426359603115318.stgit@warthog.procyon.org.uk>
User-Agent: StGit/1.5
X-Mailing-List: linux-kernel@vger.kernel.org

rxkad_verify_packet_2() has a small stack-allocated sglist of 4 elements, but if that isn't sufficient for the number of fragments in the socket buffer, we try to allocate an sglist large enough to hold all the fragments. However, for large packets with a lot of fragments, this isn't sufficient and we need at least one additional fragment.

The problem manifests as skb_to_sgvec() returning -EMSGSIZE and this then getting returned by userspace.

Most of the time, this isn't a problem as rxrpc sets a limit of 5692, big enough for 4 jumbo subpackets to be glued together; occasionally, however, the server will ignore the reported limit and give a packet that's a lot bigger - say 19852 bytes with ->nr_frags being 7. skb_to_sgvec() then tries to return a "zeroth" fragment that seems to occur before the fragments counted by ->nr_frags and we hit the end of the sglist too early.

Note that __skb_to_sgvec() also has an skb_walk_frags() loop that is recursive up to 24 deep.
I'm not sure if I need to take account of that too - or if there's an easy way of counting those frags too. Fix this by counting an extra frag and allocating a larger sglist based on that. Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()") Reported-by: Marc Dionne Signed-off-by: David Howells cc: linux-afs@lists.infradead.org --- net/rxrpc/rxkad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c index 258917a714c8..78fa0524156f 100644 --- a/net/rxrpc/rxkad.c +++ b/net/rxrpc/rxkad.c @@ -540,7 +540,7 @@ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb, * directly into the target buffer. */ sg = _sg; - nsg = skb_shinfo(skb)->nr_frags; + nsg = skb_shinfo(skb)->nr_frags + 1; if (nsg <= 4) { nsg = 4; } else {
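Review bot: the `nsg = skb_shinfo(skb)->nr_frags + 1;` line covers the one entry skb_to_sgvec() emits ahead of the ->nr_frags page fragments (the skb's linear data, the "zeroth" fragment the description mentions), but it does nothing for the skb_walk_frags() case the description explicitly leaves open: every skb chained on the frag_list contributes its own linear-data entry plus its own nr_frags when __skb_to_sgvec() recurses into it, so nsg can still come up short and the same -EMSGSIZE will reappear for such a packet. Either size nsg by walking the frag_list as well, or add a comment next to the assignment stating that the +1 is for the linear data and that frag_list skbs are assumed not to occur on this path, so the remaining assumption is visible to the next reader.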
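To make the sizing rule in the description concrete, here is a user-space model, added here and not part of the patch or of the kernel, that counts the scatterlist entries the walk emits (linear data first, then the page fragments, then frag_list children recursively) and compares the result with the sglist size computed before and after the patch; struct model_skb, sg_entries_needed(), size_before(), size_after() and sglist_fits() are all constructed names, and the sample packet values are constructed to match the report.

```c
/* User-space model, added as an example (not kernel code), of how many
 * scatterlist entries skb_to_sgvec() emits for a whole socket buffer.  The
 * walk order mirrors __skb_to_sgvec(): linear data first, then each ->nr_frags
 * page fragment, then every skb on the frag_list, recursively (limit 24 deep).
 * struct model_skb and all helpers here are constructed for the example. */

#define MAX_FRAG_DEPTH 24            /* recursion limit in __skb_to_sgvec() */

struct model_skb {
	int headlen;                 /* bytes of linear data at skb->data */
	int nr_frags;                /* skb_shinfo(skb)->nr_frags page fragments */
	struct model_skb *frag_list; /* first child walked by skb_walk_frags() */
	struct model_skb *next;      /* next sibling on the parent's frag_list */
};

/* Entries the walk needs; -1 models -EMSGSIZE when recursion goes too deep. */
static int sg_entries_needed(const struct model_skb *skb, int depth)
{
	const struct model_skb *child;
	int elt = 0, sub;

	if (depth >= MAX_FRAG_DEPTH)
		return -1;
	if (skb->headlen > 0)
		elt++;               /* the "zeroth" entry before the page frags */
	elt += skb->nr_frags;
	for (child = skb->frag_list; child; child = child->next) {
		sub = sg_entries_needed(child, depth + 1);
		if (sub < 0)
			return -1;
		elt += sub;
	}
	return elt;
}

/* Sizing rule before and after the patch, with the 4-entry on-stack minimum. */
static int sglist_size(int nsg) { return nsg <= 4 ? 4 : nsg; }
static int size_before(const struct model_skb *skb) { return sglist_size(skb->nr_frags); }
static int size_after(const struct model_skb *skb)  { return sglist_size(skb->nr_frags + 1); }

/* 1 when an sglist of 'size' entries holds the whole walk, else 0 (-EMSGSIZE). */
static int sglist_fits(const struct model_skb *skb, int size)
{
	int need = sg_entries_needed(skb, 0);
	return need >= 0 && need <= size;
}
```

For the reported packet (->nr_frags == 7 plus linear data) the walk needs 8 entries, so the pre-patch size of 7 fails and the post-patch size of 8 fits; adding one frag_list child with its own linear data and two fragments raises the need to 11, which the post-patch sizing still does not cover.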