Date: Thu, 18 May 2023 18:42:11 +0200
From: Simon Horman
To: Tudor Ambarus
Cc: bjorn@mork.no, joneslee@google.com, oliver@neukum.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, linux-usb@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+9f575a1f15fc0c01ed69@syzkaller.appspotmail.com
Subject: Re: [PATCH] net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
References: <87wnklivun.fsf@miraculix.mork.no> <20230517133808.1873695-1-tudor.ambarus@linaro.org> <20230517133808.1873695-2-tudor.ambarus@linaro.org>
In-Reply-To: <20230517133808.1873695-2-tudor.ambarus@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 17, 2023 at 01:38:08PM +0000, Tudor Ambarus wrote:
> Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than
> the calculated "min" value, but greater than zero, the logic sets
> tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in
> cdc_ncm_fill_tx_frame() where all the data is handled.
>
> For small values of dwNtbOutMaxSize the memory allocated during
> alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to
> how size is aligned at alloc time:
> 	size = SKB_DATA_ALIGN(size);
> 	size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
> Thus we hit the same bug that we tried to squash with
> commit 2be6d4d16a084 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero")
>
> Low values of dwNtbOutMaxSize do not cause an issue presently because at
> alloc_skb() time more memory (512b) is allocated than required for the
> SKB headers alone (320b), leaving some space (512b - 320b = 192b)
> for CDC data (172b).
>
> However, if more elements (for example 3 x u64 = [24b]) were added to
> one of the SKB header structs, say 'struct skb_shared_info',
> increasing its original size (320b [320b aligned]) to something larger
> (344b [384b aligned]), then suddenly the CDC data (172b) no longer
> fits in the spare SKB data area (512b - 384b = 128b).
>
> Consequently the SKB bounds checking semantics fails and panics:
>
> skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:
> ------------[ cut here ]------------
> kernel BUG at net/core/skbuff.c:113!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
> Workqueue: mld mld_ifc_work
> RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
> RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
> [snip]
> Call Trace:
>
> skb_put+0x151/0x210 net/core/skbuff.c:2047
> skb_put_zero include/linux/skbuff.h:2422 [inline]
> cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]
> cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308
> cdc_ncm_tx_fixup+0xa3/0x100
>
> Deal with too low values of dwNtbOutMaxSize, clamp it in the range
> [USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure
> enough data space is allocated to handle CDC data by making sure
> dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.
>
> Fixes: 289507d3364f ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning")
> Cc: stable@vger.kernel.org
> Reported-by: syzbot+9f575a1f15fc0c01ed69@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=b982f1059506db48409d
> Link: https://lore.kernel.org/all/20211202143437.1411410-1-lee.jones@linaro.org/
> Signed-off-by: Tudor Ambarus

Reviewed-by: Simon Horman
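The allocation arithmetic and the clamp described in the quoted commit message, worked through as an added C model. This is not code from the mail, from the patch, or from the kernel's cdc_ncm driver: it mirrors the two SKB_DATA_ALIGN steps quoted above and rounds the total up through a constructed table of generic kmalloc size classes standing in for ksize(). The 64-byte alignment (SMP_CACHE_BYTES on x86-64), the 320/344/172-byte sizes taken from the message, and the values USB_CDC_NCM_NTB_MIN_OUT_SIZE = 2048 and CDC_NCM_NTB_MAX_SIZE_TX = 32768 are assumptions to check against your own tree. Under those assumptions the model reproduces the message's numbers: with the original skb_shared_info the 172-byte NDP write fits in 192 bytes of tailroom, with the grown one it overruns 128 bytes (the end:0x80 in the panic line), and the clamp keeps the allocation large enough in either case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model assumption: 64-byte skb data alignment (SMP_CACHE_BYTES on x86-64). */
#define SMP_CACHE_BYTES 64
#define SKB_DATA_ALIGN(x) (((x) + (SMP_CACHE_BYTES - 1)) & ~(size_t)(SMP_CACHE_BYTES - 1))

/* Assumed header values (check your tree): the clamp range named in the commit message. */
#define USB_CDC_NCM_NTB_MIN_OUT_SIZE 2048u
#define CDC_NCM_NTB_MAX_SIZE_TX      32768u

/* Sizes quoted in the commit message. */
#define CDC_DATA_LEN         172  /* bytes cdc_ncm_ndp16() skb_put()s into the NTB */
#define SHINFO_SIZE_ORIGINAL 320  /* sizeof(struct skb_shared_info) before the growth */
#define SHINFO_SIZE_GROWN    344  /* after adding 3 x u64 */

/* Constructed stand-in for ksize(): round up to the generic kmalloc size classes. */
static size_t ksize_model(size_t size)
{
    static const size_t classes[] = {8, 16, 32, 64, 96, 128, 192, 256,
                                     512, 1024, 2048, 4096, 8192};
    for (size_t i = 0; i < sizeof(classes) / sizeof(classes[0]); i++)
        if (size <= classes[i])
            return classes[i];
    return size; /* beyond the modelled classes: assume an exact fit */
}

/* Tailroom the SKB ends up with, following the alloc_skb() steps quoted above:
 *   size  = SKB_DATA_ALIGN(size);
 *   size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
 * The usable data area is then ksize(data) minus the aligned shared_info. */
size_t skb_tailroom_model(size_t requested, size_t shinfo_size)
{
    size_t shinfo = SKB_DATA_ALIGN(shinfo_size);
    size_t total = SKB_DATA_ALIGN(requested) + shinfo;
    return ksize_model(total) - shinfo;
}

/* 1 if skb_put(skb, put) fits in that tailroom, 0 if it would trip skb_over_panic(). */
int skb_put_fits(size_t requested, size_t shinfo_size, size_t put)
{
    return put <= skb_tailroom_model(requested, shinfo_size);
}

/* The fix: clamp dwNtbOutMaxSize into [USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. */
uint32_t clamp_ntb_out_max_size(uint32_t dw_ntb_out_max_size)
{
    if (dw_ntb_out_max_size < USB_CDC_NCM_NTB_MIN_OUT_SIZE)
        return USB_CDC_NCM_NTB_MIN_OUT_SIZE;
    if (dw_ntb_out_max_size > CDC_NCM_NTB_MAX_SIZE_TX)
        return CDC_NCM_NTB_MAX_SIZE_TX;
    return dw_ntb_out_max_size;
}

int main(void)
{
    /* Constructed input: a device descriptor advertising a tiny dwNtbOutMaxSize. */
    uint32_t advertised = 1;
    uint32_t clamped = clamp_ntb_out_max_size(advertised);

    printf("tx_max=%u shinfo=%d: tailroom %zu, put %d fits=%d\n", advertised,
           SHINFO_SIZE_ORIGINAL, skb_tailroom_model(advertised, SHINFO_SIZE_ORIGINAL),
           CDC_DATA_LEN, skb_put_fits(advertised, SHINFO_SIZE_ORIGINAL, CDC_DATA_LEN));
    printf("tx_max=%u shinfo=%d: tailroom %zu, put %d fits=%d\n", advertised,
           SHINFO_SIZE_GROWN, skb_tailroom_model(advertised, SHINFO_SIZE_GROWN),
           CDC_DATA_LEN, skb_put_fits(advertised, SHINFO_SIZE_GROWN, CDC_DATA_LEN));
    printf("tx_max=%u (clamped) shinfo=%d: tailroom %zu, put %d fits=%d\n", clamped,
           SHINFO_SIZE_GROWN, skb_tailroom_model(clamped, SHINFO_SIZE_GROWN),
           CDC_DATA_LEN, skb_put_fits(clamped, SHINFO_SIZE_GROWN, CDC_DATA_LEN));
    return 0;
}
```

The point the model makes is that the old code's behaviour depended on slack the allocator happened to leave, not on anything the driver checked; the clamp turns that accident into a guaranteed lower bound on the NTB buffer.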