From: Eric Dumazet
Date: Thu, 31 Aug 2023 10:47:21 +0200
Subject: Re: [PATCH v3] skbuff: skb_segment, Call zero copy functions before using skbuff frags
To: Mohamed Khalfella
Cc: willemdebruijn.kernel@gmail.com, alexanderduyck@fb.com, bpf@vger.kernel.org, brouer@redhat.com, davem@davemloft.net, dhowells@redhat.com, keescook@chromium.org, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pabeni@redhat.com, willemb@google.com, stable@vger.kernel.org
In-Reply-To: <20230831081702.101342-1-mkhalfella@purestorage.com>

On Thu, Aug 31, 2023 at 10:17 AM Mohamed Khalfella wrote:
>
> Commit bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions
> once per nskb") added the call to zero copy functions in skb_segment().
> The change introduced a bug in skb_segment() because skb_orphan_frags()
> may possibly change the number of fragments or allocate new fragments
> altogether leaving nrfrags and frag to point to the old values. This can
> cause a panic with stacktrace like the one below.
>
>
> In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags
> local variable in skb_segment() stale. This resulted in the code hitting
> i >= nrfrags prematurely and trying to move to next frag_skb using
> list_skb pointer, which was NULL, and caused kernel panic. Move the call
> to zero copy functions before using frags and nr_frags.
>
> Fixes: bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions once per nskb")
> Signed-off-by: Mohamed Khalfella
> Reported-by: Amit Goyal
> Cc: stable@vger.kernel.org
> ---

Reviewed-by: Eric Dumazet
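
The stale-count failure described in the quoted commit message, reduced to a user-space C model. This is an added illustration, not code from the patch or the kernel: `struct buf`, `orphan_frags()`, `walk()`, `demo()` and the 6000-byte sample fragments are assumptions, and the NULL dereference is modelled as a `-1` return.

```c
/* User-space model, not kernel code; every name below is hypothetical. */
#include <stddef.h>
#define PAGE      4096
#define MAX_FRAGS 8

struct buf {
    int nr_frags;
    int frag_len[MAX_FRAGS];    /* length of each fragment */
    struct buf *next;           /* stands in for list_skb; NULL = none */
};

/* Stand-in for the zero copy step: data is re-packed into private PAGE-sized
 * fragments, so nr_frags can change. Caller keeps total <= MAX_FRAGS * PAGE. */
static void orphan_frags(struct buf *b)
{
    int total = 0, i;

    for (i = 0; i < b->nr_frags; i++)
        total += b->frag_len[i];
    for (i = 0; total > 0; i++, total -= PAGE)
        b->frag_len[i] = total > PAGE ? PAGE : total;
    b->nr_frags = i;
}

/* Cover `want` bytes. Returns bytes covered, or -1 at the point where the
 * walker would follow a NULL next pointer. stale=1 keeps the buggy order. */
static int walk(struct buf *b, int want, int stale)
{
    int nrfrags = b->nr_frags;      /* read before the zero copy step */
    int i = 0, done = 0;

    orphan_frags(b);
    if (!stale)
        nrfrags = b->nr_frags;      /* fixed order: read after the call */
    while (done < want) {
        if (i >= nrfrags) {         /* fragments believed exhausted */
            if (!b->next) return -1;
            b = b->next; i = 0; nrfrags = b->nr_frags;
        } else {
            done += b->frag_len[i++];
        }
    }
    return done;
}

static int demo(int stale)
{
    struct buf b = { 2, { 6000, 6000 }, NULL };  /* constructed: 12000 bytes */
    return walk(&b, 12000, stale);
}

int main(void) { return (demo(0) == 12000 && demo(1) == -1) ? 0 : 1; }
```

With the count cached first, the walker sees 2 fragments where there are now 3, covers only 8192 of 12000 bytes, and falls through to the missing next buffer; reading the count after the call covers all 12000.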