Received: by 2002:a05:7412:37c9:b0:e2:908c:2ebd with SMTP id jz9csp1719423rdb; Wed, 20 Sep 2023 18:42:28 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHtgXCWW7wx5yMmllW2fsN/LBaKu0y5MDZJkh0ysc3FDtGTLGDQ6mdu7eUFfSXK296EMDKy X-Received: by 2002:a17:902:efc6:b0:1c5:6d04:75ee with SMTP id ja6-20020a170902efc600b001c56d0475eemr3109164plb.21.1695260547820; Wed, 20 Sep 2023 18:42:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695260547; cv=none; d=google.com; s=arc-20160816; b=YtnfagS1r6PQ9AOqMLbAMGrKCBAJqn9KZTLm32Dv/ULzOGA9GKnr+YjRqsZD5Icsk0 cnIVDo9n6yqq137IIbrOYOJIxM/D3bndltdQ1ncUlw73fdZSY1pEje2fE2XNOTyB1zQm gEhXozIpLya4mj3gJqlJaSyUNIjy/XZlfTcl1XqeOVFFGgJY8Auo13Mm4DoSn9jsUn0n sdL4Dqk8/raktchvw8HkQnSOO6yyXIn+QH12+piAdMcRdoIZK0FsXvpIU4NTxK2rDyjU aWhEQbeGn6qba1wrudhYWTyxxCZ/ceARwdohLaZWPP/W0GLEOQJ0tdmGwykYU38/9FLK DoAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=H6KMWbUCoc8DexqhlNXXHeZryH/GRdUKaDnFHjWc3FE=; fh=TJJs7QK1nT4lwP8jcOLWFZJM4itdmba2wkbuNAStxhg=; b=h84J6Vv0nTjXZs8OOW1ndlSNTcK5/Q8So7ck3hqUZalXtbT1EBh8O5ftP/7qVdDbq2 IRsnXL2FS3IhkynA5I7ju1Ue5G2Sy39MHhJVvmOm8s7LcMqyI0PaZpb/CrcQfoSJf9+3 uqL4TIkulqZQkyM0G1AYBjEYRaYXF5QoNbD7k5RipzjZHdJnKvkHirtlDsn3qvrEp5qf CJuAXMdSRbHzgsQTzrmCGM/Z7s3Uu94uk30KY3DNWD4rdwu3UbCtLxv7hq0766JxEZnY dfM/16xs5l9vBXzOzZlyc8f1Fj/Z9HdgBUqoLvZjgU6ge7e+59HN+a+dPFGwyW55D71R btzw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=ZG+uxVGT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from groat.vger.email (groat.vger.email. [23.128.96.35]) by mx.google.com with ESMTPS id y18-20020a17090322d200b001bbb8324bd5si334186plg.479.2023.09.20.18.42.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Sep 2023 18:42:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=ZG+uxVGT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 87BEC8316EC9; Wed, 20 Sep 2023 18:42:24 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229696AbjIUBmV (ORCPT + 99 others); Wed, 20 Sep 2023 21:42:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60472 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229560AbjIUBmV (ORCPT ); Wed, 20 Sep 2023 21:42:21 -0400 Received: from mail-vs1-xe31.google.com (mail-vs1-xe31.google.com [IPv6:2607:f8b0:4864:20::e31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 14FB8A9; Wed, 20 Sep 2023 18:42:15 -0700 (PDT) Received: by mail-vs1-xe31.google.com with SMTP id ada2fe7eead31-45274236ef6so228622137.3; Wed, 20 Sep 2023 18:42:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1695260534; x=1695865334; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=H6KMWbUCoc8DexqhlNXXHeZryH/GRdUKaDnFHjWc3FE=; b=ZG+uxVGTNoec2F1DRYV+KAFSq8gvUvWhkGt7jwsk1LXbvsuS7aqhfIFdWwR8JHieG8 CDZSVq4NEFGj0K3T8d7DXT/RdTmiCH85dIt3zBxfh9/07qgmusLkaM66Ar56p7PKUBtP u6miHIkAUp1Cjwd1J6h9MnXZ6EhGulqsND5PG885KCHeQ78mwKu4dzItyBdF8dEyhj4K yBezvWoL3kdlMAyptBYuqEg2WRDD4b5p38qDs7ERgJVPXNs3iDFKzqBVdbgdeWOBRTcf KU9aE0oInpnprV5p0dZIWwj6lpimJByOCN6rG6z4dRN9XLtXMxkeimo+mUm1dat5A3aN OG3g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695260534; x=1695865334; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=H6KMWbUCoc8DexqhlNXXHeZryH/GRdUKaDnFHjWc3FE=; b=oLMCqhperk5GHFH4OeE883EIJT33i6PJGCaV4jXbNRtYcYcXz3+clvEo1g/BtwuZdM F+d67qFTbgaE45uDIr6+l+7xzqjPl8/h5AWm0fnhe1eQ5F61P6+Ii0XWxNRcEGgM9+N6 8tlbgWYXSqhqJ84d59HAjJep0G59vGfR8f5yEJBPA/AOafcus47nTEIazgwan4UhAWxe ABoyouyr2RmAdPceJK+LXGFCAsSC6OjzRqsI4ei8jaK1xF8+qYdTrtwCwZeReJmDi6Kp W0msuTLRm79mpCgo8uFLf0cG+YiWR79Sauh+5346fv7aYm7W086n5obPWG3N+VzOHdp6 0WTQ== X-Gm-Message-State: AOJu0YyxEDJquWEfKEliTy102b3zOsgU7zms5LvZ1XOIheoVZ5YsM7mz nEdYlawnVn/HOtK1YI+GuW4Gh36cuWGFmSVYkH6kP+4lUjc= X-Received: by 2002:a67:bc09:0:b0:44e:d6c3:51d4 with SMTP id t9-20020a67bc09000000b0044ed6c351d4mr4625646vsn.18.1695260534071; Wed, 20 Sep 2023 18:42:14 -0700 (PDT) MIME-Version: 1.0 References: <108791.1695199151@warthog.procyon.org.uk> <650af9a2aa74_37bf362941f@willemb.c.googlers.com.notmuch> In-Reply-To: <650af9a2aa74_37bf362941f@willemb.c.googlers.com.notmuch> From: Willem de Bruijn Date: Wed, 20 Sep 2023 21:41:38 -0400 Message-ID: Subject: Re: [PATCH net v2] ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() To: David Howells , netdev@vger.kernel.org Cc: syzbot+62cbf263225ae13ff153@syzkaller.appspotmail.com, Eric Dumazet , "David S. Miller" , David Ahern , Paolo Abeni , Jakub Kicinski , bpf@vger.kernel.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Wed, 20 Sep 2023 18:42:24 -0700 (PDT) On Wed, Sep 20, 2023 at 9:54=E2=80=AFAM Willem de Bruijn wrote: > > David Howells wrote: > > Including the transhdrlen in length is a problem when the packet is > > partially filled (e.g. something like send(MSG_MORE) happened previousl= y) > > when appending to an IPv4 or IPv6 packet as we don't want to repeat the > > transport header or account for it twice. This can happen under some > > circumstances, such as splicing into an L2TP socket. > > > > The symptom observed is a warning in __ip6_append_data(): > > > > WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_appen= d_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800 > > > > that occurs when MSG_SPLICE_PAGES is used to append more data to an alr= eady > > partially occupied skbuff. The warning occurs when 'copy' is larger th= an > > the amount of data in the message iterator. This is because the reques= ted > > length includes the transport header length when it shouldn't. This ca= n be > > triggered by, for example: > > > > sfd =3D socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP); > > bind(sfd, ...); // ::1 > > connect(sfd, ...); // ::1 port 7 > > send(sfd, buffer, 4100, MSG_MORE); > > sendfile(sfd, dfd, NULL, 1024); > > > > Fix this by deducting transhdrlen from length in ip{,6}_append_data() r= ight > > before we clear transhdrlen if there is already a packet that we're goi= ng > > to try appending to. > > > > Reported-by: syzbot+62cbf263225ae13ff153@syzkaller.appspotmail.com > > Link: https://lore.kernel.org/r/0000000000001c12b30605378ce8@google.com= / > > Signed-off-by: David Howells > > cc: Eric Dumazet > > cc: Willem de Bruijn > > cc: "David S. Miller" > > cc: David Ahern > > cc: Paolo Abeni > > cc: Jakub Kicinski > > cc: netdev@vger.kernel.org > > cc: bpf@vger.kernel.org > > cc: syzkaller-bugs@googlegroups.com > > Link: https://lore.kernel.org/r/75315.1695139973@warthog.procyon.org.uk= / # v1 > > --- > > net/ipv4/ip_output.c | 1 + > > net/ipv6/ip6_output.c | 1 + > > 2 files changed, 2 insertions(+) > > > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c > > index 4ab877cf6d35..9646f2d9afcf 100644 > > --- a/net/ipv4/ip_output.c > > +++ b/net/ipv4/ip_output.c > > @@ -1354,6 +1354,7 @@ int ip_append_data(struct sock *sk, struct flowi4= *fl4, > > if (err) > > return err; > > } else { > > + length -=3D transhdrlen; > > transhdrlen =3D 0; > > } > > > > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c > > index 54fc4c711f2c..6a4ce7f622e9 100644 > > --- a/net/ipv6/ip6_output.c > > +++ b/net/ipv6/ip6_output.c > > @@ -1888,6 +1888,7 @@ int ip6_append_data(struct sock *sk, > > length +=3D exthdrlen; > > transhdrlen +=3D exthdrlen; > > } else { > > + length -=3D transhdrlen; > > transhdrlen =3D 0; > > } > > > > Definitely a much simpler patch, thanks. > > So the current model is that callers with non-zero transhdrlen always > pass to __ip_append_data payload length + transhdrlen. > > I do see that udp does this: ulen +=3D sizeof(struct udphdr); This calls > ip_make_skb if not corked, but directly ip_append_data if corked. > > Then __ip_append_data will use transhdrlen in its packet calculations, > and reset that to zero after allocating the first new skb. > > So if corked *and* fragmentation, which would cause a new skb to be > allocated, the next skb would incorrectly reserve udp header space, > because the second __ip_append_data call will again pass transhdrlen. > If so, then this patch fixes that. But that has never been reported, > so I'm most likely misreading some part.. This works today because udp only includes transhdrlen if not corked. In udpv6_sendmsg: if (up->pending) { ... goto do_append_data; } ulen +=3D sizeof(struct udphdr); So ip6_append_data is called with ulen =3D=3D len once data is pending, so subtracting transhdrlen (which is still sizeof(udphdr)) would not be correct. l2tp_ip6_sendmsg more or less follows udpv6_sendmsg, but it unconditionally sets ulen =3D len + transhdrlen. So maybe the fix is in L2TP: +++ b/net/l2tp/l2tp_ip6.c @@ -507,7 +507,6 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) */ if (len > INT_MAX - transhdrlen) return -EMSGSIZE; - ulen =3D len + transhdrlen; /* Mirror BSD error message compatibility */ if (msg->msg_flags & MSG_OOB) @@ -628,6 +627,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) back_from_confirm: lock_sock(sk); + ulen =3D len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen := 0; As said, only raw, udp and l2p can possibly pass MSG_MORE and so cause secondary invocations of ip6_append_data for the same send. With raw passing transhdrlen 0, and udp as discussed above, we only have to consider l2tp.