From: Felix Fietkau
To: netdev@vger.kernel.org, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Steffen Klassert, Willem de Bruijn
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH net 2/2] net: core: reject skb_copy(_expand) for fraglist GSO skbs
Date: Sat, 27 Apr 2024 20:24:19 +0200
Message-ID: <20240427182420.24673-2-nbd@nbd.name>
In-Reply-To: <20240427182420.24673-1-nbd@nbd.name>

SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become invalid.
Return NULL if such an skb is passed to skb_copy or skb_copy_expand, in order
to prevent a crash on a potential later call to skb_gso_segment.

Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
Signed-off-by: Felix Fietkau
---
 net/core/skbuff.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c index b99127712e67..4096e679f61c 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c 
@@ -2123,11 +2123,17 @@ static inline int skb_alloc_rx_flag(const struct sk_buff *skb) struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask) { - int headerlen = skb_headroom(skb); - unsigned int size = skb_end_offset(skb) + skb->data_len; - struct sk_buff *n = __alloc_skb(size, gfp_mask, - skb_alloc_rx_flag(skb), NUMA_NO_NODE); + struct sk_buff *n; + unsigned int size; + int headerlen; + + if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST)) + return NULL; + headerlen = skb_headroom(skb); + size = skb_end_offset(skb) + skb->data_len; + n = __alloc_skb(size, gfp_mask, + skb_alloc_rx_flag(skb), NUMA_NO_NODE); if (!n) return NULL; @@ -2455,12 +2461,17 @@ struct sk_buff *skb_copy_expand(const struct sk_buff *skb, /* * Allocate the copy buffer */ - struct sk_buff *n = __alloc_skb(newheadroom + skb->len + newtailroom, - gfp_mask, skb_alloc_rx_flag(skb), - NUMA_NO_NODE); - int oldheadroom = skb_headroom(skb); int head_copy_len, head_copy_off; + struct sk_buff *n; + int oldheadroom; + + if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST)) + return NULL; + oldheadroom = skb_headroom(skb); + n = __alloc_skb(newheadroom + skb->len + newtailroom, + gfp_mask, skb_alloc_rx_flag(skb), + NUMA_NO_NODE); if (!n) return NULL; -- 2.44.0
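
Review bot: In the skb_copy() hunk, the new `return NULL` for SKB_GSO_FRAGLIST cannot be told apart from the `if (!n) return NULL` allocation failure a few lines below it, so a caller that treats NULL as out-of-memory has no way to know the skb was refused on purpose. Because WARN_ON_ONCE reports only the first occurrence, every later rejection is silent. A short comment above the check stating that fraglist GSO skbs must not be linearized and are rejected here would record the new contract for callers.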
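
Review bot: In the skb_copy_expand() hunk, the existing "Allocate the copy buffer" comment now sits above the declarations and the new GSO check instead of the allocation it describes; moving it down to just before `n = __alloc_skb(newheadroom + skb->len + newtailroom,` would keep it accurate. The test `WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST)` is also repeated verbatim from skb_copy(), so a small shared helper would keep the two copy paths from drifting apart.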