Merge branch 'tcp-take-care-of-another-syzbot-issue'
Eric Dumazet says: ==================== tcp: take care of another syzbot issue This is a minor issue: It took months for syzbot to find a C repro, and even with it, I had to spend a lot of time to understand KFENCE was a prereq. With the default kfence 500ms interval, I had to be very patient to trigger the kernel warning and perform my analysis. This series targets net-next tree, because I added a new generic helper in the first patch, then fixed the issue in the second one. They can be backported once proven solid. ==================== Link: https://lore.kernel.org/r/20220222032113.4005821-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
commit
fa4fad40d5
|
@ -1536,6 +1536,11 @@ static inline unsigned int skb_end_offset(const struct sk_buff *skb)
|
|||
{
|
||||
return skb->end;
|
||||
}
|
||||
|
||||
static inline void skb_set_end_offset(struct sk_buff *skb, unsigned int offset)
|
||||
{
|
||||
skb->end = offset;
|
||||
}
|
||||
#else
|
||||
static inline unsigned char *skb_end_pointer(const struct sk_buff *skb)
|
||||
{
|
||||
|
@ -1546,6 +1551,11 @@ static inline unsigned int skb_end_offset(const struct sk_buff *skb)
|
|||
{
|
||||
return skb->end - skb->head;
|
||||
}
|
||||
|
||||
static inline void skb_set_end_offset(struct sk_buff *skb, unsigned int offset)
|
||||
{
|
||||
skb->end = skb->head + offset;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Internal */
|
||||
|
@ -1785,19 +1795,19 @@ static inline int skb_unclone(struct sk_buff *skb, gfp_t pri)
|
|||
return 0;
|
||||
}
|
||||
|
||||
/* This variant of skb_unclone() makes sure skb->truesize is not changed */
|
||||
/* This variant of skb_unclone() makes sure skb->truesize
|
||||
* and skb_end_offset() are not changed, whenever a new skb->head is needed.
|
||||
*
|
||||
* Indeed there is no guarantee that ksize(kmalloc(X)) == ksize(kmalloc(X))
|
||||
* when various debugging features are in place.
|
||||
*/
|
||||
int __skb_unclone_keeptruesize(struct sk_buff *skb, gfp_t pri);
|
||||
static inline int skb_unclone_keeptruesize(struct sk_buff *skb, gfp_t pri)
|
||||
{
|
||||
might_sleep_if(gfpflags_allow_blocking(pri));
|
||||
|
||||
if (skb_cloned(skb)) {
|
||||
unsigned int save = skb->truesize;
|
||||
int res;
|
||||
|
||||
res = pskb_expand_head(skb, 0, 0, pri);
|
||||
skb->truesize = save;
|
||||
return res;
|
||||
}
|
||||
if (skb_cloned(skb))
|
||||
return __skb_unclone_keeptruesize(skb, pri);
|
||||
return 0;
|
||||
}
|
||||
|
||||
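Review bot: Both new `skb_set_end_offset()` variants are added without a comment, and the pointer variant (`skb->end = skb->head + offset;`) has an ordering requirement that the signature does not reveal: `skb->head` must already point at the final buffer when it is called. The converted call sites visible on this page all run after `skb->head = data`, but a future caller that sets the end offset before swapping the head would silently compute an end pointer into the old allocation. I would put a short comment above the helper, for example `/* Sets skb->end from an offset relative to skb->head; skb->head must already be final. */`. The rewritten comment on `skb_unclone_keeptruesize()` could also say that the function returns 0 on success and the `pskb_expand_head()` error otherwise.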
|
|
|
@ -201,7 +201,7 @@ static void __build_skb_around(struct sk_buff *skb, void *data,
|
|||
skb->head = data;
|
||||
skb->data = data;
|
||||
skb_reset_tail_pointer(skb);
|
||||
skb->end = skb->tail + size;
|
||||
skb_set_end_offset(skb, size);
|
||||
skb->mac_header = (typeof(skb->mac_header))~0U;
|
||||
skb->transport_header = (typeof(skb->transport_header))~0U;
|
||||
|
||||
|
@ -1736,11 +1736,10 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
|
|||
skb->head = data;
|
||||
skb->head_frag = 0;
|
||||
skb->data += off;
|
||||
|
||||
skb_set_end_offset(skb, size);
|
||||
#ifdef NET_SKBUFF_DATA_USES_OFFSET
|
||||
skb->end = size;
|
||||
off = nhead;
|
||||
#else
|
||||
skb->end = skb->head + size;
|
||||
#endif
|
||||
skb->tail += off;
|
||||
skb_headers_offset_update(skb, nhead);
|
||||
|
@ -1788,6 +1787,38 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, unsigned int headroom)
|
|||
}
|
||||
EXPORT_SYMBOL(skb_realloc_headroom);
|
||||
|
||||
int __skb_unclone_keeptruesize(struct sk_buff *skb, gfp_t pri)
|
||||
{
|
||||
unsigned int saved_end_offset, saved_truesize;
|
||||
struct skb_shared_info *shinfo;
|
||||
int res;
|
||||
|
||||
saved_end_offset = skb_end_offset(skb);
|
||||
saved_truesize = skb->truesize;
|
||||
|
||||
res = pskb_expand_head(skb, 0, 0, pri);
|
||||
if (res)
|
||||
return res;
|
||||
|
||||
skb->truesize = saved_truesize;
|
||||
|
||||
if (likely(skb_end_offset(skb) == saved_end_offset))
|
||||
return 0;
|
||||
|
||||
shinfo = skb_shinfo(skb);
|
||||
|
||||
/* We are about to change back skb->end,
|
||||
* we need to move skb_shinfo() to its new location.
|
||||
*/
|
||||
memmove(skb->head + saved_end_offset,
|
||||
shinfo,
|
||||
offsetof(struct skb_shared_info, frags[shinfo->nr_frags]));
|
||||
|
||||
skb_set_end_offset(skb, saved_end_offset);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* skb_expand_head - reallocate header of &sk_buff
|
||||
* @skb: buffer to reallocate
|
||||
|
@ -6044,11 +6075,7 @@ static int pskb_carve_inside_header(struct sk_buff *skb, const u32 off,
|
|||
skb->head = data;
|
||||
skb->data = data;
|
||||
skb->head_frag = 0;
|
||||
#ifdef NET_SKBUFF_DATA_USES_OFFSET
|
||||
skb->end = size;
|
||||
#else
|
||||
skb->end = skb->head + size;
|
||||
#endif
|
||||
skb_set_end_offset(skb, size);
|
||||
skb_set_tail_pointer(skb, skb_headlen(skb));
|
||||
skb_headers_offset_update(skb, 0);
|
||||
skb->cloned = 0;
|
||||
|
@ -6186,11 +6213,7 @@ static int pskb_carve_inside_nonlinear(struct sk_buff *skb, const u32 off,
|
|||
skb->head = data;
|
||||
skb->head_frag = 0;
|
||||
skb->data = data;
|
||||
#ifdef NET_SKBUFF_DATA_USES_OFFSET
|
||||
skb->end = size;
|
||||
#else
|
||||
skb->end = skb->head + size;
|
||||
#endif
|
||||
skb_set_end_offset(skb, size);
|
||||
skb_reset_tail_pointer(skb);
|
||||
skb_headers_offset_update(skb, 0);
|
||||
skb->cloned = 0;
|
||||
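Review bot: In `__skb_unclone_keeptruesize()` the `memmove()` to `skb->head + saved_end_offset` stays inside the new head only if the reallocated buffer's end offset is at least `saved_end_offset`, yet the guard before it tests only for equality. Presumably `pskb_expand_head()` sizes the new head from the old end offset, so the offset can only grow, but that allocation is outside the visible lines and the function does not state it. If the new end offset were ever smaller, the copy of `skb_shared_info` and the following `skb_set_end_offset()` would land past the end of the allocation. I would state the invariant in the comment above the `memmove()` and make it checkable, e.g. `if (WARN_ON_ONCE(skb_end_offset(skb) < saved_end_offset)) return -EINVAL;` before `shinfo = skb_shinfo(skb);`.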
|
|