p71924506
/
linux_old1
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'tcp-take-care-of-another-syzbot-issue' 

Eric Dumazet says:

====================
tcp: take care of another syzbot issue

This is a minor issue: It took months for syzbot to find a C repro,
and even with it, I had to spend a lot of time to understand KFENCE
was a prereq. With the default kfence 500ms interval, I had to be
very patient to trigger the kernel warning and perform my analysis.

This series targets net-next tree, because I added a new generic helper
in the first patch, then fixed the issue in the second one.
They can be backported once proven solid.
====================

Link: https://lore.kernel.org/r/20220222032113.4005821-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Jakub Kicinski 2022-02-22 19:44:06 -08:00
parent 0ebea8f9b8 2b88cba558
commit fa4fad40d5
2 changed files with 56 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
include/linux/skbuff.h
View File

@ -1536,6 +1536,11 @@ static inline unsigned int skb_end_offset(const struct sk_buff *skb)
{ {
return skb->end; return skb->end;
} }
static inline void skb_set_end_offset(struct sk_buff *skb, unsigned int offset)
{
skb->end = offset;
}
#else #else
static inline unsigned char *skb_end_pointer(const struct sk_buff *skb) static inline unsigned char *skb_end_pointer(const struct sk_buff *skb)
{ {
@ -1546,6 +1551,11 @@ static inline unsigned int skb_end_offset(const struct sk_buff *skb)
{ {
return skb->end - skb->head; return skb->end - skb->head;
} }
static inline void skb_set_end_offset(struct sk_buff *skb, unsigned int offset)
{
skb->end = skb->head + offset;
}
#endif #endif
/* Internal */ /* Internal */
@ -1785,19 +1795,19 @@ static inline int skb_unclone(struct sk_buff *skb, gfp_t pri)
return 0; return 0;
} }
/* This variant of skb_unclone() makes sure skb->truesize is not changed */ /* This variant of skb_unclone() makes sure skb->truesize
* and skb_end_offset() are not changed, whenever a new skb->head is needed.
*
* Indeed there is no guarantee that ksize(kmalloc(X)) == ksize(kmalloc(X))
* when various debugging features are in place.
*/
int __skb_unclone_keeptruesize(struct sk_buff *skb, gfp_t pri);
static inline int skb_unclone_keeptruesize(struct sk_buff *skb, gfp_t pri) static inline int skb_unclone_keeptruesize(struct sk_buff *skb, gfp_t pri)
{ {
might_sleep_if(gfpflags_allow_blocking(pri)); might_sleep_if(gfpflags_allow_blocking(pri));
if (skb_cloned(skb)) { if (skb_cloned(skb))
unsigned int save = skb->truesize; return __skb_unclone_keeptruesize(skb, pri);
int res;
res = pskb_expand_head(skb, 0, 0, pri);
skb->truesize = save;
return res;
}
return 0; return 0;
} }

51
net/core/skbuff.c
View File

@ -201,7 +201,7 @@ static void __build_skb_around(struct sk_buff *skb, void *data,
skb->head = data; skb->head = data;
skb->data = data; skb->data = data;
skb_reset_tail_pointer(skb); skb_reset_tail_pointer(skb);
skb->end = skb->tail + size; skb_set_end_offset(skb, size);
skb->mac_header = (typeof(skb->mac_header))~0U; skb->mac_header = (typeof(skb->mac_header))~0U;
skb->transport_header = (typeof(skb->transport_header))~0U; skb->transport_header = (typeof(skb->transport_header))~0U;
@ -1736,11 +1736,10 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
skb->head = data; skb->head = data;
skb->head_frag = 0; skb->head_frag = 0;
skb->data += off; skb->data += off;
skb_set_end_offset(skb, size);
#ifdef NET_SKBUFF_DATA_USES_OFFSET #ifdef NET_SKBUFF_DATA_USES_OFFSET
skb->end = size;
off = nhead; off = nhead;
#else
skb->end = skb->head + size;
#endif #endif
skb->tail += off; skb->tail += off;
skb_headers_offset_update(skb, nhead); skb_headers_offset_update(skb, nhead);
@ -1788,6 +1787,38 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, unsigned int headroom)
} }
EXPORT_SYMBOL(skb_realloc_headroom); EXPORT_SYMBOL(skb_realloc_headroom);
int __skb_unclone_keeptruesize(struct sk_buff *skb, gfp_t pri)
{
unsigned int saved_end_offset, saved_truesize;
struct skb_shared_info *shinfo;
int res;
saved_end_offset = skb_end_offset(skb);
saved_truesize = skb->truesize;
res = pskb_expand_head(skb, 0, 0, pri);
if (res)
return res;
skb->truesize = saved_truesize;
if (likely(skb_end_offset(skb) == saved_end_offset))
return 0;
shinfo = skb_shinfo(skb);
/* We are about to change back skb->end,
* we need to move skb_shinfo() to its new location.
*/
memmove(skb->head + saved_end_offset,
shinfo,
offsetof(struct skb_shared_info, frags[shinfo->nr_frags]));
skb_set_end_offset(skb, saved_end_offset);
return 0;
}
/** /**
* skb_expand_head - reallocate header of &sk_buff * skb_expand_head - reallocate header of &sk_buff
* @skb: buffer to reallocate * @skb: buffer to reallocate
@ -6044,11 +6075,7 @@ static int pskb_carve_inside_header(struct sk_buff *skb, const u32 off,
skb->head = data; skb->head = data;
skb->data = data; skb->data = data;
skb->head_frag = 0; skb->head_frag = 0;
#ifdef NET_SKBUFF_DATA_USES_OFFSET skb_set_end_offset(skb, size);
skb->end = size;
#else
skb->end = skb->head + size;
#endif
skb_set_tail_pointer(skb, skb_headlen(skb)); skb_set_tail_pointer(skb, skb_headlen(skb));
skb_headers_offset_update(skb, 0); skb_headers_offset_update(skb, 0);
skb->cloned = 0; skb->cloned = 0;
@ -6186,11 +6213,7 @@ static int pskb_carve_inside_nonlinear(struct sk_buff *skb, const u32 off,
skb->head = data; skb->head = data;
skb->head_frag = 0; skb->head_frag = 0;
skb->data = data; skb->data = data;
#ifdef NET_SKBUFF_DATA_USES_OFFSET skb_set_end_offset(skb, size);
skb->end = size;
#else
skb->end = skb->head + size;
#endif
skb_reset_tail_pointer(skb); skb_reset_tail_pointer(skb);
skb_headers_offset_update(skb, 0); skb_headers_offset_update(skb, 0);
skb->cloned = 0; skb->cloned = 0;