From patchwork Tue Jun 5 15:27:02 2018
X-Patchwork-Submitter: "Christoph Lameter (Ampere)"
X-Patchwork-Id: 10448489
Date: Tue, 5 Jun 2018 15:27:02 +0000
From: Christopher Lameter
To: Anton Eidelman
cc: Kees Cook, Matthew Wilcox, Laura Abbott, Linux-MM, linux-hardened@lists.openwall.com
Subject: Re: HARDENED_USERCOPY will BUG on multiple slub objects coalesced into an sk_buff fragment
Message-ID: <01000163d08f00b4-068f6b54-5d34-447d-90c6-010a24fc36d5-000000@email.amazonses.com>
References: <55be03eb-3d0d-d43d-b0a4-669341e6d9ab@redhat.com> <20180601205837.GB29651@bombadil.infradead.org>
User-Agent: Alpine 2.21 (DEB 202 2017-01-01)
Sender: owner-linux-mm@kvack.org

On Fri, 1 Jun 2018, Anton Eidelman wrote:

> I do not have a way of reproducing this decent enough to recommend: I'll
> keep digging.

If you can reproduce it: Could you try the following patch?

Subject: [NET] Fix false positives of skb_can_coalesce

Skb fragments may be slab objects. Two slab objects may reside in the same
slab page. In that case skb_can_coalesce() may return true although the skb
cannot be expanded because it would cross a slab boundary.

Enabling slab debugging will avoid the issue since red zones will be inserted
and thus the skb_can_coalesce() check will not detect neighboring objects and
return false.

Signed-off-by: Christoph Lameter

Index: linux/include/linux/skbuff.h
===================================================================
--- linux.orig/include/linux/skbuff.h
+++ linux/include/linux/skbuff.h
@@ -3010,8 +3010,29 @@ static inline bool skb_can_coalesce(stru if (i) { const struct skb_frag_struct *frag = &skb_shinfo(skb)->frags[i - 1]; - return page == skb_frag_page(frag) && - off == frag->page_offset + skb_frag_size(frag); + if (page != skb_frag_page(frag)) + return false; + + if (off != frag->page_offset + skb_frag_size(frag)) + return false; + + /* + * This may be a slab page and we may have pointers + * to different slab objects in the same page + */ + if (!PageSlab(skb_frag_page(frag))) + return true; + + /* + * We could still return true if we would check here + * if the two fragments are within the same + * slab object. But that is complicated and + * I guess we would need a new slab function + * to check if two pointers are within the same + * object. + */ + return false; + } return false; }
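Review bot: The final `return false` in the new slab branch refuses to coalesce whenever the previous fragment lives in a slab page, including the case where `off` still falls inside the same slab object as `frag`; the in-code comment admits this but phrases it as a guess ("I guess we would need a new slab function"), so either add the slab-side helper the comment asks for or reword the comment into a plain statement that slab-backed fragments are never coalesced until such a helper exists, so readers of skbuff.h do not take it for an open question. Minor: `skb_frag_page(frag)` is re-evaluated for the `PageSlab()` test even though the first added check has already established `page == skb_frag_page(frag)`; `if (!PageSlab(page))` says the same thing without the second lookup. Also minor: the added blank line before the closing `}` of the `if (i)` block is unnecessary.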
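To make the false positive concrete, here is an added user-space model of the three rules in play: the original skb_can_coalesce() test, the patched one, and the finer same-object test the hunk's comment mentions but does not implement. This is example code, not kernel code and not part of Lameter's patch. The struct page and struct frag layouts, the 256-byte object size and the offsets are constructed for the demo, and usercopy_ok() is a model of the HARDENED_USERCOPY condition named in the subject line (a copy must not span more than one slab object), not the kernel's implementation.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not kernel code. A "page" records only whether it is a
 * slab page and, if so, the object size carved out of it (an assumption:
 * real SLUB keeps this in struct kmem_cache, not in struct page). */
struct page {
	bool slab;		/* stands in for PageSlab(page) */
	unsigned int objsize;	/* slab object size, slab pages only */
};

/* Stands in for skb_frag_struct: page, page_offset, size. */
struct frag {
	const struct page *page;
	unsigned int page_offset;
	unsigned int size;
};

/* The test the patch removes ('-' lines): same page and byte-contiguous. */
static bool can_coalesce_orig(const struct frag *prev,
			      const struct page *page, unsigned int off)
{
	return page == prev->page && off == prev->page_offset + prev->size;
}

/* The test the patch adds ('+' lines): contiguous, and never a slab page. */
static bool can_coalesce_patched(const struct frag *prev,
				 const struct page *page, unsigned int off)
{
	if (page != prev->page)
		return false;
	if (off != prev->page_offset + prev->size)
		return false;
	if (!page->slab)
		return true;
	return false;
}

/* True when [off, off + len) lies in the same slab object as byte 'anchor'
 * of the same page; trivially true for non-slab pages. */
static bool same_slab_object(const struct page *page, unsigned int anchor,
			     unsigned int off, unsigned int len)
{
	if (!page->slab)
		return true;
	return anchor / page->objsize == (off + len - 1) / page->objsize;
}

/* The finer test the hunk's comment describes but does not implement:
 * contiguous and still inside the previous fragment's slab object. */
static bool can_coalesce_same_object(const struct frag *prev,
				     const struct page *page,
				     unsigned int off, unsigned int len)
{
	return can_coalesce_orig(prev, page, off) &&
	       same_slab_object(page, prev->page_offset, off, len);
}

/* Model of the HARDENED_USERCOPY condition: a copy out of a slab-backed
 * fragment must not span more than one object. */
static bool usercopy_ok(const struct frag *f)
{
	return same_slab_object(f->page, f->page_offset, f->page_offset, f->size);
}

struct outcome {
	bool orig;		/* pre-patch check */
	bool patched;		/* patched check */
	bool same_obj;		/* same-object check */
	bool bug_after_orig;	/* coalescing under the old rule trips usercopy */
};

static struct outcome evaluate(const struct frag *prev, const struct page *page,
			       unsigned int off, unsigned int len)
{
	struct outcome o;
	struct frag merged = { prev->page, prev->page_offset, prev->size + len };

	o.orig = can_coalesce_orig(prev, page, off);
	o.patched = can_coalesce_patched(prev, page, off);
	o.same_obj = can_coalesce_same_object(prev, page, off, len);
	o.bug_after_orig = o.orig && !usercopy_ok(&merged);
	return o;
}

static const struct page slab_page = { .slab = true, .objsize = 256 };	/* constructed */
static const struct page plain_page = { .slab = false, .objsize = 0 };	/* e.g. page cache */

/* Scenario 1: the fragment covers slab object 0 (bytes 0..255) and the new
 * data is the neighbouring object 1 (bytes 256..511) of the same page. */
struct outcome scenario_adjacent_objects(void)
{
	struct frag prev = { &slab_page, 0, 256 };
	return evaluate(&prev, &slab_page, 256, 256);
}

/* Scenario 2: 64 bytes of object 1 are in use and 64 more bytes of the same
 * object are appended; only the patched check refuses this. */
struct outcome scenario_same_object(void)
{
	struct frag prev = { &slab_page, 256, 64 };
	return evaluate(&prev, &slab_page, 320, 64);
}

/* Scenario 3: a non-slab page; all three checks agree. */
struct outcome scenario_plain_page(void)
{
	struct frag prev = { &plain_page, 1024, 512 };
	return evaluate(&prev, &plain_page, 1536, 512);
}

int main(void)
{
	struct outcome a = scenario_adjacent_objects();
	struct outcome s = scenario_same_object();
	struct outcome p = scenario_plain_page();

	printf("adjacent objects: orig=%d patched=%d same_object=%d bug=%d\n",
	       a.orig, a.patched, a.same_obj, a.bug_after_orig);
	printf("same object:      orig=%d patched=%d same_object=%d bug=%d\n",
	       s.orig, s.patched, s.same_obj, s.bug_after_orig);
	printf("plain page:       orig=%d patched=%d same_object=%d bug=%d\n",
	       p.orig, p.patched, p.same_obj, p.bug_after_orig);
	return 0;
}
```

Scenario 1 is the report from the subject line: the old rule accepts the append, the merged fragment then spans two objects, and a copy out of it fails the one-object usercopy check. Scenario 2 shows the cost of the patch's coarse rule, which rejects an append that the same-object rule would allow.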