From patchwork Sat Apr 27 18:24:19 2024
X-Patchwork-Submitter: Felix Fietkau
X-Patchwork-Id: 13645726
X-Patchwork-Delegate: kuba@kernel.org
From: Felix Fietkau
To: netdev@vger.kernel.org, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Steffen Klassert, Willem de Bruijn
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH net 2/2] net: core: reject skb_copy(_expand) for fraglist GSO skbs
Date: Sat, 27 Apr 2024 20:24:19 +0200
Message-ID: <20240427182420.24673-2-nbd@nbd.name>
In-Reply-To: <20240427182420.24673-1-nbd@nbd.name>

SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become invalid.
Return NULL if such an skb is passed to skb_copy or skb_copy_expand, in order
to prevent a crash on a potential later call to skb_gso_segment.

Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
Signed-off-by: Felix Fietkau
---
 net/core/skbuff.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c index b99127712e67..4096e679f61c 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c
@@ -2123,11 +2123,17 @@ static inline int skb_alloc_rx_flag(const struct sk_buff *skb) struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask) { - int headerlen = skb_headroom(skb); - unsigned int size = skb_end_offset(skb) + skb->data_len; - struct sk_buff *n = __alloc_skb(size, gfp_mask, - skb_alloc_rx_flag(skb), NUMA_NO_NODE); + struct sk_buff *n; + unsigned int size; + int headerlen; + + if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST)) + return NULL; + headerlen = skb_headroom(skb); + size = skb_end_offset(skb) + skb->data_len; + n = __alloc_skb(size, gfp_mask, + skb_alloc_rx_flag(skb), NUMA_NO_NODE); if (!n) return NULL; @@ -2455,12 +2461,17 @@ struct sk_buff *skb_copy_expand(const struct sk_buff *skb, /* * Allocate the copy buffer */ - struct sk_buff *n = __alloc_skb(newheadroom + skb->len + newtailroom, - gfp_mask, skb_alloc_rx_flag(skb), - NUMA_NO_NODE); - int oldheadroom = skb_headroom(skb); int head_copy_len, head_copy_off; + struct sk_buff *n; + int oldheadroom; + + if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST)) + return NULL; + oldheadroom = skb_headroom(skb); + n = __alloc_skb(newheadroom + skb->len + newtailroom, + gfp_mask, skb_alloc_rx_flag(skb), + NUMA_NO_NODE); if (!n) return NULL;
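Review bot: in the first hunk (skb_copy), the new early `return NULL;` is indistinguishable to callers from the allocation-failure return that follows it (`if (!n) return NULL;`), so a fraglist GSO skb will be handled as an out-of-memory condition, and after the first hit WARN_ON_ONCE stays silent while the copies keep failing. Please document in the function's comment that NULL is also returned for SKB_GSO_FRAGLIST skbs. It is also worth stating in the commit message whether this condition can be reached from received traffic: on systems running with panic_on_warn, the WARN_ON_ONCE itself becomes a panic, which would trade the skb_gso_segment crash named in the commit message for another one.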
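Review bot: in the second hunk (skb_copy_expand), the existing "Allocate the copy buffer" comment now sits above the declarations and the SKB_GSO_FRAGLIST check instead of the allocation it describes. Please move it down to directly above `n = __alloc_skb(newheadroom + skb->len + newtailroom,` so the comment and the call stay together. The check is the same line as the one added to skb_copy, so the new NULL return needs the same mention in this function's comment as well.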