From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Kuniyuki Iwashima <kuniyu@amazon.com>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.10 36/57] dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.
Date: Mon, 20 Feb 2023 14:36:44 +0100 [thread overview]
Message-ID: <20230220133550.603742539@linuxfoundation.org> (raw)
In-Reply-To: <20230220133549.360169435@linuxfoundation.org>
From: Kuniyuki Iwashima <kuniyu@amazon.com>
commit ca43ccf41224b023fc290073d5603a755fd12eed upstream.
Eric Dumazet pointed out [0] that when we call skb_set_owner_r()
for ipv6_pinfo.pktoptions, sk_rmem_schedule() has not been called,
resulting in a negative sk_forward_alloc.
We add a new helper which clones a skb and sets its owner only
when sk_rmem_schedule() succeeds.
Note that we move skb_set_owner_r() forward in (dccp|tcp)_v6_do_rcv()
because tcp_send_synack() can make sk_forward_alloc negative before
ipv6_opt_accepted() in the crossed SYN-ACK or self-connect() cases.
[0]: https://lore.kernel.org/netdev/CANn89iK9oc20Jdi_41jb9URdF210r7d1Y-+uypbMSbOfY6jqrg@mail.gmail.com/
Fixes: 323fbd0edf3f ("net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()")
Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/sock.h | 13 +++++++++++++
net/dccp/ipv6.c | 7 ++-----
net/ipv6/tcp_ipv6.c | 10 +++-------
3 files changed, 18 insertions(+), 12 deletions(-)
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2243,6 +2243,19 @@ static inline __must_check bool skb_set_
return false;
}
+static inline struct sk_buff *skb_clone_and_charge_r(struct sk_buff *skb, struct sock *sk)
+{
+ skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
+ if (skb) {
+ if (sk_rmem_schedule(sk, skb, skb->truesize)) {
+ skb_set_owner_r(skb, sk);
+ return skb;
+ }
+ __kfree_skb(skb);
+ }
+ return NULL;
+}
+
void sk_reset_timer(struct sock *sk, struct timer_list *timer,
unsigned long expires);
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -541,11 +541,9 @@ static struct sock *dccp_v6_request_recv
*own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL);
/* Clone pktoptions received with SYN, if we own the req */
if (*own_req && ireq->pktopts) {
- newnp->pktoptions = skb_clone(ireq->pktopts, GFP_ATOMIC);
+ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk);
consume_skb(ireq->pktopts);
ireq->pktopts = NULL;
- if (newnp->pktoptions)
- skb_set_owner_r(newnp->pktoptions, newsk);
}
return newsk;
@@ -605,7 +603,7 @@ static int dccp_v6_do_rcv(struct sock *s
--ANK (980728)
*/
if (np->rxopt.all)
- opt_skb = skb_clone(skb, GFP_ATOMIC);
+ opt_skb = skb_clone_and_charge_r(skb, sk);
if (sk->sk_state == DCCP_OPEN) { /* Fast path */
if (dccp_rcv_established(sk, skb, dccp_hdr(skb), skb->len))
@@ -669,7 +667,6 @@ ipv6_pktoptions:
np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
if (ipv6_opt_accepted(sk, opt_skb,
&DCCP_SKB_CB(opt_skb)->header.h6)) {
- skb_set_owner_r(opt_skb, sk);
memmove(IP6CB(opt_skb),
&DCCP_SKB_CB(opt_skb)->header.h6,
sizeof(struct inet6_skb_parm));
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1406,14 +1406,11 @@ static struct sock *tcp_v6_syn_recv_sock
/* Clone pktoptions received with SYN, if we own the req */
if (ireq->pktopts) {
- newnp->pktoptions = skb_clone(ireq->pktopts,
- sk_gfp_mask(sk, GFP_ATOMIC));
+ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk);
consume_skb(ireq->pktopts);
ireq->pktopts = NULL;
- if (newnp->pktoptions) {
+ if (newnp->pktoptions)
tcp_v6_restore_cb(newnp->pktoptions);
- skb_set_owner_r(newnp->pktoptions, newsk);
- }
}
} else {
if (!req_unhash && found_dup_sk) {
@@ -1481,7 +1478,7 @@ static int tcp_v6_do_rcv(struct sock *sk
--ANK (980728)
*/
if (np->rxopt.all)
- opt_skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
+ opt_skb = skb_clone_and_charge_r(skb, sk);
if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
struct dst_entry *dst;
@@ -1563,7 +1560,6 @@ ipv6_pktoptions:
if (np->repflow)
np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
if (ipv6_opt_accepted(sk, opt_skb, &TCP_SKB_CB(opt_skb)->header.h6)) {
- skb_set_owner_r(opt_skb, sk);
tcp_v6_restore_cb(opt_skb);
opt_skb = xchg(&np->pktoptions, opt_skb);
} else {
next prev parent reply other threads:[~2023-02-20 13:55 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-20 13:36 [PATCH 5.10 00/57] 5.10.169-rc1 review Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 01/57] ASoC: Intel: sof_rt5682: always set dpcm_capture for amplifiers Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 02/57] selftests/bpf: Verify copy_register_state() preserves parent/live fields Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 03/57] ALSA: hda: Do not unset preset when cleaning up codec Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 04/57] ASoC: cs42l56: fix DT probe Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 05/57] tools/virtio: fix the vringh test for virtio ring changes Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 06/57] net/rose: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 07/57] net: stmmac: do not stop RX_CLK in Rx LPI state for qcs404 SoC Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 08/57] net: sched: sch: Bounds check priority Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 09/57] s390/decompressor: specify __decompress() buf len to avoid overflow Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 10/57] nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 11/57] platform/x86: touchscreen_dmi: Add Chuwi Vi8 (CWI501) DMI match Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 12/57] nvmem: core: add error handling for dev_set_name Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 13/57] nvmem: core: remove nvmem_config wp_gpio Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 14/57] nvmem: core: fix cleanup after dev_set_name() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 15/57] nvmem: core: fix registration vs use race Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 16/57] aio: fix mremap after fork null-deref Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 17/57] [PATCH v2 1/1] s390/signal: fix endless loop in do_signal Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 18/57] ovl: remove privs in ovl_copyfile() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 19/57] ovl: remove privs in ovl_fallocate() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 20/57] netfilter: nft_tproxy: restrict to prerouting hook Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 21/57] mmc: jz4740: Work around bug on JZ4760(B) Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 22/57] mmc: sdio: fix possible resource leaks in some error paths Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 23/57] mmc: mmc_spi: fix error handling in mmc_spi_probe() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 24/57] ALSA: hda/conexant: add a new hda codec SN6180 Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 25/57] ALSA: hda/realtek - fixed wrong gpio assigned Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 26/57] sched/psi: Fix use-after-free in ep_remove_wait_queue() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 27/57] hugetlb: check for undefined shift on 32 bit architectures Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 28/57] Revert "mm: Always release pages to the buddy allocator in memblock_free_late()." Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 29/57] net: Fix unwanted sign extension in netdev_stats_to_stats64() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 30/57] revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 31/57] ixgbe: allow to increase MTU to 3K with XDP enabled Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 32/57] i40e: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 33/57] net: bgmac: fix BCM5358 support by setting correct flags Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 34/57] sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 35/57] net/sched: tcindex: update imperfect hash filters respecting rcu Greg Kroah-Hartman
2023-02-20 13:36 ` Greg Kroah-Hartman [this message]
2023-02-20 13:36 ` [PATCH 5.10 37/57] net/usb: kalmia: Dont pass act_len in usb_bulk_msg error path Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 38/57] net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 39/57] net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 40/57] bnxt_en: Fix mqprio and XDP ring checking logic Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 41/57] net: stmmac: Restrict warning on disabling DMA store and fwd mode Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 42/57] net: mpls: fix stale pointer if allocation fails during device rename Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 43/57] ixgbe: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 44/57] ipv6: Fix datagram socket connection with DSCP Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 45/57] ipv6: Fix tcp " Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 46/57] nilfs2: fix underflow in second superblock position calculations Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 47/57] drm/i915/gen11: Moving WAs to icl_gt_workarounds_init() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 48/57] drm/i915/gen11: Wa_1408615072/Wa_1407596294 should be on GT list Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 49/57] flow_offload: fill flags to action structure Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 50/57] net/sched: act_ctinfo: use percpu stats Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.10 51/57] i40e: Add checking for null for nlmsg_find_attr() Greg Kroah-Hartman
2023-02-20 13:37 ` [PATCH 5.10 52/57] net/sched: tcindex: search key must be 16 bits Greg Kroah-Hartman
2023-02-20 13:37 ` [PATCH 5.10 53/57] kvm: initialize all of the kvm_debugregs structure before sending it to userspace Greg Kroah-Hartman
2023-02-20 13:37 ` [PATCH 5.10 54/57] alarmtimer: Prevent starvation by small intervals and SIG_IGN Greg Kroah-Hartman
2023-02-20 13:37 ` [PATCH 5.10 55/57] ASoC: SOF: Intel: hda-dai: fix possible stream_tag leak Greg Kroah-Hartman
2023-02-20 13:37 ` [PATCH 5.10 56/57] net: sched: sch: Fix off by one in htb_activate_prios() Greg Kroah-Hartman
2023-02-20 13:37 ` [PATCH 5.10 57/57] nvmem: core: fix return value Greg Kroah-Hartman
2023-02-20 19:05 ` [PATCH 5.10 00/57] 5.10.169-rc1 review Pavel Machek
2023-02-21 8:03 ` Naresh Kamboju
2023-02-21 14:20 ` Jon Hunter
2023-02-21 14:58 ` Sudip Mukherjee (Codethink)
2023-02-21 16:21 ` Guenter Roeck
2023-02-21 19:54 ` Florian Fainelli
2023-02-21 23:50 ` Shuah Khan
2023-02-22 8:44 ` zhouzhixiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230220133550.603742539@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.