From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 763A93D669D; Tue, 16 Jun 2026 18:39:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781635163; cv=none; b=uYFeAQ/HDX7Gtko6qhEgu8tQSoEMabbU1twVpjEACfuK+H5lU+/mJ3PXLxv8P77q9vzGbK1kXsBCWll0Lzx4cZDu8JVmMN6xTb2fxEDlM3CW9lfG+2TF/tWrMIVrL+YOMXJcek4FMIFGlkyml0Kbk9P5Gt1VQOV92an6Tp8E+Mo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781635163; c=relaxed/simple; bh=lxc91tWlr8LnTSbHz0krrCNDmlliIhgL6s7H33BoPuQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=QLCcqUXRsmPP5uCCz+p+AcYMpytoalTYq/m3oPUvdPD1YPttRM5/ycuSUNa2OCTG6yU9GG0NBV7ktzJX3xfzcSWAjoIIM7pv84a//PQNw+SQOLYkLUJn+MRBuzocHSKmgqn3rc7LoeBNA8oS7/inEeyPMAumfP2n/LXLGrKfSh0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=Y0/9ap5M; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="Y0/9ap5M" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7AA841F000E9; Tue, 16 Jun 2026 18:39:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1781635162; bh=BikgtaG1LiJ8D3QhEp6SNiD7D1Qi1O0sfdL9bGJCYKk=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=Y0/9ap5MChsCanv6CGgWW5JGxlOQEadgIidK3vn9JZ8xgxFNkFWYlBUs7lkwBjt9Y e1gwWkLYYseEG8vdHSpOydCIZu0VmDQLqctUcc9l23TdJ8x3SoFZmoD741iaM0v0o/ Dp2SEo4gE3Zvnz0t+3pm/ix+Hk+yLw+VdUBhH/x8= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Minh Nguyen , Willem de Bruijn , Paolo Abeni , Sasha Levin Subject: [PATCH 5.15 369/411] net: skbuff: fix missing zerocopy reference in pskb_carve helpers Date: Tue, 16 Jun 2026 20:30:07 +0530 Message-ID: <20260616145120.939704891@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260616145100.376842714@linuxfoundation.org> References: <20260616145100.376842714@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Minh Nguyen [ Upstream commit 98d0912e9f841e5529a5b89a972805f34cb1c69d ] pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy the old skb_shared_info header into a new buffer via memcpy(), which includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs. Neither function calls net_zcopy_get() for the new shinfo, creating an unaccounted holder: every skb_shared_info with destructor_arg set will call skb_zcopy_clear() once when freed, but the corresponding net_zcopy_get() was never called for the new copy. Repeated calls drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while TX skbs still hold live destructor_arg pointers. KASAN reports use-after-free on a freed ubuf_info_msgzc: BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810 Read of size 8 at addr ffff88801574d3e8 by task poc/220 Call Trace: skb_release_data+0x77b/0x810 kfree_skb_list_reason+0x13e/0x610 skb_release_data+0x4cd/0x810 sk_skb_reason_drop+0xf3/0x340 skb_queue_purge_reason+0x282/0x440 rds_tcp_inc_free+0x1e/0x30 rds_recvmsg+0x354/0x1780 __sys_recvmsg+0xdf/0x180 Allocated by task 219: msg_zerocopy_realloc+0x157/0x7b0 tcp_sendmsg_locked+0x2892/0x3ba0 Freed by task 219: ip_recv_error+0x74a/0xb10 tcp_recvmsg+0x475/0x530 The skb consuming the late access still referenced the same uarg via shinfo->destructor_arg copied by pskb_carve_inside_nonlinear() without a refcount bump. This has been verified to be reliably exploitable: a working proof-of-concept achieves full root privilege escalation from an unprivileged local user on a default kernel configuration. The fix follows the pattern of pskb_expand_head() which has the same memcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get() is placed after skb_orphan_frags() succeeds, so the orphan error path needs no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is placed after all failure points and just before skb_release_data(), so no error path needs cleanup at all -- matching pskb_expand_head() more closely and avoiding the need for a balancing net_zcopy_put(). Fixes: 6fa01ccd8830 ("skbuff: Add pskb_extract() helper function") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-sonnet-4-6 Signed-off-by: Minh Nguyen Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/20260526041240.329462-1-minhnguyen.080505@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/core/skbuff.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -6256,6 +6256,8 @@ static int pskb_carve_inside_header(stru kfree(data); return -ENOMEM; } + if (skb_zcopy(skb)) + net_zcopy_get(skb_zcopy(skb)); for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) skb_frag_ref(skb, i); if (skb_has_frag_list(skb)) @@ -6404,6 +6406,8 @@ static int pskb_carve_inside_nonlinear(s kfree(data); return -ENOMEM; } + if (skb_zcopy(skb)) + net_zcopy_get(skb_zcopy(skb)); skb_release_data(skb); skb->head = data;