From: Jakub Kicinski <kuba@kernel.org>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, edumazet@google.com, pabeni@redhat.com,
andrew+netdev@lunn.ch, horms@kernel.org, shuah@kernel.org,
linux-kselftest@vger.kernel.org, Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH net 08/12] net: shaper: fix undersized reply skb allocation in GROUP command
Date: Tue, 5 May 2026 17:06:24 -0700
Message-ID: <20260506000628.1501691-9-kuba@kernel.org>
In-Reply-To: <20260506000628.1501691-1-kuba@kernel.org>

net_shaper_group_send_reply() writes both the NET_SHAPER_A_IFINDEX
attribute (via net_shaper_fill_binding()) and the nested
NET_SHAPER_A_HANDLE attribute (via net_shaper_fill_handle()), but
the reply skb at the call site in net_shaper_nl_group_doit() is
allocated using net_shaper_handle_size(), which only accounts for
the nested handle.

The allocation is therefore short by nla_total_size(sizeof(u32))
(8 bytes) for the IFINDEX attribute. In practice the slab allocator
rounds up the small allocation so the bug is latent, but the size
accounting is wrong and could bite if the reply grew further.

Introduce net_shaper_group_reply_size() that accounts for the full
reply payload and use it both at the genlmsg_new() call site and in
the defensive WARN_ONCE message.

Fixes: 5d5d4700e75d ("net-shapers: implement NL group operation")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
net/shaper/shaper.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c
index 2ba397fa3bfd..10d76f7148bf 100644
--- a/net/shaper/shaper.c
+++ b/net/shaper/shaper.c
@@ -90,6 +90,12 @@ static int net_shaper_handle_size(void)
nla_total_size(sizeof(u32)));
}
+static int net_shaper_group_reply_size(void)
+{
+ return nla_total_size(sizeof(u32)) + /* NET_SHAPER_A_IFINDEX */
+ net_shaper_handle_size(); /* NET_SHAPER_A_HANDLE */
+}
+
static int net_shaper_fill_binding(struct sk_buff *msg,
const struct net_shaper_binding *binding,
u32 type)
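Review bot: net_shaper_group_reply_size() carries no stated link to the function whose output it sizes, so a later attribute added to the GROUP reply can reintroduce the same shortfall. The per-term comments naming NET_SHAPER_A_IFINDEX and NET_SHAPER_A_HANDLE are helpful; add a one-line comment above the helper saying it must match what net_shaper_group_send_reply() puts in the message.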
@@ -1225,7 +1231,7 @@ static int net_shaper_group_send_reply(struct net_shaper_binding *binding,
free_msg:
/* Should never happen as msg is pre-allocated with enough space. */
WARN_ONCE(true, "calculated message payload length (%d)",
- net_shaper_handle_size());
+ net_shaper_group_reply_size());
nlmsg_free(msg);
return -EMSGSIZE;
}
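Review bot: in the free_msg path the WARN_ONCE argument is the return value of net_shaper_group_reply_size(), which takes no arguments and is the same on every call, so the splat says nothing about what the failed fill actually needed. Since this line is being touched anyway, consider rewording the message to say that the GROUP reply did not fit in the pre-allocated skb, so the warning is understandable without reading the source.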
@@ -1273,7 +1279,7 @@ int net_shaper_nl_group_doit(struct sk_buff *skb, struct genl_info *info)
/* Prepare the msg reply in advance, to avoid device operation
* rollback on allocation failure.
*/
- msg = genlmsg_new(net_shaper_handle_size(), GFP_KERNEL);
+ msg = genlmsg_new(net_shaper_group_reply_size(), GFP_KERNEL);
if (!msg) {
ret = -ENOMEM;
goto free_leaves;
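Review bot: the comment above genlmsg_new() explains why the reply is allocated early but not what the size has to cover, and that omission is what this hunk corrects. Because the allocation is made up front to avoid a device operation rollback, a shortfall here would only surface later as -EMSGSIZE from net_shaper_group_send_reply(); extend the comment to say the size must cover the whole reply (IFINDEX plus the nested handle), not just the handle.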
--
2.54.0