* [PATCH net 2/2] net: core: reject skb_copy(_expand) for fraglist GSO skbs
2024-04-27 18:24 [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO Felix Fietkau
@ 2024-04-27 18:24 ` Felix Fietkau
2024-04-30 11:07 ` [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO Paolo Abeni
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Felix Fietkau @ 2024-04-27 18:24 UTC
To: netdev, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Steffen Klassert, Willem de Bruijn
Cc: linux-kernel
SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become
invalid. Return NULL if such an skb is passed to skb_copy or
skb_copy_expand, in order to prevent a crash on a potential later
call to skb_gso_segment.
Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
net/core/skbuff.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index b99127712e67..4096e679f61c 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2123,11 +2123,17 @@ static inline int skb_alloc_rx_flag(const struct sk_buff *skb)
struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask)
{
- int headerlen = skb_headroom(skb);
- unsigned int size = skb_end_offset(skb) + skb->data_len;
- struct sk_buff *n = __alloc_skb(size, gfp_mask,
- skb_alloc_rx_flag(skb), NUMA_NO_NODE);
+ struct sk_buff *n;
+ unsigned int size;
+ int headerlen;
+
+ if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
+ return NULL;
+ headerlen = skb_headroom(skb);
+ size = skb_end_offset(skb) + skb->data_len;
+ n = __alloc_skb(size, gfp_mask,
+ skb_alloc_rx_flag(skb), NUMA_NO_NODE);
if (!n)
return NULL;
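Review bot: the new early `return NULL` at the top of skb_copy() cannot be told apart by callers from the existing `if (!n) return NULL;` allocation failure just below it, so a rejected SKB_GSO_FRAGLIST skb will be handled as an out-of-memory drop. Please state in the function's comment that NULL is also returned for fraglist GSO skbs and that pskb_copy() is the alternative, as patch 1/2 does for the bridge. The commit message should also say why WARN_ON_ONCE is acceptable here: if any remaining caller can be reached with a fraglist skb from received traffic, systems running with panic_on_warn turn this warning into the crash the patch sets out to prevent.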
@@ -2455,12 +2461,17 @@ struct sk_buff *skb_copy_expand(const struct sk_buff *skb,
/*
* Allocate the copy buffer
*/
- struct sk_buff *n = __alloc_skb(newheadroom + skb->len + newtailroom,
- gfp_mask, skb_alloc_rx_flag(skb),
- NUMA_NO_NODE);
- int oldheadroom = skb_headroom(skb);
int head_copy_len, head_copy_off;
+ struct sk_buff *n;
+ int oldheadroom;
+
+ if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
+ return NULL;
+ oldheadroom = skb_headroom(skb);
+ n = __alloc_skb(newheadroom + skb->len + newtailroom,
+ gfp_mask, skb_alloc_rx_flag(skb),
+ NUMA_NO_NODE);
if (!n)
return NULL;
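Review bot: the `/* Allocate the copy buffer */` comment in skb_copy_expand() now sits above the declarations and the fraglist check instead of the allocation, which moved down to `n = __alloc_skb(newheadroom + skb->len + newtailroom,`; move the comment to directly above that statement. The `WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST)` test is also duplicated verbatim in skb_copy() and skb_copy_expand(); a small shared static inline helper would keep the two from drifting and give one place to explain why linearizing such an skb is invalid.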
--
2.44.0
* Re: [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO
From: Paolo Abeni @ 2024-04-30 11:07 UTC
To: Felix Fietkau, netdev, Roopa Prabhu, Nikolay Aleksandrov,
David S. Miller, Eric Dumazet, Jakub Kicinski, Linus Lüssing
Cc: bridge, linux-kernel
On Sat, 2024-04-27 at 20:24 +0200, Felix Fietkau wrote:
> Calling skb_copy on a SKB_GSO_FRAGLIST skb is not valid, since it returns
> an invalid linearized skb. This code only needs to change the ethernet
> header, so pskb_copy is the right function to call here.
>
> Fixes: 6db6f0eae605 ("bridge: multicast to unicast")
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
> ---
> net/bridge/br_forward.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
> index 7431f89e897b..d7c35f55bd69 100644
> --- a/net/bridge/br_forward.c
> +++ b/net/bridge/br_forward.c
> @@ -266,7 +266,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb,
> if (skb->dev == p->dev && ether_addr_equal(src, addr))
> return;
>
> - skb = skb_copy(skb, GFP_ATOMIC);
> + skb = pskb_copy(skb, GFP_ATOMIC);
> if (!skb) {
> DEV_STATS_INC(dev, tx_dropped);
> return;
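Review bot: the switch to pskb_copy() in maybe_deliver_addr() relies on everything after the call writing only to the header, since the commit message's justification is that this code "only needs to change the ethernet header", yet nothing in the hunk records that constraint. A one-line comment above `skb = pskb_copy(skb, GFP_ATOMIC);` saying that the non-linear data stays shared with the original skb and must not be modified would keep a later change from writing into shared data or from going back to a full copy.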
LGTM, but let's wait a little more time for Nikolay
Acked-by: Paolo Abeni <pabeni@redhat.com>
* Re: [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO
From: Nikolay Aleksandrov @ 2024-05-01 9:00 UTC
To: Felix Fietkau, netdev, Roopa Prabhu, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Lüssing
Cc: bridge, linux-kernel
On 27/04/2024 21:24, Felix Fietkau wrote:
> Calling skb_copy on a SKB_GSO_FRAGLIST skb is not valid, since it returns
> an invalid linearized skb. This code only needs to change the ethernet
> header, so pskb_copy is the right function to call here.
>
> Fixes: 6db6f0eae605 ("bridge: multicast to unicast")
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
> ---
> net/bridge/br_forward.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
> index 7431f89e897b..d7c35f55bd69 100644
> --- a/net/bridge/br_forward.c
> +++ b/net/bridge/br_forward.c
> @@ -266,7 +266,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb,
> if (skb->dev == p->dev && ether_addr_equal(src, addr))
> return;
>
> - skb = skb_copy(skb, GFP_ATOMIC);
> + skb = pskb_copy(skb, GFP_ATOMIC);
> if (!skb) {
> DEV_STATS_INC(dev, tx_dropped);
> return;
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
* Re: [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO
From: patchwork-bot+netdevbpf @ 2024-05-01 10:50 UTC
To: Felix Fietkau
Cc: netdev, roopa, razor, davem, edumazet, kuba, pabeni,
linus.luessing, bridge, linux-kernel
Hello:
This series was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:
On Sat, 27 Apr 2024 20:24:18 +0200 you wrote:
> Calling skb_copy on a SKB_GSO_FRAGLIST skb is not valid, since it returns
> an invalid linearized skb. This code only needs to change the ethernet
> header, so pskb_copy is the right function to call here.
>
> Fixes: 6db6f0eae605 ("bridge: multicast to unicast")
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
>
> [...]
Here is the summary with links:
- [net,1/2] net: bridge: fix multicast-to-unicast with fraglist GSO
https://git.kernel.org/netdev/net/c/59c878cbcdd8
- [net,2/2] net: core: reject skb_copy(_expand) for fraglist GSO skbs
https://git.kernel.org/netdev/net/c/d091e579b864
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html