From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net] tun: fix tun_napi_alloc_frags() frag allocator
Date: Fri, 16 Feb 2018 16:21:17 -0500 (EST)
Message-ID: <20180216.162117.1787932940366763800.davem@davemloft.net>
References: <1518716586.3715.205.camel@gmail.com> <1518734835.3715.209.camel@gmail.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-8859-1
Content-Transfer-Encoding: 8BIT
Cc: mark.rutland@arm.com, netdev@vger.kernel.org, willemb@google.com, peterpenkov96@gmail.com
To: eric.dumazet@gmail.com
Return-path:
Received: from shards.monkeyblade.net ([184.105.139.130]:59156 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750727AbeBPVVT (ORCPT ); Fri, 16 Feb 2018 16:21:19 -0500
In-Reply-To: <1518734835.3715.209.camel@gmail.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Eric Dumazet
Date: Thu, 15 Feb 2018 14:47:15 -0800

> From: Eric Dumazet
>
> While fuzzing arm64 v4.16-rc1 with Syzkaller, I've been hitting a
> misaligned atomic in __skb_clone:
>
>         atomic_inc(&(skb_shinfo(skb)->dataref));
>
> where dataref doesn't have the required natural alignment, and the
> atomic operation faults. e.g. I often see it aligned to a single
> byte boundary rather than a four byte boundary.
>
> AFAICT, the skb_shared_info is misaligned at the instant it's
> allocated in __napi_alloc_skb()
>
> Problem is caused by tun_napi_alloc_frags() using
> napi_alloc_frag() with user provided seg sizes,
> leading to other users of this API getting unaligned
> page fragments.
>
> Since we would like to not necessarily add paddings or alignments to
> the frags that tun_napi_alloc_frags() attaches to the skb, switch to
> another page frag allocator.
>
> As a bonus skb_page_frag_refill() can use GFP_KERNEL allocations,
> meaning that we can not deplete memory reserves as easily.
>
> Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
> Signed-off-by: Eric Dumazet
> Reported-by: Mark Rutland
> Tested-by: Mark Rutland

Applied and queued up for -stable, thanks Eric.
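The mechanism the commit message describes, shown as an added illustration that is not part of the patch or of the kernel tree: a toy bump-style fragment cache (the names `frag_cache`, `frag_alloc`, `shinfo_stub`, `SKB_LEN` and the page and cache-line sizes are all constructed for this example) hands out fragments from the tail of one page by moving an offset downwards, so a fragment starts wherever the previous request ended. When one caller asks for a user-chosen odd size from the shared cache, the next caller's skb-style allocation, which places its shared-info structure at an offset rounded relative to the fragment start, ends up with a misaligned `dataref`. Giving the user-sized requests their own cache, which is the shape of the fix, keeps the shared cache's fragments aligned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constants: a 4 KiB page and a 64-byte cache line. */
#define PAGE_SZ          4096
#define SMP_CACHE_BYTES  64
#define ALIGN_UP(x, a)   (((x) + (a) - 1) & ~((size_t)(a) - 1))

/* Toy page-fragment cache (hypothetical; not the kernel's page_frag code).
 * It carves fragments from the end of a page by moving an offset down, so
 * every fragment starts where the previous one ended: the cache itself
 * guarantees no alignment at all. */
struct frag_cache {
    unsigned char *page;
    size_t offset;
};

static void frag_cache_init(struct frag_cache *c, unsigned char *page)
{
    c->page = page;
    c->offset = PAGE_SZ;
}

static void *frag_alloc(struct frag_cache *c, size_t fragsz)
{
    if (fragsz > c->offset)
        return NULL;
    c->offset -= fragsz;
    return c->page + c->offset;
}

/* Stand-in for skb_shared_info: dataref is the field that __skb_clone()
 * bumps with atomic_inc(), which needs natural (4-byte) alignment. */
struct shinfo_stub {
    unsigned char other_fields[16];
    int dataref;
};

/* Mimics the layout __napi_alloc_skb() produces: the shared info sits after
 * the data area rounded up to SMP_CACHE_BYTES. The rounding is relative to
 * the fragment start, so a misaligned fragment yields a misaligned shinfo. */
#define SKB_LEN        100
#define SKB_FRAG_SIZE  (ALIGN_UP(SKB_LEN, SMP_CACHE_BYTES) + sizeof(struct shinfo_stub))

static unsigned dataref_misalignment(void *frag)
{
    unsigned char *data = frag;
    struct shinfo_stub *si =
        (struct shinfo_stub *)(data + ALIGN_UP(SKB_LEN, SMP_CACHE_BYTES));
    return (unsigned)((uintptr_t)&si->dataref % 4);
}

/* Page-aligned backing stores so the arithmetic below is deterministic. */
static _Alignas(PAGE_SZ) unsigned char shared_page[PAGE_SZ];
static _Alignas(PAGE_SZ) unsigned char private_page[PAGE_SZ];

/* The bug: a user-sized fragment is taken from the shared cache, and the next
 * skb-style allocation from the same cache inherits the odd start offset.
 * Returns (&dataref % 4); 0 means correctly aligned. */
unsigned misalignment_with_shared_cache(size_t user_fragsz)
{
    struct frag_cache shared;
    frag_cache_init(&shared, shared_page);

    (void)frag_alloc(&shared, user_fragsz);              /* user-chosen size */
    void *skb_frag = frag_alloc(&shared, SKB_FRAG_SIZE);  /* another NAPI user */
    return dataref_misalignment(skb_frag);
}

/* The fix's shape: user-sized fragments come from a private cache, so the
 * shared cache only ever serves well-formed skb requests. */
unsigned misalignment_with_private_cache(size_t user_fragsz)
{
    struct frag_cache shared, tun_private;
    frag_cache_init(&shared, shared_page);
    frag_cache_init(&tun_private, private_page);

    (void)frag_alloc(&tun_private, user_fragsz);         /* private cache */
    void *skb_frag = frag_alloc(&shared, SKB_FRAG_SIZE);
    return dataref_misalignment(skb_frag);
}

int main(void)
{
    printf("shared cache, user fragsz 1:  dataref %% 4 = %u\n",
           misalignment_with_shared_cache(1));
    printf("private cache, user fragsz 1: dataref %% 4 = %u\n",
           misalignment_with_private_cache(1));
    return 0;
}
```

With a 1-byte user fragment taken first, the shared-cache case leaves `dataref` three bytes past a 4-byte boundary, which is the single-byte alignment the report describes; the same request served from a private cache leaves the shared cache's next fragment page-aligned and `dataref` naturally aligned.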