public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO
@ 2024-04-27 18:24 Felix Fietkau
  2024-04-27 18:24 ` [PATCH net 2/2] net: core: reject skb_copy(_expand) for fraglist GSO skbs Felix Fietkau
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Felix Fietkau @ 2024-04-27 18:24 UTC (permalink / raw)
  To: netdev, Roopa Prabhu, Nikolay Aleksandrov, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Lüssing
  Cc: bridge, linux-kernel

Calling skb_copy on a SKB_GSO_FRAGLIST skb is not valid, since it returns
an invalid linearized skb. This code only needs to change the ethernet
header, so pskb_copy is the right function to call here.

Fixes: 6db6f0eae605 ("bridge: multicast to unicast")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 net/bridge/br_forward.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index 7431f89e897b..d7c35f55bd69 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -266,7 +266,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb,
 	if (skb->dev == p->dev && ether_addr_equal(src, addr))
 		return;
 
-	skb = skb_copy(skb, GFP_ATOMIC);
+	skb = pskb_copy(skb, GFP_ATOMIC);
 	if (!skb) {
 		DEV_STATS_INC(dev, tx_dropped);
 		return;
-- 
2.44.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [PATCH net 2/2] net: core: reject skb_copy(_expand) for fraglist GSO skbs
  2024-04-27 18:24 [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO Felix Fietkau
@ 2024-04-27 18:24 ` Felix Fietkau
  2024-04-30 11:07 ` [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO Paolo Abeni
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Felix Fietkau @ 2024-04-27 18:24 UTC (permalink / raw)
  To: netdev, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Steffen Klassert, Willem de Bruijn
  Cc: linux-kernel

SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become
invalid. Return NULL if such an skb is passed to skb_copy or
skb_copy_expand, in order to prevent a crash on a potential later
call to skb_gso_segment.

Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 net/core/skbuff.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index b99127712e67..4096e679f61c 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2123,11 +2123,17 @@ static inline int skb_alloc_rx_flag(const struct sk_buff *skb)
 
 struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask)
 {
-	int headerlen = skb_headroom(skb);
-	unsigned int size = skb_end_offset(skb) + skb->data_len;
-	struct sk_buff *n = __alloc_skb(size, gfp_mask,
-					skb_alloc_rx_flag(skb), NUMA_NO_NODE);
+	struct sk_buff *n;
+	unsigned int size;
+	int headerlen;
+
+	if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
+		return NULL;
 
+	headerlen = skb_headroom(skb);
+	size = skb_end_offset(skb) + skb->data_len;
+	n = __alloc_skb(size, gfp_mask,
+			skb_alloc_rx_flag(skb), NUMA_NO_NODE);
 	if (!n)
 		return NULL;
 
@@ -2455,12 +2461,17 @@ struct sk_buff *skb_copy_expand(const struct sk_buff *skb,
 	/*
 	 *	Allocate the copy buffer
 	 */
-	struct sk_buff *n = __alloc_skb(newheadroom + skb->len + newtailroom,
-					gfp_mask, skb_alloc_rx_flag(skb),
-					NUMA_NO_NODE);
-	int oldheadroom = skb_headroom(skb);
 	int head_copy_len, head_copy_off;
+	struct sk_buff *n;
+	int oldheadroom;
+
+	if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
+		return NULL;
 
+	oldheadroom = skb_headroom(skb);
+	n = __alloc_skb(newheadroom + skb->len + newtailroom,
+			gfp_mask, skb_alloc_rx_flag(skb),
+			NUMA_NO_NODE);
 	if (!n)
 		return NULL;
 
-- 
2.44.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO
  2024-04-27 18:24 [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO Felix Fietkau
  2024-04-27 18:24 ` [PATCH net 2/2] net: core: reject skb_copy(_expand) for fraglist GSO skbs Felix Fietkau
@ 2024-04-30 11:07 ` Paolo Abeni
  2024-05-01  9:00 ` Nikolay Aleksandrov
  2024-05-01 10:50 ` patchwork-bot+netdevbpf
  3 siblings, 0 replies; 5+ messages in thread
From: Paolo Abeni @ 2024-04-30 11:07 UTC (permalink / raw)
  To: Felix Fietkau, netdev, Roopa Prabhu, Nikolay Aleksandrov,
	David S. Miller, Eric Dumazet, Jakub Kicinski, Linus Lüssing
  Cc: bridge, linux-kernel

On Sat, 2024-04-27 at 20:24 +0200, Felix Fietkau wrote:
> Calling skb_copy on a SKB_GSO_FRAGLIST skb is not valid, since it returns
> an invalid linearized skb. This code only needs to change the ethernet
> header, so pskb_copy is the right function to call here.
> 
> Fixes: 6db6f0eae605 ("bridge: multicast to unicast")
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
> ---
>  net/bridge/br_forward.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
> index 7431f89e897b..d7c35f55bd69 100644
> --- a/net/bridge/br_forward.c
> +++ b/net/bridge/br_forward.c
> @@ -266,7 +266,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb,
>  	if (skb->dev == p->dev && ether_addr_equal(src, addr))
>  		return;
>  
> -	skb = skb_copy(skb, GFP_ATOMIC);
> +	skb = pskb_copy(skb, GFP_ATOMIC);
>  	if (!skb) {
>  		DEV_STATS_INC(dev, tx_dropped);
>  		return;

LGTM, but let's wait a little more time for Nikolay

Acked-by: Paolo Abeni <pabeni@redhat.com>


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO
  2024-04-27 18:24 [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO Felix Fietkau
  2024-04-27 18:24 ` [PATCH net 2/2] net: core: reject skb_copy(_expand) for fraglist GSO skbs Felix Fietkau
  2024-04-30 11:07 ` [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO Paolo Abeni
@ 2024-05-01  9:00 ` Nikolay Aleksandrov
  2024-05-01 10:50 ` patchwork-bot+netdevbpf
  3 siblings, 0 replies; 5+ messages in thread
From: Nikolay Aleksandrov @ 2024-05-01  9:00 UTC (permalink / raw)
  To: Felix Fietkau, netdev, Roopa Prabhu, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Lüssing
  Cc: bridge, linux-kernel

On 27/04/2024 21:24, Felix Fietkau wrote:
> Calling skb_copy on a SKB_GSO_FRAGLIST skb is not valid, since it returns
> an invalid linearized skb. This code only needs to change the ethernet
> header, so pskb_copy is the right function to call here.
> 
> Fixes: 6db6f0eae605 ("bridge: multicast to unicast")
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
> ---
>  net/bridge/br_forward.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
> index 7431f89e897b..d7c35f55bd69 100644
> --- a/net/bridge/br_forward.c
> +++ b/net/bridge/br_forward.c
> @@ -266,7 +266,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb,
>  	if (skb->dev == p->dev && ether_addr_equal(src, addr))
>  		return;
>  
> -	skb = skb_copy(skb, GFP_ATOMIC);
> +	skb = pskb_copy(skb, GFP_ATOMIC);
>  	if (!skb) {
>  		DEV_STATS_INC(dev, tx_dropped);
>  		return;

Acked-by: Nikolay Aleksandrov <razor@blackwall.org>

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO
  2024-04-27 18:24 [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO Felix Fietkau
                   ` (2 preceding siblings ...)
  2024-05-01  9:00 ` Nikolay Aleksandrov
@ 2024-05-01 10:50 ` patchwork-bot+netdevbpf
  3 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-05-01 10:50 UTC (permalink / raw)
  To: Felix Fietkau
  Cc: netdev, roopa, razor, davem, edumazet, kuba, pabeni,
	linus.luessing, bridge, linux-kernel

Hello:

This series was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Sat, 27 Apr 2024 20:24:18 +0200 you wrote:
> Calling skb_copy on a SKB_GSO_FRAGLIST skb is not valid, since it returns
> an invalid linearized skb. This code only needs to change the ethernet
> header, so pskb_copy is the right function to call here.
> 
> Fixes: 6db6f0eae605 ("bridge: multicast to unicast")
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
> 
> [...]

Here is the summary with links:
  - [net,1/2] net: bridge: fix multicast-to-unicast with fraglist GSO
    https://git.kernel.org/netdev/net/c/59c878cbcdd8
  - [net,2/2] net: core: reject skb_copy(_expand) for fraglist GSO skbs
    https://git.kernel.org/netdev/net/c/d091e579b864

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-05-01 10:50 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-27 18:24 [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO Felix Fietkau
2024-04-27 18:24 ` [PATCH net 2/2] net: core: reject skb_copy(_expand) for fraglist GSO skbs Felix Fietkau
2024-04-30 11:07 ` [PATCH net 1/2] net: bridge: fix multicast-to-unicast with fraglist GSO Paolo Abeni
2024-05-01  9:00 ` Nikolay Aleksandrov
2024-05-01 10:50 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox