From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B565033BBB9 for ; Thu, 2 Jul 2026 17:07:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.131 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783012055; cv=none; b=OUp27umOvuKbvG3vMeFZBAOm4yDCuvw3AQA95++nKFV9Tnc7kCAJfRa8mncfijjs4S9i9CEPG93QkRm8GpNUxfGY0TCS6APoBYY9sNn1gRz+ZVVHcNN5NGYkbn6MQAb2tZRz6/WmM+KafAtF4kz4/zdF3dNWO0EnknUpe4NR1u4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783012055; c=relaxed/simple; bh=F2zdOrejIvQnkAO0xZf/Vpd4zQ7u6NKC3lw97B5xC/c=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Wy81yIy7ee+CKPCtQ5EShOgghLxc8TnxfIHwl3hF2ZJWI0IbWYextGaNVqYyK9SJRNtZmC/Y9l7DaGEFY+XX+T68savdUBko2mQR9s28C1+SZ6J36Rz0oKIlYU7NytVLfBU/Fz3Ixw1Bcc/lSqXONN04dwwHN4o82TbCypOLqUs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=suse.de; spf=pass smtp.mailfrom=suse.de; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b=tfQweZZd; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b=wdsClWE2; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b=tfQweZZd; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b=wdsClWE2; arc=none smtp.client-ip=195.135.223.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=suse.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="tfQweZZd"; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="wdsClWE2"; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="tfQweZZd"; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="wdsClWE2" Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 1196075821; Thu, 2 Jul 2026 17:07:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1783012052; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Z9lWzy1veEaYSpwqXLfJuDZby+eduADIj2yeYtPyqjw=; b=tfQweZZdP0EqhQ2GIrZm+6KLdMA7MYCjXGNdtDCQ7HeYaJ3K18igyhG7wBBT7HRGPCFsBB szMcoIAYw/EgSo0Pliq0JFIjJQ/37kxttfY4yYf3dd2SAUcB+ezq8efqwpYRjQ5Q6W2PIL jzRutHl0t6Z50jFAhdTFZCpCUtgolFc= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1783012052; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Z9lWzy1veEaYSpwqXLfJuDZby+eduADIj2yeYtPyqjw=; b=wdsClWE20LPl+yBq4H/xFkJSUO/mKBDEtjW2R8ImRRhcmZ/kabecGtKISduxrgaPaKIB+s B1bd+U3aeNTO8wBQ== Authentication-Results: smtp-out2.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1783012052; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Z9lWzy1veEaYSpwqXLfJuDZby+eduADIj2yeYtPyqjw=; b=tfQweZZdP0EqhQ2GIrZm+6KLdMA7MYCjXGNdtDCQ7HeYaJ3K18igyhG7wBBT7HRGPCFsBB szMcoIAYw/EgSo0Pliq0JFIjJQ/37kxttfY4yYf3dd2SAUcB+ezq8efqwpYRjQ5Q6W2PIL jzRutHl0t6Z50jFAhdTFZCpCUtgolFc= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1783012052; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Z9lWzy1veEaYSpwqXLfJuDZby+eduADIj2yeYtPyqjw=; b=wdsClWE20LPl+yBq4H/xFkJSUO/mKBDEtjW2R8ImRRhcmZ/kabecGtKISduxrgaPaKIB+s B1bd+U3aeNTO8wBQ== Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 31AF2779AA; Thu, 2 Jul 2026 17:07:31 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id J8GPCNOaRmrYTgAAD6G6ig (envelope-from ); Thu, 02 Jul 2026 17:07:31 +0000 From: Pedro Falcato To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni Cc: Simon Horman , Jason Xing , Kuniyuki Iwashima , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, Pedro Falcato , Kees Cook Subject: [PATCH net-next v3] net: skb: isolate skb data area allocations into a separate bucket Date: Thu, 2 Jul 2026 18:07:28 +0100 Message-ID: <20260702170728.168755-1-pfalcato@suse.de> X-Mailer: git-send-email 2.54.0 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Flag: NO X-Spamd-Result: default: False [-2.80 / 50.00]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; MID_CONTAINS_FROM(1.00)[]; R_MISSING_CHARSET(0.50)[]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; FUZZY_RATELIMITED(0.00)[rspamd.com]; RCPT_COUNT_TWELVE(0.00)[12]; ARC_NA(0.00)[]; RCVD_TLS_ALL(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_VIA_SMTP_AUTH(0.00)[]; DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519]; URIBL_BLOCKED(0.00)[imap1.dmz-prg2.suse.org:helo,suse.de:email,suse.de:mid]; FROM_HAS_DN(0.00)[]; FREEMAIL_CC(0.00)[kernel.org,gmail.com,google.com,vger.kernel.org,suse.de]; TO_DN_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:email,suse.de:mid,imap1.dmz-prg2.suse.org:helo]; RCVD_COUNT_TWO(0.00)[2]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FREEMAIL_ENVRCPT(0.00)[gmail.com] X-Spam-Level: X-Spam-Score: -2.80 SKB data area allocations (as done from alloc_skb()) use kmalloc(). These allocations can be variably sized and their contents can be more or less controlled from userspace, which makes them useful for attackers that want to overwrite a use-after-free'd object from the same kmalloc slab (which often just requires the sizes to roughly match into the same kmalloc bucket). [0] is an easy example of an exploit that uses netlink skb allocation to target another similarly-sized accidentally freed object. While other mitigations like CONFIG_RANDOM_KMALLOC_CACHES exist, these are probabilistic. Use the existing kmem buckets API to further isolate these allocations in a guaranteed fashion, when CONFIG_SLAB_BUCKETS=y. Link: https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-4207_lts_cos_mitigation_2/docs/exploit.md [0] Reviewed-by: Kees Cook Acked-by: Jakub Kicinski Signed-off-by: Pedro Falcato --- v3: - rebase on net-next and resend net/core/skbuff.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 18dabb4e9cfa..9dc5a8548681 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -586,6 +586,8 @@ struct sk_buff *napi_build_skb(void *data, unsigned int frag_size) } EXPORT_SYMBOL(napi_build_skb); +static kmem_buckets *skb_data_buckets __ro_after_init; + static void *kmalloc_pfmemalloc(size_t obj_size, gfp_t flags, int node) { if (!gfp_pfmemalloc_allowed(flags)) @@ -593,7 +595,8 @@ static void *kmalloc_pfmemalloc(size_t obj_size, gfp_t flags, int node) if (!obj_size) return kmem_cache_alloc_node(net_hotdata.skb_small_head_cache, flags, node); - return kmalloc_node_track_caller(obj_size, flags, node); + return kmem_buckets_alloc_node_track_caller(skb_data_buckets, obj_size, + flags, node); } /* @@ -634,7 +637,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node, * Try a regular allocation, when that fails and we're not entitled * to the reserves, fail. */ - obj = kmalloc_node_track_caller(obj_size, + obj = kmem_buckets_alloc_node_track_caller(skb_data_buckets, obj_size, flags | __GFP_NOMEMALLOC | __GFP_NOWARN, node); if (likely(obj)) @@ -5215,6 +5218,7 @@ void __init skb_init(void) 0, SKB_SMALL_HEAD_HEADROOM, NULL); + skb_data_buckets = kmem_buckets_create("skb_data", SLAB_PANIC, 0, INT_MAX, NULL); skb_extensions_init(); } -- 2.54.0