From: Pedro Falcato <pfalcato@suse.de>
To: Harry Yoo <harry@kernel.org>
Cc: Vlastimil Babka <vbabka@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
linux-hardening@vger.kernel.org, linux-mm@kvack.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Hao Li <hao.li@linux.dev>, Christoph Lameter <cl@gentwo.org>,
David Rientjes <rientjes@google.com>,
Roman Gushchin <roman.gushchin@linux.dev>,
Simon Horman <horms@kernel.org>,
Jason Xing <kerneljasonxing@gmail.com>,
Kuniyuki Iwashima <kuniyu@google.com>
Subject: Re: [PATCH 2/2] net: skb: isolate skb data area allocations into a separate bucket
Date: Thu, 4 Jun 2026 20:12:03 +0100 [thread overview]
Message-ID: <aiHIQ4ZxnMSifhmi@pedro-suse> (raw)
In-Reply-To: <6d70757a-a849-4828-89e7-f3d51bf8c9f8@kernel.org>
On Thu, Jun 04, 2026 at 02:30:34PM +0900, Harry Yoo wrote:
>
>
> On 6/3/26 3:31 AM, Pedro Falcato wrote:
> > SKB data area allocations (as done from alloc_skb()) use kmalloc().
> > These allocations can be variably sized and their contents can be more
> > or less controlled from userspace, which makes them useful for attackers
> > that want to overwrite a use-after-free'd object from the same kmalloc slab
> > (which often just requires the sizes to roughly match into the same kmalloc
> > bucket). [0] is an easy example of an exploit that uses netlink skb
> > allocation to target another similarly-sized accidentally freed object.
> >
> > While other mitigations like CONFIG_RANDOM_KMALLOC_CACHES exist, these are
> > probabilistic. Use the existing kmem buckets API to further isolate these
> > allocations in a guaranteed fashion, when CONFIG_SLAB_BUCKETS=y.
> >
> > Link: https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-4207_lts_cos_mitigation_2/docs/exploit.md [0]
> > Signed-off-by: Pedro Falcato <pfalcato@suse.de>
> > ---
> > net/core/skbuff.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> > index 44a7f8401468..1f6c6b531ece 100644
> > --- a/net/core/skbuff.c
> > +++ b/net/core/skbuff.c
> > @@ -594,6 +594,8 @@ static void *kmalloc_pfmemalloc(size_t obj_size, gfp_t flags, int node)
> > return kmalloc_node_track_caller(obj_size, flags, node);
> > }
> >
> > +static kmem_buckets *skb_data_buckets __ro_after_init;
> > +
> > /*
> > * kmalloc_reserve is a wrapper around kmalloc_node_track_caller that tells
> > * the caller if emergency pfmemalloc reserves are being used. If it is and
> > @@ -632,7 +634,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node,
> > * Try a regular allocation, when that fails and we're not entitled
> > * to the reserves, fail.
> > */
> > - obj = kmalloc_node_track_caller(obj_size,
> > + obj = kmem_buckets_alloc_node_track_caller(skb_data_buckets, obj_size,
> > flags | __GFP_NOMEMALLOC | __GFP_NOWARN,
> > node);
> > if (likely(obj))
>
> What about kmalloc_pfmemalloc()?
Good point, that looks free as well.
Sidenote: isolating kmem_cache_alloc for possibly-aliasing caches could also
be useful. skb allocation has net_hotdata.skb_small_head_cache. It doesn't merge
with anything for $raisins (odd size, plus I don't think usercopy caches are
getting merged?) but it feels too... accidental?
Maybe passing something like SLAB_NO_MERGE and making the size
standard-looking would be nice. I have a size of 704 bytes per object, and
this probably causes some weird wastage for each slab.
--
Pedro
prev parent reply other threads:[~2026-06-04 19:12 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-02 18:31 [PATCH 0/2] net: isolate SKB data area allocations Pedro Falcato
2026-06-02 18:31 ` [PATCH 1/2] mm/slab: add a node-track-caller variant for kmem buckets allocation Pedro Falcato
2026-06-04 5:19 ` Harry Yoo
2026-06-04 19:12 ` Pedro Falcato
2026-06-02 18:31 ` [PATCH 2/2] net: skb: isolate skb data area allocations into a separate bucket Pedro Falcato
[not found] ` <6d70757a-a849-4828-89e7-f3d51bf8c9f8@kernel.org>
2026-06-04 19:12 ` Pedro Falcato [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aiHIQ4ZxnMSifhmi@pedro-suse \
--to=pfalcato@suse.de \
--cc=akpm@linux-foundation.org \
--cc=cl@gentwo.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hao.li@linux.dev \
--cc=harry@kernel.org \
--cc=horms@kernel.org \
--cc=kerneljasonxing@gmail.com \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=vbabka@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox