From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Sabrina Dubroca <sd@queasysnail.net>, netdev@vger.kernel.org
Cc: Sabrina Dubroca <sd@queasysnail.net>,
Huzaifa Sidhpurwala <huzaifas@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Pavel Begunkov <asml.silence@gmail.com>
Subject: Re: [PATCH net v3] net: gro: don't merge zcopy skbs
Date: Wed, 20 May 2026 17:38:31 -0400 [thread overview]
Message-ID: <willemdebruijn.kernel.8bb6e9bd9a42@gmail.com> (raw)
In-Reply-To: <c3b7f906bbfcbdfd7b4fa9d6c18a438870df85be.1779307748.git.sd@queasysnail.net>
Sabrina Dubroca wrote:
> skb_gro_receive() can currently copy frags between the source and GRO
> skb, without checking the zerocopy status, and in particular the
> SKBFL_MANAGED_FRAG_REFS flag.
>
> When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
> on the pages in shinfo->frags. Appending those frags to another skb's
> frags without fixing up the page refcount can lead to UAF.
>
> When either the last skb in the GRO chain (the one we would append
> frags to) or the source skb is zerocopy, don't merge the skbs.
>
> Fixes: 753f1ca4e1e5 ("net: introduce managed frags infrastructure")
> Reported-by: Huzaifa Sidhpurwala <huzaifas@redhat.com>
> Assisted-by: Claude:claude-mythos-preview
> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
> ---
> net/core/gro.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> Huzaifa has found this to be exploitable to overwrite the page cache
>
> v3: maybe no stupid mistake this time. sorry again.
> v2: as Eric suggested, don't merge those skbs
> https://lore.kernel.org/netdev/9f5afc14ea4ecd22c70d6eaf279a94d10fe29448.1779289597.git.sd@queasysnail.net/
> v1: https://lore.kernel.org/netdev/4d583fc5401298453d0a2f1b4719a15be30c8e49.1779194090.git.sd@queasysnail.net/
>
> diff --git a/net/core/gro.c b/net/core/gro.c
> index 31d21de5b15a..bae89062a053 100644
> --- a/net/core/gro.c
> +++ b/net/core/gro.c
> @@ -109,6 +109,9 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
> if (p->pp_recycle != skb->pp_recycle)
> return -ETOOMANYREFS;
>
> + if (skb_zcopy(p) || skb_zcopy(skb))
> + return -ETOOMANYREFS;
> +
As Pavel pointed out in a previous version, MSG_ZEROCOPY skbs are not
looped onto the receive path. From that PoV it's fine to add this
check as it will not match them.
What is the path that leads to managed frag skbs in the receive path?
I can believe that it exists, e.g., a page pool. But since Pavel also
brought up this question and knows the managed frag use much better
than I do.
> if (unlikely(p->len + len >= netif_get_gro_max_size(p->dev, p) ||
> NAPI_GRO_CB(skb)->flush))
> return -E2BIG;
> --
> 2.54.0
>
prev parent reply other threads:[~2026-05-20 21:38 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 20:44 [PATCH net v3] net: gro: don't merge zcopy skbs Sabrina Dubroca
2026-05-20 21:38 ` Willem de Bruijn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=willemdebruijn.kernel.8bb6e9bd9a42@gmail.com \
--to=willemdebruijn.kernel@gmail.com \
--cc=asml.silence@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=huzaifas@redhat.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox