From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Kuniyuki Iwashima <kuniyu@amazon.com>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 4.14 45/53] dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.
Date: Mon, 20 Feb 2023 14:36:11 +0100 [thread overview]
Message-ID: <20230220133549.776182474@linuxfoundation.org> (raw)
In-Reply-To: <20230220133548.158615609@linuxfoundation.org>
From: Kuniyuki Iwashima <kuniyu@amazon.com>
commit ca43ccf41224b023fc290073d5603a755fd12eed upstream.
Eric Dumazet pointed out [0] that when we call skb_set_owner_r()
for ipv6_pinfo.pktoptions, sk_rmem_schedule() has not been called,
resulting in a negative sk_forward_alloc.
We add a new helper which clones a skb and sets its owner only
when sk_rmem_schedule() succeeds.
Note that we move skb_set_owner_r() forward in (dccp|tcp)_v6_do_rcv()
because tcp_send_synack() can make sk_forward_alloc negative before
ipv6_opt_accepted() in the crossed SYN-ACK or self-connect() cases.
[0]: https://lore.kernel.org/netdev/CANn89iK9oc20Jdi_41jb9URdF210r7d1Y-+uypbMSbOfY6jqrg@mail.gmail.com/
Fixes: 323fbd0edf3f ("net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()")
Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/sock.h | 13 +++++++++++++
net/dccp/ipv6.c | 7 ++-----
net/ipv6/tcp_ipv6.c | 10 +++-------
3 files changed, 18 insertions(+), 12 deletions(-)
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2049,6 +2049,19 @@ static inline void skb_set_owner_r(struc
sk_mem_charge(sk, skb->truesize);
}
+static inline struct sk_buff *skb_clone_and_charge_r(struct sk_buff *skb, struct sock *sk)
+{
+ skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
+ if (skb) {
+ if (sk_rmem_schedule(sk, skb, skb->truesize)) {
+ skb_set_owner_r(skb, sk);
+ return skb;
+ }
+ __kfree_skb(skb);
+ }
+ return NULL;
+}
+
void sk_reset_timer(struct sock *sk, struct timer_list *timer,
unsigned long expires);
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -541,11 +541,9 @@ static struct sock *dccp_v6_request_recv
*own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL);
/* Clone pktoptions received with SYN, if we own the req */
if (*own_req && ireq->pktopts) {
- newnp->pktoptions = skb_clone(ireq->pktopts, GFP_ATOMIC);
+ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk);
consume_skb(ireq->pktopts);
ireq->pktopts = NULL;
- if (newnp->pktoptions)
- skb_set_owner_r(newnp->pktoptions, newsk);
}
return newsk;
@@ -605,7 +603,7 @@ static int dccp_v6_do_rcv(struct sock *s
--ANK (980728)
*/
if (np->rxopt.all)
- opt_skb = skb_clone(skb, GFP_ATOMIC);
+ opt_skb = skb_clone_and_charge_r(skb, sk);
if (sk->sk_state == DCCP_OPEN) { /* Fast path */
if (dccp_rcv_established(sk, skb, dccp_hdr(skb), skb->len))
@@ -669,7 +667,6 @@ ipv6_pktoptions:
np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
if (ipv6_opt_accepted(sk, opt_skb,
&DCCP_SKB_CB(opt_skb)->header.h6)) {
- skb_set_owner_r(opt_skb, sk);
memmove(IP6CB(opt_skb),
&DCCP_SKB_CB(opt_skb)->header.h6,
sizeof(struct inet6_skb_parm));
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1242,14 +1242,11 @@ static struct sock *tcp_v6_syn_recv_sock
/* Clone pktoptions received with SYN, if we own the req */
if (ireq->pktopts) {
- newnp->pktoptions = skb_clone(ireq->pktopts,
- sk_gfp_mask(sk, GFP_ATOMIC));
+ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk);
consume_skb(ireq->pktopts);
ireq->pktopts = NULL;
- if (newnp->pktoptions) {
+ if (newnp->pktoptions)
tcp_v6_restore_cb(newnp->pktoptions);
- skb_set_owner_r(newnp->pktoptions, newsk);
- }
}
} else {
if (!req_unhash && found_dup_sk) {
@@ -1317,7 +1314,7 @@ static int tcp_v6_do_rcv(struct sock *sk
--ANK (980728)
*/
if (np->rxopt.all)
- opt_skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
+ opt_skb = skb_clone_and_charge_r(skb, sk);
if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
struct dst_entry *dst;
@@ -1399,7 +1396,6 @@ ipv6_pktoptions:
if (np->repflow)
np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
if (ipv6_opt_accepted(sk, opt_skb, &TCP_SKB_CB(opt_skb)->header.h6)) {
- skb_set_owner_r(opt_skb, sk);
tcp_v6_restore_cb(opt_skb);
opt_skb = xchg(&np->pktoptions, opt_skb);
} else {
next prev parent reply other threads:[~2023-02-20 13:39 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-20 13:35 [PATCH 4.14 00/53] 4.14.306-rc1 review Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 01/53] firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 02/53] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 03/53] ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 04/53] netrom: Fix use-after-free caused by accept on already connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 05/53] squashfs: harden sanity check in squashfs_read_xattr_id_table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 06/53] sctp: do not check hb_timer.expires when resetting hb_timer Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 07/53] net: openvswitch: fix flow memory leak in ovs_flow_cmd_new Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 08/53] scsi: target: core: Fix warning on RT kernels Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 09/53] scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 10/53] net/x25: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 11/53] usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 12/53] fbcon: Check font dimension limits Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 13/53] watchdog: diag288_wdt: do not use stack buffers for hardware data Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 14/53] watchdog: diag288_wdt: fix __diag288() inline assembly Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 15/53] efi: Accept version 2 of memory attributes table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 16/53] iio: hid: fix the retval in accel_3d_capture_sample Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 17/53] iio: adc: berlin2-adc: Add missing of_node_put() in error path Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 18/53] iio:adc:twl6030: Enable measurements of VUSB, VBAT and others Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 19/53] parisc: Fix return code of pdc_iodc_print() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 20/53] parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 21/53] mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 22/53] mm/swapfile: add cond_resched() in get_swap_pages() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 23/53] Squashfs: fix handling and sanity checking of xattr_ids count Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 24/53] serial: 8250_dma: Fix DMA Rx completion race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 25/53] serial: 8250_dma: Fix DMA Rx rearm race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 26/53] btrfs: limit device extents to the device size Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 27/53] ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 28/53] ALSA: pci: lx6464es: fix a debug loop Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 29/53] pinctrl: aspeed: Fix confusing types in return value Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 30/53] pinctrl: single: fix potential NULL dereference Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 31/53] net: USB: Fix wrong-direction WARNING in plusb.c Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 32/53] usb: core: add quirk for Alcor Link AK9563 smartcard reader Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 33/53] migrate: hugetlb: check for hugetlb shared PMD in node migration Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 34/53] tools/virtio: fix the vringh test for virtio ring changes Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 35/53] net/rose: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 36/53] nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 37/53] aio: fix mremap after fork null-deref Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 38/53] Revert "x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 39/53] mmc: sdio: fix possible resource leaks in some error paths Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 40/53] ALSA: hda/conexant: add a new hda codec SN6180 Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 41/53] hugetlb: check for undefined shift on 32 bit architectures Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 42/53] revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 43/53] i40e: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 44/53] net: bgmac: fix BCM5358 support by setting correct flags Greg Kroah-Hartman
2023-02-20 13:36 ` Greg Kroah-Hartman [this message]
2023-02-20 13:36 ` [PATCH 4.14 46/53] net/usb: kalmia: Dont pass act_len in usb_bulk_msg error path Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 47/53] net: stmmac: Restrict warning on disabling DMA store and fwd mode Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 48/53] net: mpls: fix stale pointer if allocation fails during device rename Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 49/53] ipv6: Fix datagram socket connection with DSCP Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 50/53] ipv6: Fix tcp " Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 51/53] i40e: Add checking for null for nlmsg_find_attr() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 52/53] kvm: initialize all of the kvm_debugregs structure before sending it to userspace Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 53/53] nilfs2: fix underflow in second superblock position calculations Greg Kroah-Hartman
2023-02-21 12:41 ` [PATCH 4.14 00/53] 4.14.306-rc1 review Naresh Kamboju
2023-02-21 16:19 ` Guenter Roeck
2023-02-23 2:55 ` Slade Watkins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230220133549.776182474@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).