From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Kuniyuki Iwashima <kuniyu@amazon.com>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 4.19 78/89] dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.
Date: Mon, 20 Feb 2023 14:36:17 +0100 [thread overview]
Message-ID: <20230220133555.908947194@linuxfoundation.org> (raw)
In-Reply-To: <20230220133553.066768704@linuxfoundation.org>
From: Kuniyuki Iwashima <kuniyu@amazon.com>
commit ca43ccf41224b023fc290073d5603a755fd12eed upstream.
Eric Dumazet pointed out [0] that when we call skb_set_owner_r()
for ipv6_pinfo.pktoptions, sk_rmem_schedule() has not been called,
resulting in a negative sk_forward_alloc.
We add a new helper which clones a skb and sets its owner only
when sk_rmem_schedule() succeeds.
Note that we move skb_set_owner_r() forward in (dccp|tcp)_v6_do_rcv()
because tcp_send_synack() can make sk_forward_alloc negative before
ipv6_opt_accepted() in the crossed SYN-ACK or self-connect() cases.
[0]: https://lore.kernel.org/netdev/CANn89iK9oc20Jdi_41jb9URdF210r7d1Y-+uypbMSbOfY6jqrg@mail.gmail.com/
Fixes: 323fbd0edf3f ("net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()")
Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/sock.h | 13 +++++++++++++
net/dccp/ipv6.c | 7 ++-----
net/ipv6/tcp_ipv6.c | 10 +++-------
3 files changed, 18 insertions(+), 12 deletions(-)
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2134,6 +2134,19 @@ static inline void skb_set_owner_r(struc
sk_mem_charge(sk, skb->truesize);
}
+static inline struct sk_buff *skb_clone_and_charge_r(struct sk_buff *skb, struct sock *sk)
+{
+ skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
+ if (skb) {
+ if (sk_rmem_schedule(sk, skb, skb->truesize)) {
+ skb_set_owner_r(skb, sk);
+ return skb;
+ }
+ __kfree_skb(skb);
+ }
+ return NULL;
+}
+
void sk_reset_timer(struct sock *sk, struct timer_list *timer,
unsigned long expires);
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -541,11 +541,9 @@ static struct sock *dccp_v6_request_recv
*own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash), NULL);
/* Clone pktoptions received with SYN, if we own the req */
if (*own_req && ireq->pktopts) {
- newnp->pktoptions = skb_clone(ireq->pktopts, GFP_ATOMIC);
+ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk);
consume_skb(ireq->pktopts);
ireq->pktopts = NULL;
- if (newnp->pktoptions)
- skb_set_owner_r(newnp->pktoptions, newsk);
}
return newsk;
@@ -605,7 +603,7 @@ static int dccp_v6_do_rcv(struct sock *s
--ANK (980728)
*/
if (np->rxopt.all)
- opt_skb = skb_clone(skb, GFP_ATOMIC);
+ opt_skb = skb_clone_and_charge_r(skb, sk);
if (sk->sk_state == DCCP_OPEN) { /* Fast path */
if (dccp_rcv_established(sk, skb, dccp_hdr(skb), skb->len))
@@ -669,7 +667,6 @@ ipv6_pktoptions:
np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
if (ipv6_opt_accepted(sk, opt_skb,
&DCCP_SKB_CB(opt_skb)->header.h6)) {
- skb_set_owner_r(opt_skb, sk);
memmove(IP6CB(opt_skb),
&DCCP_SKB_CB(opt_skb)->header.h6,
sizeof(struct inet6_skb_parm));
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1268,14 +1268,11 @@ static struct sock *tcp_v6_syn_recv_sock
/* Clone pktoptions received with SYN, if we own the req */
if (ireq->pktopts) {
- newnp->pktoptions = skb_clone(ireq->pktopts,
- sk_gfp_mask(sk, GFP_ATOMIC));
+ newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk);
consume_skb(ireq->pktopts);
ireq->pktopts = NULL;
- if (newnp->pktoptions) {
+ if (newnp->pktoptions)
tcp_v6_restore_cb(newnp->pktoptions);
- skb_set_owner_r(newnp->pktoptions, newsk);
- }
}
} else {
if (!req_unhash && found_dup_sk) {
@@ -1343,7 +1340,7 @@ static int tcp_v6_do_rcv(struct sock *sk
--ANK (980728)
*/
if (np->rxopt.all)
- opt_skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
+ opt_skb = skb_clone_and_charge_r(skb, sk);
if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
struct dst_entry *dst;
@@ -1425,7 +1422,6 @@ ipv6_pktoptions:
if (np->repflow)
np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
if (ipv6_opt_accepted(sk, opt_skb, &TCP_SKB_CB(opt_skb)->header.h6)) {
- skb_set_owner_r(opt_skb, sk);
tcp_v6_restore_cb(opt_skb);
opt_skb = xchg(&np->pktoptions, opt_skb);
} else {
next prev parent reply other threads:[~2023-02-20 13:43 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-20 13:34 [PATCH 4.19 00/89] 4.19.273-rc1 review Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 01/89] firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 02/89] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 03/89] ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 04/89] netrom: Fix use-after-free caused by accept on already connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 05/89] squashfs: harden sanity check in squashfs_read_xattr_id_table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 06/89] ata: libata: Fix sata_down_spd_limit() when no link speed is reported Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 07/89] net: openvswitch: fix flow memory leak in ovs_flow_cmd_new Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 08/89] scsi: target: core: Fix warning on RT kernels Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 09/89] scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 10/89] i2c: rk3x: fix a bunch of kernel-doc warnings Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 11/89] net/x25: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 12/89] iio: adc: stm32-dfsdm: fill module aliases Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 13/89] usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 14/89] usb: dwc3: qcom: enable vbus override when in OTG dr-mode Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 15/89] usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 16/89] vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 17/89] Input: i8042 - move __initconst to fix code styling warning Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 18/89] Input: i8042 - merge quirk tables Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 19/89] Input: i8042 - add TUXEDO devices to i8042 " Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 20/89] Input: i8042 - add Clevo PCX0DX to i8042 quirk table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 21/89] nVMX x86: Check VMX-preemption timer controls on vmentry of L2 guests Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 22/89] KVM: VMX: Move VMX specific files to a "vmx" subdirectory Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 23/89] KVM: VMX: Move caching of MSR_IA32_XSS to hardware_setup() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 24/89] KVM: x86/vmx: Do not skip segment attributes if unusable bit is set Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 25/89] thermal: intel: int340x: Protect trip temperature from concurrent updates Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 26/89] fbcon: Check font dimension limits Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 27/89] watchdog: diag288_wdt: do not use stack buffers for hardware data Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 28/89] watchdog: diag288_wdt: fix __diag288() inline assembly Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 29/89] efi: Accept version 2 of memory attributes table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 30/89] iio: hid: fix the retval in accel_3d_capture_sample Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 31/89] iio: adc: berlin2-adc: Add missing of_node_put() in error path Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 32/89] iio:adc:twl6030: Enable measurements of VUSB, VBAT and others Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 33/89] parisc: Fix return code of pdc_iodc_print() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 34/89] parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 35/89] riscv: disable generation of unwind tables Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 36/89] mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 37/89] mm/swapfile: add cond_resched() in get_swap_pages() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 38/89] Squashfs: fix handling and sanity checking of xattr_ids count Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 39/89] serial: 8250_dma: Fix DMA Rx completion race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 40/89] serial: 8250_dma: Fix DMA Rx rearm race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 41/89] thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 42/89] iio:adc:twl6030: Enable measurement of VAC Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 43/89] btrfs: limit device extents to the device size Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 44/89] ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 45/89] IB/hfi1: Restore allocated resources on failed copyout Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 46/89] net: phy: add macros for PHYID matching Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 47/89] net: phy: meson-gxl: add g12a support Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 48/89] net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal PHY Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 49/89] rds: rds_rm_zerocopy_callback() use list_first_entry() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 50/89] selftests: forwarding: lib: quote the sysctl values Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 51/89] ALSA: pci: lx6464es: fix a debug loop Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 52/89] pinctrl: aspeed: Fix confusing types in return value Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 53/89] pinctrl: single: fix potential NULL dereference Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 54/89] pinctrl: intel: Convert unsigned to unsigned int Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 55/89] pinctrl: intel: Restore the pins that used to be in Direct IRQ mode Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 56/89] net: USB: Fix wrong-direction WARNING in plusb.c Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 57/89] usb: core: add quirk for Alcor Link AK9563 smartcard reader Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 58/89] usb: typec: altmodes/displayport: Fix probe pin assign check Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 59/89] riscv: Fixup race condition on PG_dcache_clean in flush_icache_pte Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.19 60/89] arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 61/89] arm64: dts: meson-axg: " Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 62/89] bpf: Always return target ifindex in bpf_fib_lookup Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 63/89] migrate: hugetlb: check for hugetlb shared PMD in node migration Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 64/89] ASoC: cs42l56: fix DT probe Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 65/89] tools/virtio: fix the vringh test for virtio ring changes Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 66/89] net/rose: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 67/89] nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 68/89] aio: fix mremap after fork null-deref Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 69/89] netfilter: nft_tproxy: restrict to prerouting hook Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 70/89] Revert "x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 71/89] mmc: sdio: fix possible resource leaks in some error paths Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 72/89] ALSA: hda/conexant: add a new hda codec SN6180 Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 73/89] ALSA: hda/realtek - fixed wrong gpio assigned Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 74/89] hugetlb: check for undefined shift on 32 bit architectures Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 75/89] revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 76/89] i40e: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 77/89] net: bgmac: fix BCM5358 support by setting correct flags Greg Kroah-Hartman
2023-02-20 13:36 ` Greg Kroah-Hartman [this message]
2023-02-20 13:36 ` [PATCH 4.19 79/89] net/usb: kalmia: Dont pass act_len in usb_bulk_msg error path Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 80/89] net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 81/89] bnxt_en: Fix mqprio and XDP ring checking logic Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 82/89] net: stmmac: Restrict warning on disabling DMA store and fwd mode Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 83/89] net: mpls: fix stale pointer if allocation fails during device rename Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 84/89] ipv6: Fix datagram socket connection with DSCP Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 85/89] ipv6: Fix tcp " Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 86/89] i40e: Add checking for null for nlmsg_find_attr() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 87/89] kvm: initialize all of the kvm_debugregs structure before sending it to userspace Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 88/89] nilfs2: fix underflow in second superblock position calculations Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.19 89/89] net: phy: meson-gxl: Add generic dummy stubs for MMD register access Greg Kroah-Hartman
2023-02-20 19:06 ` [PATCH 4.19 00/89] 4.19.273-rc1 review Pavel Machek
2023-02-21 12:27 ` Naresh Kamboju
2023-02-21 15:02 ` Sudip Mukherjee (Codethink)
2023-02-21 16:20 ` Guenter Roeck
2023-02-21 23:54 ` Shuah Khan
2023-02-22 8:51 ` zhouzhixiu
2023-02-22 14:43 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230220133555.908947194@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).