From: Christoph Paasch <christoph.paasch@gmail.com>
To: Vasily Averin <vvs@virtuozzo.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
David Ahern <dsahern@kernel.org>,
Jakub Kicinski <kuba@kernel.org>, netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
kernel@openvz.org, Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
Julian Wiedmann <jwi@linux.ibm.com>
Subject: Re: [PATCH net-next v4] skb_expand_head() adjust skb->truesize incorrectly
Date: Wed, 1 Sep 2021 09:58:27 -0700 [thread overview]
Message-ID: <CALMXkpYB6bJQ4c7CNx4mdjfNtYxnLDCN5DXgh0A4RUUUkD69Jw@mail.gmail.com> (raw)
In-Reply-To: <ee5b763a-c39d-80fd-3dd4-bca159b5f5ac@virtuozzo.com>
Hello,
On Wed, Sep 1, 2021 at 1:12 AM Vasily Averin <vvs@virtuozzo.com> wrote:
>
> Christoph Paasch reports [1] about incorrect skb->truesize
> after skb_expand_head() call in ip6_xmit.
> This may happen because of two reasons:
> - skb_set_owner_w() for newly cloned skb is called too early,
> before pskb_expand_head() where truesize is adjusted for (!skb-sk) case.
> - pskb_expand_head() does not adjust truesize in (skb->sk) case.
> In this case sk->sk_wmem_alloc should be adjusted too.
>
> [1] https://lkml.org/lkml/2021/8/20/1082
>
> Fixes: f1260ff15a71 ("skbuff: introduce skb_expand_head()")
> Reported-by: Christoph Paasch <christoph.paasch@gmail.com>
> Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
> ---
> v4: decided to use is_skb_wmem() after pskb_expand_head() call
> fixed 'return (EXPRESSION);' in os_skb_wmem according to Eric Dumazet
> v3: removed __pskb_expand_head(),
> added is_skb_wmem() helper for skb with wmem-compatible destructors
> there are 2 ways to use it:
> - before pskb_expand_head(), to create skb clones
> - after successfull pskb_expand_head() to change owner on extended skb.
> v2: based on patch version from Eric Dumazet,
> added __pskb_expand_head() function, which can be forced
> to adjust skb->truesize and sk->sk_wmem_alloc.
> ---
> include/net/sock.h | 1 +
> net/core/skbuff.c | 35 ++++++++++++++++++++++++++---------
> net/core/sock.c | 8 ++++++++
> 3 files changed, 35 insertions(+), 9 deletions(-)
this introduces more issues with the syzkaller reproducer that I
shared earlier (see below for the output).
I don't have time at the moment to dig into these though - so just
sharing this as an FYI for now.
syzkaller login: [ 12.768064] cgroup: Unknown subsys name 'perf_event'
[ 12.769831] cgroup: Unknown subsys name 'net_cls'
[ 13.587819] ------------[ cut here ]------------
[ 13.588943] refcount_t: saturated; leaking memory.
[ 13.590166] WARNING: CPU: 1 PID: 1658 at lib/refcount.c:22
refcount_warn_saturate+0xce/0x1f0
[ 13.591909] Modules linked in:
[ 13.592595] CPU: 1 PID: 1658 Comm: syz-executor Not tainted
5.14.0ea78abdd8ff18baaea3211eabdd6a2a88169cfd6 #134
[ 13.594455] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 13.596640] RIP: 0010:refcount_warn_saturate+0xce/0x1f0
[ 13.597651] Code: 1d 32 63 11 02 31 ff 89 de e8 1e 26 79 ff 84 db
75 d8 e8 b5 1e 79 ff 48 c7 c7 80 48 32 83 c6 05 12 63 11 02 01 e8 2f
39
[ 13.601049] RSP: 0018:ffffc9000091f2a8 EFLAGS: 00010286
[ 13.602077] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 13.603477] RDX: ffff888100fa2880 RSI: ffffffff8121e533 RDI: fffff52000123e47
[ 13.604758] RBP: ffff88810b88013c R08: 0000000000000001 R09: 0000000000000000
[ 13.606110] R10: ffffffff814135db R11: 0000000000000000 R12: ffff88810b880000
[ 13.607421] R13: 00000000fffffe03 R14: ffff8881094c97c0 R15: ffff88810b88013c
[ 13.608874] FS: 00007f8ad457d700(0000) GS:ffff88811b480000(0000)
knlGS:0000000000000000
[ 13.610515] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 13.611671] CR2: 0000000000000000 CR3: 00000001045d8000 CR4: 00000000000006e0
[ 13.613017] Call Trace:
[ 13.613521] skb_expand_head+0x35a/0x470
[ 13.614331] ip6_xmit+0x105f/0x1560
[ 13.615038] ? ip6_forward+0x22b0/0x22b0
[ 13.616011] ? ip6_dst_check+0x227/0x540
[ 13.616773] ? rt6_check_expired+0x250/0x250
[ 13.617657] ? __sk_dst_check+0xfb/0x200
[ 13.618424] ? inet6_csk_route_socket+0x59e/0x980
[ 13.619377] ? inet6_csk_addr2sockaddr+0x2a0/0x2a0
[ 13.620399] ? stack_trace_consume_entry+0x160/0x160
[ 13.621530] inet6_csk_xmit+0x2b3/0x430
[ 13.622290] ? kasan_save_stack+0x32/0x40
[ 13.623133] ? kasan_save_stack+0x1b/0x40
[ 13.623939] ? inet6_csk_route_socket+0x980/0x980
[ 13.624802] ? entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 13.625786] ? csum_ipv6_magic+0x26/0x70
[ 13.626653] ? inet6_csk_route_socket+0x980/0x980
[ 13.627480] __tcp_transmit_skb+0x186e/0x35d0
[ 13.628358] ? __tcp_select_window+0xa50/0xa50
[ 13.629153] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 13.630130] ? kasan_unpoison+0x23/0x50
[ 13.630872] ? __build_skb_around+0x241/0x300
[ 13.631667] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 13.632785] ? __alloc_skb+0x180/0x360
[ 13.633545] __tcp_send_ack.part.0+0x3da/0x650
[ 13.634333] tcp_send_ack+0x7d/0xa0
[ 13.635031] __tcp_ack_snd_check+0x156/0x8c0
[ 13.635957] tcp_rcv_established+0x1733/0x1d30
[ 13.636889] ? tcp_data_queue+0x4af0/0x4af0
[ 13.637753] tcp_v6_do_rcv+0x438/0x1380
[ 13.638523] __release_sock+0x1ad/0x310
[ 13.639306] release_sock+0x54/0x1a0
[ 13.640029] ? tcp_sendmsg_locked+0x2ee0/0x2ee0
[ 13.640953] tcp_sendmsg+0x36/0x40
[ 13.641710] inet6_sendmsg+0xb5/0x140
[ 13.642359] ? inet6_ioctl+0x2a0/0x2a0
[ 13.643092] ____sys_sendmsg+0x3b5/0x970
[ 13.643834] ? sock_release+0x1b0/0x1b0
[ 13.644593] ? __ia32_sys_recvmmsg+0x290/0x290
[ 13.645505] ? futex_wait_setup+0x2e0/0x2e0
[ 13.646350] ___sys_sendmsg+0xff/0x170
[ 13.647084] ? hash_futex+0x12/0x1f0
[ 13.647870] ? sendmsg_copy_msghdr+0x160/0x160
[ 13.648691] ? asm_exc_page_fault+0x1e/0x30
[ 13.649475] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 13.650523] ? __fget_files+0x1c2/0x2a0
[ 13.651245] ? __fget_light+0xea/0x270
[ 13.652027] ? sockfd_lookup_light+0xc3/0x170
[ 13.652845] __sys_sendmmsg+0x192/0x440
[ 13.653622] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 13.654365] ? vfs_fileattr_set+0xb80/0xb80
[ 13.655085] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 13.656175] ? alloc_file_pseudo+0x1/0x250
[ 13.657026] ? sock_ioctl+0x1bb/0x670
[ 13.657861] ? __do_sys_futex+0xe7/0x3d0
[ 13.658697] ? __do_sys_futex+0xe7/0x3d0
[ 13.659379] ? __do_sys_futex+0xf0/0x3d0
[ 13.660090] ? __restore_fpregs_from_fpstate+0xa9/0xf0
[ 13.661212] ? fpregs_mark_activate+0x130/0x130
[ 13.662078] ? do_futex+0x1be0/0x1be0
[ 13.662846] __x64_sys_sendmmsg+0x98/0x100
[ 13.663706] ? syscall_exit_to_user_mode+0x1d/0x40
[ 13.664698] do_syscall_64+0x3b/0x90
[ 13.665450] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 13.666564] RIP: 0033:0x7f8ad3e8c469
[ 13.667204] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24
08
[ 13.670776] RSP: 002b:00007f8ad457cda8 EFLAGS: 00000246 ORIG_RAX:
0000000000000133
[ 13.672208] RAX: ffffffffffffffda RBX: 0000000000000133 RCX: 00007f8ad3e8c469
[ 13.673598] RDX: 0000000000000003 RSI: 00000000200008c0 RDI: 0000000000000003
[ 13.674946] RBP: 0000000000000133 R08: 0000000000000000 R09: 0000000000000000
[ 13.676397] R10: 0000000040044040 R11: 0000000000000246 R12: 000000000069bf8c
[ 13.677876] R13: 00007ffe38506fef R14: 00007f8ad455d000 R15: 0000000000000003
[ 13.679129] ---[ end trace 55e20198e13af26c ]---
[ 13.680043] ------------[ cut here ]------------
[ 13.681049] refcount_t: underflow; use-after-free.
[ 13.682005] WARNING: CPU: 1 PID: 1658 at lib/refcount.c:28
refcount_warn_saturate+0x103/0x1f0
[ 13.683658] Modules linked in:
[ 13.684246] CPU: 1 PID: 1658 Comm: syz-executor Tainted: G W
5.14.0ea78abdd8ff18baaea3211eabdd6a2a88169cfd6 #134
[ 13.686321] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 13.688388] RIP: 0010:refcount_warn_saturate+0x103/0x1f0
[ 13.689502] Code: 1d fb 62 11 02 31 ff 89 de e8 e9 25 79 ff 84 db
75 a3 e8 80 1e 79 ff 48 c7 c7 80 49 32 83 c6 05 db 62 11 02 01 e8 fa
34
[ 13.692805] RSP: 0018:ffffc9000091eff8 EFLAGS: 00010286
[ 13.693756] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 13.695193] RDX: ffff888100fa2880 RSI: ffffffff8121e533 RDI: fffff52000123df1
[ 13.696696] RBP: ffff88810b88013c R08: 0000000000000001 R09: 0000000000000000
[ 13.697982] R10: ffffffff814135db R11: 0000000000000000 R12: ffff88810b88013c
[ 13.699291] R13: 00000000fffffe02 R14: ffff8881011a4c00 R15: ffff8881094c97c0
[ 13.700576] FS: 00007f8ad457d700(0000) GS:ffff88811b480000(0000)
knlGS:0000000000000000
[ 13.702031] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 13.703134] CR2: 0000000000000000 CR3: 00000001045d8000 CR4: 00000000000006e0
[ 13.704525] Call Trace:
[ 13.704973] __sock_wfree+0xec/0x110
[ 13.705737] ? sock_wfree+0x240/0x240
[ 13.706406] loopback_xmit+0x126/0x4b0
[ 13.707278] ? refcount_warn_saturate+0xce/0x1f0
[ 13.708208] dev_hard_start_xmit+0x16c/0x5c0
[ 13.709116] __dev_queue_xmit+0x1679/0x2970
[ 13.709912] ? netdev_core_pick_tx+0x2d0/0x2d0
[ 13.710758] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 13.711846] ? report_bug+0x38/0x210
[ 13.712656] ? handle_bug+0x3c/0x60
[ 13.713395] ? exc_invalid_op+0x14/0x40
[ 13.714119] ip6_finish_output2+0xb52/0x14c0
[ 13.715029] ip6_output+0x572/0x9e0
[ 13.715761] ? ip6_fragment+0x1f40/0x1f40
[ 13.716478] ip6_xmit+0xc6f/0x1560
[ 13.717083] ? ip6_forward+0x22b0/0x22b0
[ 13.717895] ? ip6_dst_check+0x227/0x540
[ 13.718689] ? rt6_check_expired+0x250/0x250
[ 13.719620] ? __sk_dst_check+0xfb/0x200
[ 13.720427] ? inet6_csk_route_socket+0x59e/0x980
[ 13.721408] ? inet6_csk_addr2sockaddr+0x2a0/0x2a0
[ 13.722286] ? stack_trace_consume_entry+0x160/0x160
[ 13.723186] inet6_csk_xmit+0x2b3/0x430
[ 13.723873] ? kasan_save_stack+0x32/0x40
[ 13.724682] ? kasan_save_stack+0x1b/0x40
[ 13.725422] ? inet6_csk_route_socket+0x980/0x980
[ 13.726398] ? entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 13.727478] ? csum_ipv6_magic+0x26/0x70
[ 13.728288] ? inet6_csk_route_socket+0x980/0x980
[ 13.729267] __tcp_transmit_skb+0x186e/0x35d0
[ 13.730048] ? __tcp_select_window+0xa50/0xa50
[ 13.730952] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 13.732007] ? kasan_unpoison+0x23/0x50
[ 13.732740] ? __build_skb_around+0x241/0x300
[ 13.733605] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 13.734749] ? __alloc_skb+0x180/0x360
[ 13.735506] __tcp_send_ack.part.0+0x3da/0x650
[ 13.736377] tcp_send_ack+0x7d/0xa0
[ 13.737015] __tcp_ack_snd_check+0x156/0x8c0
[ 13.737758] tcp_rcv_established+0x1733/0x1d30
[ 13.738679] ? tcp_data_queue+0x4af0/0x4af0
[ 13.739417] tcp_v6_do_rcv+0x438/0x1380
[ 13.740166] __release_sock+0x1ad/0x310
[ 13.740874] release_sock+0x54/0x1a0
[ 13.741527] ? tcp_sendmsg_locked+0x2ee0/0x2ee0
[ 13.742394] tcp_sendmsg+0x36/0x40
[ 13.743037] inet6_sendmsg+0xb5/0x140
[ 13.743752] ? inet6_ioctl+0x2a0/0x2a0
[ 13.744511] ____sys_sendmsg+0x3b5/0x970
[ 13.745325] ? sock_release+0x1b0/0x1b0
[ 13.746031] ? __ia32_sys_recvmmsg+0x290/0x290
[ 13.746914] ? futex_wait_setup+0x2e0/0x2e0
[ 13.747749] ___sys_sendmsg+0xff/0x170
[ 13.748393] ? hash_futex+0x12/0x1f0
[ 13.749036] ? sendmsg_copy_msghdr+0x160/0x160
[ 13.749972] ? asm_exc_page_fault+0x1e/0x30
[ 13.750870] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 13.751974] ? __fget_files+0x1c2/0x2a0
[ 13.752659] ? __fget_light+0xea/0x270
[ 13.753514] ? sockfd_lookup_light+0xc3/0x170
[ 13.754296] __sys_sendmmsg+0x192/0x440
[ 13.755102] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 13.755917] ? vfs_fileattr_set+0xb80/0xb80
[ 13.756692] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 13.757790] ? alloc_file_pseudo+0x1/0x250
[ 13.758675] ? sock_ioctl+0x1bb/0x670
[ 13.759341] ? __do_sys_futex+0xe7/0x3d0
[ 13.760040] ? __do_sys_futex+0xe7/0x3d0
[ 13.760762] ? __do_sys_futex+0xf0/0x3d0
[ 13.761585] ? __restore_fpregs_from_fpstate+0xa9/0xf0
[ 13.762511] ? fpregs_mark_activate+0x130/0x130
[ 13.763382] ? do_futex+0x1be0/0x1be0
[ 13.764044] __x64_sys_sendmmsg+0x98/0x100
[ 13.764831] ? syscall_exit_to_user_mode+0x1d/0x40
[ 13.765814] do_syscall_64+0x3b/0x90
[ 13.766607] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 13.767467] RIP: 0033:0x7f8ad3e8c469
[ 13.768206] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24
08
[ 13.771618] RSP: 002b:00007f8ad457cda8 EFLAGS: 00000246 ORIG_RAX:
0000000000000133
[ 13.773054] RAX: ffffffffffffffda RBX: 0000000000000133 RCX: 00007f8ad3e8c469
[ 13.774260] RDX: 0000000000000003 RSI: 00000000200008c0 RDI: 0000000000000003
[ 13.775586] RBP: 0000000000000133 R08: 0000000000000000 R09: 0000000000000000
[ 13.776909] R10: 0000000040044040 R11: 0000000000000246 R12: 000000000069bf8c
[ 13.778390] R13: 00007ffe38506fef R14: 00007f8ad455d000 R15: 0000000000000003
[ 13.779752] ---[ end trace 55e20198e13af26d ]---
[ 13.780935] ------------[ cut here ]------------
[ 13.781986] WARNING: CPU: 0 PID: 1658 at net/core/skbuff.c:5429
skb_try_coalesce+0x1019/0x12c0
[ 13.783740] Modules linked in:
[ 13.784398] CPU: 0 PID: 1658 Comm: syz-executor Tainted: G W
5.14.0ea78abdd8ff18baaea3211eabdd6a2a88169cfd6 #134
[ 13.786692] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 13.788958] RIP: 0010:skb_try_coalesce+0x1019/0x12c0
[ 13.789930] Code: 24 20 bf 01 00 00 00 8b 40 20 44 0f b7 f0 44 89
f6 e8 0b 2b cf fe 41 83 ee 01 0f 85 01 f3 ff ff e9 42 f6 ff ff e8 67
2c
[ 13.793371] RSP: 0018:ffffc9000091f530 EFLAGS: 00010293
[ 13.794316] RAX: 0000000000000000 RBX: 0000000000000c00 RCX: 0000000000000000
[ 13.795688] RDX: ffff888100fa2880 RSI: ffffffff826767a9 RDI: 0000000000000003
[ 13.797093] RBP: ffff888109496de0 R08: 0000000000000c00 R09: 0000000000000000
[ 13.798381] R10: ffffffff82676122 R11: 0000000000000000 R12: ffff888100efc0e0
[ 13.799766] R13: ffff8881046baac0 R14: 0000000000001000 R15: ffff888100efc156
[ 13.801052] FS: 00007f8ad457d700(0000) GS:ffff88811b400000(0000)
knlGS:0000000000000000
[ 13.802463] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 13.803603] CR2: 00007f83d8028000 CR3: 00000001045d8000 CR4: 00000000000006f0
[ 13.805079] Call Trace:
[ 13.805622] tcp_try_coalesce+0x312/0x870
[ 13.806488] ? tcp_ack_update_rtt+0xfc0/0xfc0
[ 13.807406] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 13.808483] ? tcp_try_rmem_schedule+0x99b/0x16e0
[ 13.809296] tcp_queue_rcv+0x73/0x670
[ 13.810013] tcp_data_queue+0x11e5/0x4af0
[ 13.810844] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 13.811890] ? tcp_urg+0x108/0xb60
[ 13.812536] ? tcp_data_ready+0x550/0x550
[ 13.813362] ? tcp_enter_cwr+0x3f0/0x4d0
[ 13.814148] ? __sanitizer_cov_trace_cmp4+0x1c/0x70
[ 13.815014] ? ktime_get+0xf4/0x150
[ 13.815637] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 13.816721] tcp_rcv_established+0x83a/0x1d30
[ 13.817541] ? tcp_data_queue+0x4af0/0x4af0
[ 13.818375] tcp_v6_do_rcv+0x438/0x1380
[ 13.819160] __release_sock+0x1ad/0x310
[ 13.819975] release_sock+0x54/0x1a0
[ 13.820745] ? tcp_sendmsg_locked+0x2ee0/0x2ee0
[ 13.821662] tcp_sendmsg+0x36/0x40
[ 13.822351] inet6_sendmsg+0xb5/0x140
[ 13.823115] ? inet6_ioctl+0x2a0/0x2a0
[ 13.823909] ____sys_sendmsg+0x3b5/0x970
[ 13.824720] ? sock_release+0x1b0/0x1b0
[ 13.825521] ? __ia32_sys_recvmmsg+0x290/0x290
[ 13.826441] ? futex_wait_setup+0x2e0/0x2e0
[ 13.827308] ___sys_sendmsg+0xff/0x170
[ 13.828112] ? hash_futex+0x12/0x1f0
[ 13.828853] ? sendmsg_copy_msghdr+0x160/0x160
[ 13.829804] ? asm_exc_page_fault+0x1e/0x30
[ 13.830660] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 13.831760] ? __fget_files+0x1c2/0x2a0
[ 13.832576] ? __fget_light+0xea/0x270
[ 13.833349] ? sockfd_lookup_light+0xc3/0x170
[ 13.834289] __sys_sendmmsg+0x192/0x440
[ 13.835065] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 13.835918] ? vfs_fileattr_set+0xb80/0xb80
[ 13.836823] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 13.837941] ? alloc_file_pseudo+0x1/0x250
[ 13.838810] ? sock_ioctl+0x1bb/0x670
[ 13.839550] ? __do_sys_futex+0xe7/0x3d0
[ 13.840369] ? __do_sys_futex+0xe7/0x3d0
[ 13.841205] ? __do_sys_futex+0xf0/0x3d0
[ 13.842022] ? __restore_fpregs_from_fpstate+0xa9/0xf0
[ 13.843115] ? fpregs_mark_activate+0x130/0x130
[ 13.844074] ? do_futex+0x1be0/0x1be0
[ 13.844868] __x64_sys_sendmmsg+0x98/0x100
[ 13.845725] ? syscall_exit_to_user_mode+0x1d/0x40
[ 13.846754] do_syscall_64+0x3b/0x90
[ 13.847472] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 13.848550] RIP: 0033:0x7f8ad3e8c469
[ 13.849289] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24
08
[ 13.852935] RSP: 002b:00007f8ad457cda8 EFLAGS: 00000246 ORIG_RAX:
0000000000000133
[ 13.854476] RAX: ffffffffffffffda RBX: 0000000000000133 RCX: 00007f8ad3e8c469
[ 13.855896] RDX: 0000000000000003 RSI: 00000000200008c0 RDI: 0000000000000003
[ 13.857304] RBP: 0000000000000133 R08: 0000000000000000 R09: 0000000000000000
[ 13.858756] R10: 0000000040044040 R11: 0000000000000246 R12: 000000000069bf8c
[ 13.860168] R13: 00007ffe38506fef R14: 00007f8ad455d000 R15: 0000000000000003
[ 13.861597] ---[ end trace 55e20198e13af26e ]---
>
> diff --git a/include/net/sock.h b/include/net/sock.h
> index 95b2577..173d58c 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -1695,6 +1695,7 @@ struct sk_buff *sock_wmalloc(struct sock *sk, unsigned long size, int force,
> gfp_t priority);
> void __sock_wfree(struct sk_buff *skb);
> void sock_wfree(struct sk_buff *skb);
> +bool is_skb_wmem(const struct sk_buff *skb);
> struct sk_buff *sock_omalloc(struct sock *sk, unsigned long size,
> gfp_t priority);
> void skb_orphan_partial(struct sk_buff *skb);
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index f931176..09991cb 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -1804,28 +1804,45 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, unsigned int headroom)
> struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom)
> {
> int delta = headroom - skb_headroom(skb);
> + int osize = skb_end_offset(skb);
> + struct sk_buff *oskb = NULL;
> + struct sock *sk = skb->sk;
>
> if (WARN_ONCE(delta <= 0,
> "%s is expecting an increase in the headroom", __func__))
> return skb;
>
> - /* pskb_expand_head() might crash, if skb is shared */
> + delta = SKB_DATA_ALIGN(delta);
> + /* pskb_expand_head() might crash, if skb is shared.
> + * Also we should clone skb if its destructor does
> + * not adjust skb->truesize and sk->sk_wmem_alloc
> + */
> if (skb_shared(skb)) {
> struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
>
> - if (likely(nskb)) {
> - if (skb->sk)
> - skb_set_owner_w(nskb, skb->sk);
> - consume_skb(skb);
> - } else {
> + if (unlikely(!nskb)) {
> kfree_skb(skb);
> + return NULL;
> }
> + oskb = skb;
> skb = nskb;
> }
> - if (skb &&
> - pskb_expand_head(skb, SKB_DATA_ALIGN(delta), 0, GFP_ATOMIC)) {
> + if (pskb_expand_head(skb, delta, 0, GFP_ATOMIC)) {
> kfree_skb(skb);
> - skb = NULL;
> + kfree_skb(oskb);
> + return NULL;
> + }
> + if (oskb) {
> + if (sk)
> + skb_set_owner_w(skb, sk);
> + consume_skb(oskb);
> + } else if (sk) {
> + delta = osize - skb_end_offset(skb);
> + if (!is_skb_wmem(skb))
> + skb_set_owner_w(skb, sk);
> + skb->truesize += delta;
> + if (sk_fullsock(sk))
> + refcount_add(delta, &sk->sk_wmem_alloc);
> }
> return skb;
> }
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 950f1e7..6cbda43 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -2227,6 +2227,14 @@ void skb_set_owner_w(struct sk_buff *skb, struct sock *sk)
> }
> EXPORT_SYMBOL(skb_set_owner_w);
>
> +bool is_skb_wmem(const struct sk_buff *skb)
> +{
> + return skb->destructor == sock_wfree ||
> + skb->destructor == __sock_wfree ||
> + (IS_ENABLED(CONFIG_INET) && skb->destructor == tcp_wfree);
> +}
> +EXPORT_SYMBOL(is_skb_wmem);
> +
> static bool can_skb_orphan_partial(const struct sk_buff *skb)
> {
> #ifdef CONFIG_TLS_DEVICE
> --
> 1.8.3.1
>
next prev parent reply other threads:[~2021-09-01 16:58 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1625665132.git.vvs@virtuozzo.com>
2021-07-07 14:04 ` [PATCH IPV6 1/1] ipv6: allocate enough headroom in ip6_finish_output2() Vasily Averin
2021-07-07 14:45 ` David Ahern
2021-07-07 16:42 ` Jakub Kicinski
2021-07-07 17:41 ` Eric Dumazet
2021-07-07 17:53 ` Vasily Averin
2021-07-07 18:30 ` Jakub Kicinski
2021-07-07 18:50 ` Eric Dumazet
2021-07-09 9:04 ` [PATCH IPV6 v2 0/4] " Vasily Averin
2021-07-12 6:44 ` [PATCH IPV6 v3 0/1] " Vasily Averin
[not found] ` <cover.1626069562.git.vvs@virtuozzo.com>
2021-07-12 6:45 ` [PATCH IPV6 v3 1/1] " Vasily Averin
2021-07-12 18:30 ` patchwork-bot+netdevbpf
2021-07-13 7:46 ` Vasily Averin
2021-07-13 12:01 ` [PATCH NET v4 0/1] " Vasily Averin
[not found] ` <cover.1626177047.git.vvs@virtuozzo.com>
2021-07-13 12:01 ` [PATCH NET v4 1/1] " Vasily Averin
2021-07-18 10:44 ` Vasily Averin
2021-07-18 15:22 ` David Ahern
2021-07-18 17:04 ` David Miller
2021-07-19 7:55 ` [PATCH NET] ipv6: ip6_finish_output2: set sk into newly allocated nskb Vasily Averin
2021-07-20 10:10 ` patchwork-bot+netdevbpf
2021-07-13 12:31 ` [PATCH IPV6 v3 1/1] ipv6: allocate enough headroom in ip6_finish_output2() Vasily Averin
2021-07-12 13:26 ` [PATCH NET 0/7] skbuff: introduce pskb_realloc_headroom() Vasily Averin
[not found] ` <cover.1626093470.git.vvs@virtuozzo.com>
2021-07-12 13:26 ` [PATCH NET 1/7] " Vasily Averin
2021-07-12 17:53 ` Jakub Kicinski
2021-07-12 18:45 ` Vasily Averin
2021-07-13 20:57 ` [PATCH NET v2 0/7] skbuff: introduce skb_expand_head() Vasily Averin
2021-08-02 8:52 ` [PATCH NET v3 " Vasily Averin
[not found] ` <cover.1627891754.git.vvs@virtuozzo.com>
2021-08-02 8:52 ` [PATCH NET v3 1/7] " Vasily Averin
2021-08-02 8:52 ` [PATCH NET v3 2/7] ipv6: use skb_expand_head in ip6_finish_output2 Vasily Averin
2021-08-02 8:52 ` [PATCH NET v3 3/7] ipv6: use skb_expand_head in ip6_xmit Vasily Averin
2021-08-02 8:52 ` [PATCH NET v3 4/7] ipv4: use skb_expand_head in ip_finish_output2 Vasily Averin
2021-08-02 8:52 ` [PATCH NET v3 5/7] vrf: use skb_expand_head in vrf_finish_output Vasily Averin
2021-08-05 11:55 ` Julian Wiedmann
2021-08-05 12:55 ` Vasily Averin
2021-08-06 7:49 ` [PATCH NET v4 0/7] skbuff: introduce skb_expand_head() Vasily Averin
2021-08-06 10:14 ` David Miller
2021-08-06 12:53 ` [PATCH NET] vrf: fix null pointer dereference in vrf_finish_output() Vasily Averin
2021-08-06 22:42 ` Jakub Kicinski
2021-08-07 6:41 ` Vasily Averin
[not found] ` <cover.1628235065.git.vvs@virtuozzo.com>
2021-08-06 7:49 ` [PATCH NET v4 1/7] skbuff: introduce skb_expand_head() Vasily Averin
2021-08-06 7:50 ` [PATCH NET v4 2/7] ipv6: use skb_expand_head in ip6_finish_output2 Vasily Averin
2021-08-06 7:50 ` [PATCH NET v4 3/7] ipv6: use skb_expand_head in ip6_xmit Vasily Averin
[not found] ` <CALMXkpaay1y=0tkbnskr4gf-HTMjJJsVryh4Prnej_ws-hJvBg@mail.gmail.com>
2021-08-20 22:44 ` Christoph Paasch
2021-08-21 6:21 ` Vasily Averin
2021-08-22 17:04 ` Christoph Paasch
2021-08-22 17:13 ` Christoph Paasch
2021-08-23 5:44 ` Vasily Averin
2021-08-23 5:59 ` Vasily Averin
2021-08-23 7:56 ` [PATCH NET-NEXT] ipv6: skb_expand_head() adjust skb->truesize incorrectly Vasily Averin
2021-08-23 17:25 ` Christoph Paasch
2021-08-23 21:45 ` Eric Dumazet
2021-08-23 21:51 ` Eric Dumazet
2021-08-23 22:23 ` Eric Dumazet
2021-08-24 8:50 ` Vasily Averin
2021-08-24 17:21 ` Vasily Averin
2021-08-25 17:49 ` Christoph Paasch
2021-08-29 12:59 ` [PATCH v2] " Vasily Averin
2021-08-30 5:52 ` [PATCH net-next " Vasily Averin
2021-08-30 16:01 ` [PATCH " Eric Dumazet
2021-08-30 18:09 ` Vasily Averin
2021-08-30 18:37 ` Vasily Averin
2021-08-30 19:58 ` Eric Dumazet
2021-08-31 14:34 ` [PATCH net-next v3 RFC] " Vasily Averin
2021-08-31 19:38 ` Eric Dumazet
2021-09-01 6:20 ` Vasily Averin
2021-09-01 8:11 ` [PATCH net-next v4] " Vasily Averin
2021-09-01 16:58 ` Christoph Paasch [this message]
2021-09-01 19:17 ` Eric Dumazet
2021-09-02 3:59 ` Vasily Averin
2021-09-02 4:32 ` Eric Dumazet
2021-09-02 4:48 ` Eric Dumazet
2021-09-02 7:13 ` Vasily Averin
2021-09-02 7:33 ` Vasily Averin
2021-09-02 8:31 ` Vasily Averin
2021-09-02 11:12 ` [PATCH net-next v5] " Vasily Averin
2021-09-02 15:53 ` Christoph Paasch
2021-09-02 16:32 ` Vasily Averin
2021-09-06 18:01 ` [PATCH net v6] " Vasily Averin
2021-09-06 18:03 ` Vasily Averin
2021-08-27 15:23 ` [PATCH NET-NEXT] ipv6: " Vasily Averin
2021-08-27 16:47 ` Eric Dumazet
2021-08-28 8:01 ` Vasily Averin
2021-08-06 7:50 ` [PATCH NET v4 4/7] ipv4: use skb_expand_head in ip_finish_output2 Vasily Averin
2021-08-06 7:50 ` [PATCH NET v4 5/7] vrf: use skb_expand_head in vrf_finish_output Vasily Averin
2021-08-06 7:50 ` [PATCH NET v4 6/7] ax25: use skb_expand_head Vasily Averin
2021-08-06 7:50 ` [PATCH NET v4 7/7] bpf: use skb_expand_head in bpf_out_neigh_v4/6 Vasily Averin
2021-08-02 8:52 ` [PATCH NET v3 6/7] ax25: use skb_expand_head Vasily Averin
2021-08-02 8:52 ` [PATCH NET v3 7/7] bpf: use skb_expand_head in bpf_out_neigh_v4/6 Vasily Averin
[not found] ` <cover.1626206993.git.vvs@virtuozzo.com>
2021-07-13 20:57 ` [PATCH NET v2 1/7] skbuff: introduce skb_expand_head() Vasily Averin
2021-07-13 20:58 ` [PATCH NET v2 2/7] ipv6: use skb_expand_head in ip6_finish_output2 Vasily Averin
2021-07-13 20:58 ` [PATCH NET v2 3/7] ipv6: use skb_expand_head in ip6_xmit Vasily Averin
2021-07-13 20:58 ` [PATCH NET v2 4/7] ipv4: use skb_expand_head in ip_finish_output2 Vasily Averin
2021-07-13 20:58 ` [PATCH NET v2 5/7] vrf: use skb_expand_head in vrf_finish_output Vasily Averin
2021-07-13 20:58 ` [PATCH NET v2 6/7] ax25: use skb_expand_head Vasily Averin
2021-07-13 20:58 ` [PATCH NET v2 7/7] bpf: use skb_expand_head in bpf_out_neigh_v4/6 Vasily Averin
2021-07-12 13:26 ` [PATCH NET 2/7] ipv6: use pskb_realloc_headroom in ip6_finish_output2 Vasily Averin
2021-07-12 13:26 ` [PATCH NET 3/7] ipv6: use pskb_realloc_headroom in ip6_xmit refactoring Vasily Averin
2021-07-12 13:27 ` [PATCH NET 4/7] ipv4: use pskb_realloc_headroom in ip_finish_output2 Vasily Averin
2021-07-12 13:27 ` [PATCH NET 5/7] vrf: use pskb_realloc_headroom in vrf_finish_output Vasily Averin
2021-07-12 13:27 ` [PATCH NET 6/7] ax25: use pskb_realloc_headroom Vasily Averin
2021-07-12 13:27 ` [PATCH NET 7/7] bpf: use pskb_realloc_headroom in bpf_out_neigh_v4/6 Vasily Averin
[not found] ` <cover.1625818825.git.vvs@virtuozzo.com>
2021-07-09 9:04 ` [PATCH IPV6 v2 1/4] ipv6: allocate enough headroom in ip6_finish_output2() Vasily Averin
2021-07-09 17:58 ` David Miller
2021-07-10 2:53 ` Vasily Averin
2021-07-09 9:04 ` [PATCH IPV6 v2 2/4] ipv6: use new helper skb_expand_head() in ip6_xmit() Vasily Averin
2021-07-09 9:05 ` [PATCH IPV6 v2 3/4] ipv6: ip6_finish_output2 refactoring Vasily Averin
2021-07-09 9:05 ` [PATCH IPV6 v2 4/4] ipv6: ip6_xmit refactoring Vasily Averin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALMXkpYB6bJQ4c7CNx4mdjfNtYxnLDCN5DXgh0A4RUUUkD69Jw@mail.gmail.com \
--to=christoph.paasch@gmail.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=eric.dumazet@gmail.com \
--cc=jwi@linux.ibm.com \
--cc=kernel@openvz.org \
--cc=kuba@kernel.org \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=vvs@virtuozzo.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.