[thirdparty/kernel/stable-queue.git] / queue-6.8 / net-core-reject-skb_copy-_expand-for-fraglist-gso-sk.patch

From 37cf3888f0008752845711f937a174dc7a622776 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Sat, 27 Apr 2024 20:24:19 +0200
Subject: net: core: reject skb_copy(_expand) for fraglist GSO skbs

From: Felix Fietkau <nbd@nbd.name>

[ Upstream commit d091e579b864fa790dd6a0cd537a22c383126681 ]

SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become
invalid. Return NULL if such an skb is passed to skb_copy or
skb_copy_expand, in order to prevent a crash on a potential later
call to skb_gso_segment.

Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/skbuff.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 71dee435d549d..570269c477549 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2014,11 +2014,17 @@ static inline int skb_alloc_rx_flag(const struct sk_buff *skb)
 
 struct sk_buff *skb_copy(const struct sk_buff *skb, gfp_t gfp_mask)
 {
-	int headerlen = skb_headroom(skb);
-	unsigned int size = skb_end_offset(skb) + skb->data_len;
-	struct sk_buff *n = __alloc_skb(size, gfp_mask,
-					skb_alloc_rx_flag(skb), NUMA_NO_NODE);
+	struct sk_buff *n;
+	unsigned int size;
+	int headerlen;
+
+	if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
+		return NULL;
 
+	headerlen = skb_headroom(skb);
+	size = skb_end_offset(skb) + skb->data_len;
+	n = __alloc_skb(size, gfp_mask,
+			skb_alloc_rx_flag(skb), NUMA_NO_NODE);
 	if (!n)
 		return NULL;
 
@@ -2346,12 +2352,17 @@ struct sk_buff *skb_copy_expand(const struct sk_buff *skb,
 	/*
 	 *	Allocate the copy buffer
 	 */
-	struct sk_buff *n = __alloc_skb(newheadroom + skb->len + newtailroom,
-					gfp_mask, skb_alloc_rx_flag(skb),
-					NUMA_NO_NODE);
-	int oldheadroom = skb_headroom(skb);
 	int head_copy_len, head_copy_off;
+	struct sk_buff *n;
+	int oldheadroom;
+
+	if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
+		return NULL;
 
+	oldheadroom = skb_headroom(skb);
+	n = __alloc_skb(newheadroom + skb->len + newtailroom,
+			gfp_mask, skb_alloc_rx_flag(skb),
+			NUMA_NO_NODE);
 	if (!n)
 		return NULL;
 
-- 
2.43.0
Commit	Line	Data
6018f1b3 SL	1	From 37cf3888f0008752845711f937a174dc7a622776 Mon Sep 17 00:00:00 2001
	2	From: Sasha Levin <sashal@kernel.org>
	3	Date: Sat, 27 Apr 2024 20:24:19 +0200
	4	Subject: net: core: reject skb_copy(_expand) for fraglist GSO skbs
	5
	6	From: Felix Fietkau <nbd@nbd.name>
	7
	8	[ Upstream commit d091e579b864fa790dd6a0cd537a22c383126681 ]
	9
	10	SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become
	11	invalid. Return NULL if such an skb is passed to skb_copy or
	12	skb_copy_expand, in order to prevent a crash on a potential later
	13	call to skb_gso_segment.
	14
	15	Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
	16	Signed-off-by: Felix Fietkau <nbd@nbd.name>
	17	Signed-off-by: David S. Miller <davem@davemloft.net>
	18	Signed-off-by: Sasha Levin <sashal@kernel.org>
	19	---
	20	net/core/skbuff.c \| 27 +++++++++++++++++++--------
	21	1 file changed, 19 insertions(+), 8 deletions(-)
	22
	23	diff --git a/net/core/skbuff.c b/net/core/skbuff.c
	24	index 71dee435d549d..570269c477549 100644
	25	--- a/net/core/skbuff.c
	26	+++ b/net/core/skbuff.c
	27	@@ -2014,11 +2014,17 @@ static inline int skb_alloc_rx_flag(const struct sk_buff *skb)
	28
	29	struct sk_buff skb_copy(const struct sk_buff skb, gfp_t gfp_mask)
	30	{
	31	- int headerlen = skb_headroom(skb);
	32	- unsigned int size = skb_end_offset(skb) + skb->data_len;
	33	- struct sk_buff *n = __alloc_skb(size, gfp_mask,
	34	- skb_alloc_rx_flag(skb), NUMA_NO_NODE);
	35	+ struct sk_buff *n;
	36	+ unsigned int size;
	37	+ int headerlen;
	38	+
	39	+ if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
	40	+ return NULL;
	41
	42	+ headerlen = skb_headroom(skb);
	43	+ size = skb_end_offset(skb) + skb->data_len;
	44	+ n = __alloc_skb(size, gfp_mask,
	45	+ skb_alloc_rx_flag(skb), NUMA_NO_NODE);
	46	if (!n)
	47	return NULL;
	48
	49	@@ -2346,12 +2352,17 @@ struct sk_buff skb_copy_expand(const struct sk_buff skb,
	50	/*
	51	* Allocate the copy buffer
	52	*/
	53	- struct sk_buff *n = __alloc_skb(newheadroom + skb->len + newtailroom,
	54	- gfp_mask, skb_alloc_rx_flag(skb),
	55	- NUMA_NO_NODE);
	56	- int oldheadroom = skb_headroom(skb);
	57	int head_copy_len, head_copy_off;
	58	+ struct sk_buff *n;
	59	+ int oldheadroom;
	60	+
	61	+ if (WARN_ON_ONCE(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST))
	62	+ return NULL;
	63
	64	+ oldheadroom = skb_headroom(skb);
65	+ n = __alloc_skb(newheadroom + skb->len + newtailroom,
66	+ gfp_mask, skb_alloc_rx_flag(skb),
67	+ NUMA_NO_NODE);
68	if (!n)
69	return NULL;
70
71	--
72	2.43.0
73