[thirdparty/kernel/stable-queue.git] / releases / 5.0.10 / net-strparser-partially-revert-strparser-call-skb_unclone-conditionally.patch

From foo@baz Sat Apr 20 16:43:09 CEST 2019
From: Jakub Kicinski <jakub.kicinski@netronome.com>
Date: Wed, 10 Apr 2019 11:04:32 -0700
Subject: net: strparser: partially revert "strparser: Call skb_unclone conditionally"

From: Jakub Kicinski <jakub.kicinski@netronome.com>

[ Upstream commit 4a9c2e3746e6151fd5d077259d79ce9ca86d47d7 ]

This reverts the first part of commit 4e485d06bb8c ("strparser: Call
skb_unclone conditionally").  To build a message with multiple
fragments we need our own root of frag_list.  We can't simply
use the frag_list of orig_skb, because it will lead to linking
all orig_skbs together creating very long frag chains, and causing
stack overflow on kfree_skb() (which is called recursively on
the frag_lists).

BUG: stack guard page was hit at 00000000d40fad41 (stack is 0000000029dde9f4..000000008cce03d5)
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP
RIP: 0010:free_one_page+0x2b/0x490

Call Trace:
  __free_pages_ok+0x143/0x2c0
  skb_release_data+0x8e/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0

  [...]

  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  __kfree_skb+0xe/0x20
  tcp_disconnect+0xd6/0x4d0
  tcp_close+0xf4/0x430
  ? tcp_check_oom+0xf0/0xf0
  tls_sk_proto_close+0xe4/0x1e0 [tls]
  inet_release+0x36/0x60
  __sock_release+0x37/0xa0
  sock_close+0x11/0x20
  __fput+0xa2/0x1d0
  task_work_run+0x89/0xb0
  exit_to_usermode_loop+0x9a/0xa0
  do_syscall_64+0xc0/0xf0
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Let's leave the second unclone conditional, as I'm not entirely
sure what is its purpose :)

Fixes: 4e485d06bb8c ("strparser: Call skb_unclone conditionally")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/strparser/strparser.c |   12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

--- a/net/strparser/strparser.c
+++ b/net/strparser/strparser.c
@@ -140,13 +140,11 @@ static int __strp_recv(read_descriptor_t
 			/* We are going to append to the frags_list of head.
 			 * Need to unshare the frag_list.
 			 */
-			if (skb_has_frag_list(head)) {
-				err = skb_unclone(head, GFP_ATOMIC);
-				if (err) {
-					STRP_STATS_INCR(strp->stats.mem_fail);
-					desc->error = err;
-					return 0;
-				}
+			err = skb_unclone(head, GFP_ATOMIC);
+			if (err) {
+				STRP_STATS_INCR(strp->stats.mem_fail);
+				desc->error = err;
+				return 0;
 			}
 
 			if (unlikely(skb_shinfo(head)->frag_list)) {
Commit	Line	Data
0ee3da53 GKH	1	From foo@baz Sat Apr 20 16:43:09 CEST 2019
	2	From: Jakub Kicinski <jakub.kicinski@netronome.com>
	3	Date: Wed, 10 Apr 2019 11:04:32 -0700
	4	Subject: net: strparser: partially revert "strparser: Call skb_unclone conditionally"
	5
	6	From: Jakub Kicinski <jakub.kicinski@netronome.com>
	7
	8	[ Upstream commit 4a9c2e3746e6151fd5d077259d79ce9ca86d47d7 ]
	9
	10	This reverts the first part of commit 4e485d06bb8c ("strparser: Call
	11	skb_unclone conditionally"). To build a message with multiple
	12	fragments we need our own root of frag_list. We can't simply
	13	use the frag_list of orig_skb, because it will lead to linking
	14	all orig_skbs together creating very long frag chains, and causing
	15	stack overflow on kfree_skb() (which is called recursively on
	16	the frag_lists).
	17
	18	BUG: stack guard page was hit at 00000000d40fad41 (stack is 0000000029dde9f4..000000008cce03d5)
	19	kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP
	20	RIP: 0010:free_one_page+0x2b/0x490
	21
	22	Call Trace:
	23	__free_pages_ok+0x143/0x2c0
	24	skb_release_data+0x8e/0x140
	25	? skb_release_data+0xad/0x140
	26	kfree_skb+0x32/0xb0
	27
	28	[...]
	29
	30	skb_release_data+0xad/0x140
	31	? skb_release_data+0xad/0x140
	32	kfree_skb+0x32/0xb0
	33	skb_release_data+0xad/0x140
	34	? skb_release_data+0xad/0x140
	35	kfree_skb+0x32/0xb0
	36	skb_release_data+0xad/0x140
	37	? skb_release_data+0xad/0x140
	38	kfree_skb+0x32/0xb0
	39	skb_release_data+0xad/0x140
	40	? skb_release_data+0xad/0x140
	41	kfree_skb+0x32/0xb0
	42	skb_release_data+0xad/0x140
	43	__kfree_skb+0xe/0x20
	44	tcp_disconnect+0xd6/0x4d0
	45	tcp_close+0xf4/0x430
	46	? tcp_check_oom+0xf0/0xf0
	47	tls_sk_proto_close+0xe4/0x1e0 [tls]
	48	inet_release+0x36/0x60
	49	__sock_release+0x37/0xa0
	50	sock_close+0x11/0x20
	51	__fput+0xa2/0x1d0
	52	task_work_run+0x89/0xb0
	53	exit_to_usermode_loop+0x9a/0xa0
	54	do_syscall_64+0xc0/0xf0
	55	entry_SYSCALL_64_after_hwframe+0x44/0xa9
	56
	57	Let's leave the second unclone conditional, as I'm not entirely
	58	sure what is its purpose :)
	59
	60	Fixes: 4e485d06bb8c ("strparser: Call skb_unclone conditionally")
	61	Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
	62	Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
	63	Reviewed-by: Eric Dumazet <edumazet@google.com>
	64	Signed-off-by: David S. Miller <davem@davemloft.net>
65	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
66	---
67	net/strparser/strparser.c \| 12 +++++-------
68	1 file changed, 5 insertions(+), 7 deletions(-)
69
70	--- a/net/strparser/strparser.c
71	+++ b/net/strparser/strparser.c
72	@@ -140,13 +140,11 @@ static int __strp_recv(read_descriptor_t
73	/* We are going to append to the frags_list of head.
74	* Need to unshare the frag_list.
75	*/
76	- if (skb_has_frag_list(head)) {
77	- err = skb_unclone(head, GFP_ATOMIC);
78	- if (err) {
79	- STRP_STATS_INCR(strp->stats.mem_fail);
80	- desc->error = err;
81	- return 0;
82	- }
83	+ err = skb_unclone(head, GFP_ATOMIC);
84	+ if (err) {
85	+ STRP_STATS_INCR(strp->stats.mem_fail);
86	+ desc->error = err;
87	+ return 0;
88	}
89
90	if (unlikely(skb_shinfo(head)->frag_list)) {