From 97838c49bd2988a40c97500f52d13e5033429cad Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 20 Mar 2021 13:34:20 +0100
Subject: [PATCH] 5.4-stable patches

added patches:
 net-qrtr-fix-__netdev_alloc_skb-call.patch
---
 ...net-qrtr-fix-__netdev_alloc_skb-call.patch | 54 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 55 insertions(+)
 create mode 100644 queue-5.4/net-qrtr-fix-__netdev_alloc_skb-call.patch

diff --git a/queue-5.4/net-qrtr-fix-__netdev_alloc_skb-call.patch b/queue-5.4/net-qrtr-fix-__netdev_alloc_skb-call.patch
new file mode 100644
index 00000000000..08be2447196
--- /dev/null
+++ b/queue-5.4/net-qrtr-fix-__netdev_alloc_skb-call.patch
@@ -0,0 +1,54 @@
+From 093b036aa94e01a0bea31a38d7f0ee28a2749023 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Mon, 1 Mar 2021 02:22:40 +0300
+Subject: net/qrtr: fix __netdev_alloc_skb call
+
+From: Pavel Skripkin
+
+commit 093b036aa94e01a0bea31a38d7f0ee28a2749023 upstream.
+
+syzbot found WARNING in __alloc_pages_nodemask()[1] when order >= MAX_ORDER.
+It was caused by a huge length value passed from userspace to qrtr_tun_write_iter(),
+which tries to allocate skb. Since the value comes from the untrusted source
+there is no need to raise a warning in __alloc_pages_nodemask().
+
+[1] WARNING in __alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:5014
+Call Trace:
+ __alloc_pages include/linux/gfp.h:511 [inline]
+ __alloc_pages_node include/linux/gfp.h:524 [inline]
+ alloc_pages_node include/linux/gfp.h:538 [inline]
+ kmalloc_large_node+0x60/0x110 mm/slub.c:3999
+ __kmalloc_node_track_caller+0x319/0x3f0 mm/slub.c:4496
+ __kmalloc_reserve net/core/skbuff.c:150 [inline]
+ __alloc_skb+0x4e4/0x5a0 net/core/skbuff.c:210
+ __netdev_alloc_skb+0x70/0x400 net/core/skbuff.c:446
+ netdev_alloc_skb include/linux/skbuff.h:2832 [inline]
+ qrtr_endpoint_post+0x84/0x11b0 net/qrtr/qrtr.c:442
+ qrtr_tun_write_iter+0x11f/0x1a0 net/qrtr/tun.c:98
+ call_write_iter include/linux/fs.h:1901 [inline]
+ new_sync_write+0x426/0x650 fs/read_write.c:518
+ vfs_write+0x791/0xa30 fs/read_write.c:605
+ ksys_write+0x12d/0x250 fs/read_write.c:658
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Acked-by: Alexander Lobakin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/qrtr/qrtr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -264,7 +264,7 @@ int qrtr_endpoint_post(struct qrtr_endpo
+ if (len == 0 || len & 3)
+ return -EINVAL;
+ 
+- skb = netdev_alloc_skb(NULL, len);
++ skb = __netdev_alloc_skb(NULL, len, GFP_ATOMIC | __GFP_NOWARN);
+ if (!skb)
+ return -ENOMEM;
+ 
diff --git a/queue-5.4/series b/queue-5.4/series
index e37baf78df8..eb0cec8f3f6 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -24,3 +24,4 @@ nfsd-repair-misuse-of-sv_lock-in-5.10.16-rt30.patch
 svcrdma-disable-timeouts-on-rdma-backchannel.patch
 vfio-iommu_api-should-be-selected.patch
 sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch
+net-qrtr-fix-__netdev_alloc_skb-call.patch
-- 
2.47.3
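Review bot: In the queued `net/qrtr/qrtr.c` hunk, `len` still reaches `__netdev_alloc_skb()` with no upper bound: the only validation visible before the call is `if (len == 0 || len & 3)`. `__GFP_NOWARN` silences the page-allocator warning, but a length chosen by userspace through `qrtr_tun_write_iter()` still drives a large `GFP_ATOMIC` allocation attempt on every such write. Consider rejecting lengths above the protocol's maximum packet size before allocating, and in any case record the intent above the call, e.g. `/* len is untrusted (tun write path); fail quietly with -ENOMEM on oversized requests */`. `qrtr_endpoint_post()` starts and ends outside the hunk, so a bound applied elsewhere in the function or in the caller cannot be ruled out from here.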