From patchwork Thu Oct 19 16:40:39 2017
X-Patchwork-Submitter: Willem de Bruijn
X-Patchwork-Id: 828226
X-Patchwork-Delegate: davem@davemloft.net
From: Willem de Bruijn
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, Willem de Bruijn
Subject: [PATCH net] sock: correct sk_wmem_queued accounting on efault in tcp zerocopy
Date: Thu, 19 Oct 2017 12:40:39 -0400
Message-Id: <20171019164039.20927-1-willemdebruijn.kernel@gmail.com>
X-Mailing-List: netdev@vger.kernel.org
From: Willem de Bruijn

Syzkaller hits WARN_ON(sk->sk_wmem_queued) in sk_stream_kill_queues after triggering an EFAULT in __zerocopy_sg_from_iter.

On this error, skb_zerocopy_stream_iter resets the skb to its state before the operation with __pskb_trim. It cannot kfree_skb like datagram callers, as the skb may have data from a previous send call.

__pskb_trim calls skb_condense for unowned skbs, which adjusts their truesize. These tcp skbuffs are owned and their truesize must add up to sk_wmem_queued. But they match because their skb->sk is NULL until tcp_transmit_skb.

Temporarily set skb->sk when calling __pskb_trim to signal that the skbuffs are owned and avoid the skb_condense path.

Fixes: 52267790ef52 ("sock: add MSG_ZEROCOPY")
Signed-off-by: Willem de Bruijn
Reviewed-by: Eric Dumazet
---
 net/core/skbuff.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c index e62476beee95..24656076906d 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -1124,9 +1124,13 @@ int skb_zerocopy_iter_stream(struct sock *sk, struct sk_buff *skb, err = __zerocopy_sg_from_iter(sk, skb, &msg->msg_iter, len); if (err == -EFAULT || (err == -EMSGSIZE && skb->len == orig_len)) { + struct sock *save_sk = skb->sk; + /* Streams do not free skb on error. Reset to prev state. */ msg->msg_iter = orig_iter; + skb->sk = sk; ___pskb_trim(skb, orig_len); + skb->sk = save_sk; return err; }
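Review bot: the temporary `skb->sk = sk;` before `___pskb_trim(skb, orig_len);` is the entire fix, yet the only comment in the hunk ("Streams do not free skb on error. Reset to prev state.") does not say why the socket pointer is set, so a later reader could mistake the assignment for a leftover and drop it, reintroducing the WARN_ON(sk->sk_wmem_queued) described in the commit message. Suggest extending the comment to state the reason given above: with skb->sk NULL the skb looks unowned, ___pskb_trim then takes the skb_condense path and changes truesize, which no longer adds up to sk_wmem_queued for these not-yet-transmitted tcp skbs. A smaller point: the commit message refers to __pskb_trim while the code calls ___pskb_trim; using the same name in both avoids confusion when someone greps for the call site. Restoring `save_sk` rather than writing NULL back is the right choice, since it keeps whatever value the caller had on the skb.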