From patchwork Fri Dec 21 18:03:13 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paolo Abeni X-Patchwork-Id: 1017669 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43LxMx5xZLz9sBh for ; Sat, 22 Dec 2018 05:04:13 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391208AbeLUSEK (ORCPT ); Fri, 21 Dec 2018 13:04:10 -0500 Received: from mx1.redhat.com ([209.132.183.28]:44725 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387627AbeLUSEJ (ORCPT ); Fri, 21 Dec 2018 13:04:09 -0500 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 46CBB7E9D7; Fri, 21 Dec 2018 18:04:09 +0000 (UTC) Received: from dhcppc1.redhat.com (ovpn-116-27.ams2.redhat.com [10.36.116.27]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2A7214521; Fri, 21 Dec 2018 18:04:07 +0000 (UTC) From: Paolo Abeni To: netdev@vger.kernel.org Cc: "David S. Miller" , Florian Westphal Subject: [PATCH net-next v2 1/3] net: fix possible user-after-free in skb_ext_add() Date: Fri, 21 Dec 2018 19:03:13 +0100 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Fri, 21 Dec 2018 18:04:09 +0000 (UTC) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On cow we can free the old extension: we must avoid dereferencing such extension after skb_ext_maybe_cow(). Since 'new' contents are always equal to 'old' after the copy, we can fix the above accessing the relevant data using 'new'. Fixes: df5042f4c5b9 ("sk_buff: add skb extension infrastructure") Signed-off-by: Paolo Abeni Acked-by: Florian Westphal --- net/core/skbuff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index cb0bf4215745..e1d88762f659 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -5666,13 +5666,13 @@ void *skb_ext_add(struct sk_buff *skb, enum skb_ext_id id) if (!new) return NULL; - if (__skb_ext_exist(old, id)) { + if (__skb_ext_exist(new, id)) { if (old != new) skb->extensions = new; goto set_active; } - newoff = old->chunks; + newoff = new->chunks; } else { newoff = SKB_EXT_CHUNKSIZEOF(*new); From patchwork Fri Dec 21 18:03:14 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paolo Abeni X-Patchwork-Id: 1017668 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43LxMw31n6z9sBh for ; Sat, 22 Dec 2018 05:04:12 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391244AbeLUSEL (ORCPT ); Fri, 21 Dec 2018 13:04:11 -0500 Received: from mx1.redhat.com ([209.132.183.28]:44508 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391197AbeLUSEK (ORCPT ); Fri, 21 Dec 2018 13:04:10 -0500 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id AFA77C05D410; Fri, 21 Dec 2018 18:04:10 +0000 (UTC) Received: from dhcppc1.redhat.com (ovpn-116-27.ams2.redhat.com [10.36.116.27]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9DA174521; Fri, 21 Dec 2018 18:04:09 +0000 (UTC) From: Paolo Abeni To: netdev@vger.kernel.org Cc: "David S. Miller" , Florian Westphal Subject: [PATCH net-next v2 2/3] net: drop the unused helper skb_ext_get() Date: Fri, 21 Dec 2018 19:03:14 +0100 Message-Id: <41fa1a7eb89518c3bb67e33f53f393ea0d2b8b42.1545413818.git.pabeni@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Fri, 21 Dec 2018 18:04:10 +0000 (UTC) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Such helper is currently unused, and skb extension users are better off using skb_ext_add()/skb_ext_del(). So let's drop it. Signed-off-by: Paolo Abeni Acked-by: Florian Westphal --- include/linux/skbuff.h | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 3f741b04e55d..2a57a365c711 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -3938,16 +3938,6 @@ static inline void skb_ext_put(struct sk_buff *skb) __skb_ext_put(skb->extensions); } -static inline void skb_ext_get(struct sk_buff *skb) -{ - if (skb->active_extensions) { - struct skb_ext *ext = skb->extensions; - - if (ext) - refcount_inc(&ext->refcnt); - } -} - static inline void __skb_ext_copy(struct sk_buff *dst, const struct sk_buff *src) { @@ -3995,7 +3985,6 @@ static inline void *skb_ext_find(const struct sk_buff *skb, enum skb_ext_id id) } #else static inline void skb_ext_put(struct sk_buff *skb) {} -static inline void skb_ext_get(struct sk_buff *skb) {} static inline void skb_ext_del(struct sk_buff *skb, int unused) {} static inline void __skb_ext_copy(struct sk_buff *d, const struct sk_buff *s) {} static inline void skb_ext_copy(struct sk_buff *dst, const struct sk_buff *s) {} From patchwork Fri Dec 21 18:03:15 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paolo Abeni X-Patchwork-Id: 1017670 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43LxN03nFZz9sBh for ; Sat, 22 Dec 2018 05:04:16 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391311AbeLUSEP (ORCPT ); Fri, 21 Dec 2018 13:04:15 -0500 Received: from mx1.redhat.com ([209.132.183.28]:10639 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391197AbeLUSEM (ORCPT ); Fri, 21 Dec 2018 13:04:12 -0500 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3103B76233; Fri, 21 Dec 2018 18:04:12 +0000 (UTC) Received: from dhcppc1.redhat.com (ovpn-116-27.ams2.redhat.com [10.36.116.27]) by smtp.corp.redhat.com (Postfix) with ESMTP id 178BA45BB; Fri, 21 Dec 2018 18:04:10 +0000 (UTC) From: Paolo Abeni To: netdev@vger.kernel.org Cc: "David S. Miller" , Florian Westphal Subject: [PATCH net-next v2 3/3] net: minor cleanup in skb_ext_add() Date: Fri, 21 Dec 2018 19:03:15 +0100 Message-Id: <76dff768078f418b5b1e7555e468b11256cc9d6d.1545413818.git.pabeni@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Fri, 21 Dec 2018 18:04:12 +0000 (UTC) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org When the extension to be added is already present, the only skb field we may need to update is 'extensions': we can reorder the code and avoid a branch. v1 -> v2: - be sure to flag the newly added extension as active Signed-off-by: Paolo Abeni Acked-by: Florian Westphal --- net/core/skbuff.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index e1d88762f659..37317ffec146 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -5666,11 +5666,8 @@ void *skb_ext_add(struct sk_buff *skb, enum skb_ext_id id) if (!new) return NULL; - if (__skb_ext_exist(new, id)) { - if (old != new) - skb->extensions = new; + if (__skb_ext_exist(new, id)) goto set_active; - } newoff = new->chunks; } else { @@ -5684,8 +5681,8 @@ void *skb_ext_add(struct sk_buff *skb, enum skb_ext_id id) newlen = newoff + skb_ext_type_len[id]; new->chunks = newlen; new->offset[id] = newoff; - skb->extensions = new; set_active: + skb->extensions = new; skb->active_extensions |= 1 << id; return skb_ext_get_ptr(new, id); }