From patchwork Sat Mar 18 21:02:59 2017
X-Patchwork-Submitter: Soheil Hassas Yeganeh
X-Patchwork-Id: 740636
X-Patchwork-Delegate: davem@davemloft.net
From: Soheil Hassas Yeganeh
To: davem@davemloft.net, netdev@vger.kernel.org
Cc: zzoru007@gmail.com, Soheil Hassas Yeganeh, Eric Dumazet, Willem de Bruijn
Subject: [PATCH net 1/2] tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs
Date: Sat, 18 Mar 2017 17:02:59 -0400
Message-Id: <20170318210300.163288-1-soheil.kdev@gmail.com>

From: Soheil Hassas Yeganeh

__sock_recv_timestamp can be called for both normal skbs (for
receive timestamps) and for skbs on the error queue (for transmit
timestamps).

Commit 1c885808e456
(tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING)
assumes any skb passed to __sock_recv_timestamp are from
the error queue, containing OPT_STATS in the content of the skb.
This results in accessing invalid memory or generating junk
data.

To fix this, set skb->pkt_type to PACKET_OUTGOING for packets
on the error queue. This is safe because on the receive path
on local sockets skb->pkt_type is never set to PACKET_OUTGOING.
With that, copy OPT_STATS from a packet, only if its pkt_type
is PACKET_OUTGOING.

Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
Reported-by: JongHwan Kim
Signed-off-by: Soheil Hassas Yeganeh
Signed-off-by: Eric Dumazet Signed-off-by: Willem de Bruijn --- net/core/skbuff.c | 10 ++++++++++ net/socket.c | 13 ++++++++++++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index cd4ba8c6b609..b1fbd1958eb6 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3694,6 +3694,15 @@ static void sock_rmem_free(struct sk_buff *skb) atomic_sub(skb->truesize, &sk->sk_rmem_alloc); } +static void skb_set_err_queue(struct sk_buff *skb) +{ + /* pkt_type of skbs received on local sockets is never PACKET_OUTGOING. + * So, it is safe to (mis)use it to mark skbs on the error queue. + */ + skb->pkt_type = PACKET_OUTGOING; + BUILD_BUG_ON(PACKET_OUTGOING == 0); +} + /* * Note: We dont mem charge error packets (no sk_forward_alloc changes) */ @@ -3707,6 +3716,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb) skb->sk = sk; skb->destructor = sock_rmem_free; atomic_add(skb->truesize, &sk->sk_rmem_alloc); + skb_set_err_queue(skb); /* before exiting rcu section, make sure dst is refcounted */ skb_dst_force(skb); diff --git a/net/socket.c b/net/socket.c index e034fe4164be..692d6989d2c2 100644 --- a/net/socket.c +++ b/net/socket.c @@ -652,6 +652,16 @@ int kernel_sendmsg(struct socket *sock, struct msghdr *msg, } EXPORT_SYMBOL(kernel_sendmsg); +static bool skb_is_err_queue(const struct sk_buff *skb) +{ + /* pkt_type of skbs enqueued on the error queue are set to + * PACKET_OUTGOING in skb_set_err_queue(). This is only safe to do + * in recvmsg, since skbs received on a local socket will never + * have a pkt_type of PACKET_OUTGOING. + */ + return skb->pkt_type == PACKET_OUTGOING; +} + /* * called from sock_recv_timestamp() if sock_flag(sk, SOCK_RCVTSTAMP) */ 
@@ -695,7 +705,8 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk, put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING, sizeof(tss), &tss); - if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS)) + if (skb_is_err_queue(skb) && skb->len && + (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS)) put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS, skb->len, skb->data); }
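
Review bot: In skb_set_err_queue() (net/core/skbuff.c, hunk at -3694) the BUILD_BUG_ON(PACKET_OUTGOING == 0) comes after the assignment and nothing says what it guards. The comment explains why reusing pkt_type is safe but not why a zero value would break the scheme; presumably an skb whose pkt_type was left at zero would then read as an error-queue skb. Please move the BUILD_BUG_ON to the top of the function and add one line to the comment stating that reason.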
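
Review bot: skb_is_err_queue() (net/socket.c, hunk at -652) and skb_set_err_queue() are two static helpers in different files that agree on the marker only through their comments, so a later change to one can silently diverge from the other. Consider defining both next to each other in a shared header. The comment also says the test "is only safe to do in recvmsg", but the invariant it relies on ("skbs received on a local socket will never have a pkt_type of PACKET_OUTGOING") is asserted rather than enforced; the commit message or comment should say which receive paths reaching __sock_recv_timestamp() were checked. Minor: "pkt_type of skbs ... are set" should read "is set".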
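
Review bot: The new condition in __sock_recv_timestamp() (hunk at -695) establishes that the skb came from the error queue, not that its payload is OPT_STATS data. Any error-queue skb with non-zero skb->len still has skb->data copied out as SCM_TIMESTAMPING_OPT_STATS whenever the flag is set in sk->sk_tsflags, and that flag is read at receive time, so it need not match the socket's setting when the skb was queued. If error-queue skbs can carry other payloads, a per-skb marker set where the stats skb is built would make the check exact; if they cannot, please say so in the commit message.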