From patchwork Fri Feb 1 19:41:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Salyzyn X-Patchwork-Id: 1035090 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=android.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=android.com header.i=@android.com header.b="RyPm2Z/h"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43rnZ10D7Sz9s6w for ; Sat, 2 Feb 2019 06:42:33 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729448AbfBATm1 (ORCPT ); Fri, 1 Feb 2019 14:42:27 -0500 Received: from mail-pg1-f193.google.com ([209.85.215.193]:39997 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729303AbfBATm0 (ORCPT ); Fri, 1 Feb 2019 14:42:26 -0500 Received: by mail-pg1-f193.google.com with SMTP id z10so3397031pgp.7 for ; Fri, 01 Feb 2019 11:42:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=android.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=ikkrNAAb5W6LlYZAOE4T04sldz3VVYnPcJ+f/96f/sI=; b=RyPm2Z/hmsrjwWW9fGANcB5l4A9O0xjaMrGtm4fNLkUGrLEvL1Dsuo1kKqDhbl4mcN a0Q6+mFSHblqyIW5ojbBFTuJksGUiWv4Mejq19BQoun6WF3aTyc1lXmImxft5CjOGD+F dcuruJ5tchXCm9NvYXkHDfAf3p4y4seIG9U/Kq6PcaCuBq1UNux38WTAPVbyfd8ERNzq VljU5NBS57lGV7eR3YJyvaOecYTL+Kblez4Rek387mo8BUq5ufpL6gnLZJWNAhqnnjML +yk7LBo5D/BktMnwBSbHncnAi1XW1KCyvIb01y/YBXSaefePQJnZXoyS4MzNOSvy+W8M 0QkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=ikkrNAAb5W6LlYZAOE4T04sldz3VVYnPcJ+f/96f/sI=; b=pf2kKENOyjaeVB9wVkbyc3OCNyJjLqtXOzbV5Ib0cIotEEZh10Ro3fSeDbEY/IRvZ6 Gp/rNLPI7vaEk8YrFpNHLThMYSeawDVsOqWvbbNQvRYyYsBxhPPFTKcDWkQaFs2cli8W jtfLhQDTQQZc7LSLlGZyRyDn/y6DA0GcRhaKjA6mtd7duJJAROC+zns3YK4ocpeoeq3N a3JMaJJHrWiPusqcRYse5vDQ7wi9O4r5+1WK0g2JWBZgBHl3TaBFyna2bf5R59WX+LWm 418S08SLjcamz5sQYAq0vz3lR0B62g4m8CFpXNecHayv8Y3GytogHtyJlotpyLQ8nZDd SmCQ== X-Gm-Message-State: AJcUukfTKFXxds6JN5MdI7pOLJjVcCHyNij+affaEFvDtvcLz+MYejOI HBOxCku1k9HSqYhWBH0sUrp48Q== X-Google-Smtp-Source: ALg8bN4iktMfMqLSre8tNeSNvw3QP0+jSdwPVMDbUZk7UhaN6hD62m2/n6PrzDde1d4bwKjnv6LU+A== X-Received: by 2002:a62:6b8a:: with SMTP id g132mr41043441pfc.201.1549050145483; Fri, 01 Feb 2019 11:42:25 -0800 (PST) Received: from nebulus.mtv.corp.google.com ([2620:0:1000:1612:b4fb:6752:f21f:3502]) by smtp.gmail.com with ESMTPSA id f13sm9721125pgq.82.2019.02.01.11.42.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 01 Feb 2019 11:42:24 -0800 (PST) From: Mark Salyzyn To: linux-kernel@vger.kernel.org Cc: Mark Salyzyn , Ronen Arad , "David S . Miller" , Dmitry Safonov , David Ahern , Kirill Tkhai , Andrei Vagin , Li RongQing , YU Bo , Denys Vlasenko , netdev@vger.kernel.org Subject: stable 3.18 backport: netlink: Trim skb to alloc size to avoid MSG_TRUNC Date: Fri, 1 Feb 2019 11:41:57 -0800 Message-Id: <20190201194211.44372-1-salyzyn@android.com> X-Mailer: git-send-email 2.20.1.611.gfbb209baf1-goog MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Direct this upstream db65a3aaf29ecce2e34271d52e8d2336b97bd9fe sha to stable 3.18. This patch addresses a race condition where a call to nlk->max_recvmsg_len = max(nlk->max_recvmsg_len, len); nlk->max_recvmsg_len = min_t(size_t, nlk->max_recvmsg_len, one thread in-between another thread: skb = netlink_alloc_skb(sk, and skb_reserve(skb, skb_tailroom(skb) - nlk->max_recvmsg_len); in netlink_dump. The result can be a negative value and will cause a kernel panic ad BUG at net/core/skbuff.c because the negative value turns into an extremely large positive value. Original commit: netlink_dump() allocates skb based on the calculated min_dump_alloc or a per socket max_recvmsg_len. min_alloc_size is maximum space required for any single netdev attributes as calculated by rtnl_calcit(). max_recvmsg_len tracks the user provided buffer to netlink_recvmsg. It is capped at 16KiB. The intention is to avoid small allocations and to minimize the number of calls required to obtain dump information for all net devices. netlink_dump packs as many small messages as could fit within an skb that was sized for the largest single netdev information. The actual space available within an skb is larger than what is requested. It could be much larger and up to near 2x with align to next power of 2 approach. Allowing netlink_dump to use all the space available within the allocated skb increases the buffer size a user has to provide to avoid truncaion (i.e. MSG_TRUNG flag set). It was observed that with many VLANs configured on at least one netdev, a larger buffer of near 64KiB was necessary to avoid "Message truncated" error in "ip link" or "bridge [-c[ompressvlans]] vlan show" when min_alloc_size was only little over 32KiB. This patch trims skb to allocated size in order to allow the user to avoid truncation with more reasonable buffer size. Signed-off-by: Ronen Arad Signed-off-by: David S. Miller (cherry pick commit db65a3aaf29ecce2e34271d52e8d2336b97bd9fe) Signed-off-by: Mark Salyzyn --- net/netlink/af_netlink.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 50096e0edd8e..57d9a72f8b6d 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1977,6 +1977,7 @@ static int netlink_dump(struct sock *sk) struct nlmsghdr *nlh; struct module *module; int err = -ENOBUFS; + int alloc_min_size; int alloc_size; mutex_lock(nlk->cb_mutex); @@ -1985,9 +1986,6 @@ static int netlink_dump(struct sock *sk) goto errout_skb; } - cb = &nlk->cb; - alloc_size = max_t(int, cb->min_dump_alloc, NLMSG_GOODSIZE); - if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) goto errout_skb; @@ -1996,22 +1994,34 @@ static int netlink_dump(struct sock *sk) * to reduce number of system calls on dump operations, if user * ever provided a big enough buffer. */ + cb = &nlk->cb; + alloc_min_size = max_t(int, cb->min_dump_alloc, NLMSG_GOODSIZE); + if (alloc_size < nlk->max_recvmsg_len) { - skb = netlink_alloc_skb(sk, - nlk->max_recvmsg_len, - nlk->portid, + alloc_size = nlk->max_recvmsg_len; + skb = netlink_alloc_skb(sk, alloc_size, nlk->portid, (GFP_KERNEL & ~__GFP_WAIT) | __GFP_NOWARN | __GFP_NORETRY); - /* available room should be exact amount to avoid MSG_TRUNC */ - if (skb) - skb_reserve(skb, skb_tailroom(skb) - - nlk->max_recvmsg_len); } - if (!skb) + if (!skb) { + alloc_size = alloc_min_size; skb = netlink_alloc_skb(sk, alloc_size, nlk->portid, (GFP_KERNEL & ~__GFP_WAIT)); + } if (!skb) goto errout_skb; + + /* Trim skb to allocated size. User is expected to provide buffer as + * large as max(min_dump_alloc, 16KiB (mac_recvmsg_len capped at + * netlink_recvmsg())). dump will pack as many smaller messages as + * could fit within the allocated skb. skb is typically allocated + * with larger space than required (could be as much as near 2x the + * requested size with align to next power of 2 approach). Allowing + * dump to use the excess space makes it difficult for a user to have a + * reasonable static buffer based on the expected largest dump of a + * single netdev. The outcome is MSG_TRUNC error. + */ + skb_reserve(skb, skb_tailroom(skb) - alloc_size); netlink_skb_set_owner_r(skb, sk); if (nlk->dump_done_errno > 0)