Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7162fb24 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

tcp: do not underestimate skb->truesize in tcp_trim_head() 



Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in
skb_try_coalesce() using syzkaller and a filter attached to a TCP
socket over loopback interface.

I believe one issue with looped skbs is that tcp_trim_head() can end up
producing skb with under estimated truesize.

It hardly matters for normal conditions, since packets sent over
loopback are never truncated.

Bytes trimmed from skb->head should not change skb truesize, since
skb->head is not reallocated.

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 19cdead3

net/ipv4/tcp_output.c

+12 −7
Original line number Diff line number Diff line
@@ -1267,7 +1267,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, 
 * eventually). The difference is that pulled data not copied, but

 * immediately discarded.

 */

static void __pskb_trim_head(struct sk_buff *skb, int len)

static int __pskb_trim_head(struct sk_buff *skb, int len)

{

	struct skb_shared_info *shinfo;

	int i, k, eat;
@@ -1277,7 +1277,7 @@ static void __pskb_trim_head(struct sk_buff *skb, int len) 
		__skb_pull(skb, eat);

		len -= eat;

		if (!len)

			return;

			return 0;

	}

	eat = len;

	k = 0;
@@ -1303,23 +1303,28 @@ static void __pskb_trim_head(struct sk_buff *skb, int len) 
	skb_reset_tail_pointer(skb);

	skb->data_len -= len;

	skb->len = skb->data_len;

	return len;

}



/* Remove acked data from a packet in the transmit queue. */

int tcp_trim_head(struct sock *sk, struct sk_buff *skb, u32 len)

{

	u32 delta_truesize;



	if (skb_unclone(skb, GFP_ATOMIC))

		return -ENOMEM;



	__pskb_trim_head(skb, len);

	delta_truesize = __pskb_trim_head(skb, len);



	TCP_SKB_CB(skb)->seq += len;

	skb->ip_summed = CHECKSUM_PARTIAL;



	skb->truesize	     -= len;

	sk->sk_wmem_queued   -= len;

	sk_mem_uncharge(sk, len);

	if (delta_truesize) {

		skb->truesize	   -= delta_truesize;

		sk->sk_wmem_queued -= delta_truesize;

		sk_mem_uncharge(sk, delta_truesize);

		sock_set_flag(sk, SOCK_QUEUE_SHRUNK);

	}



	/* Any change of skb->len requires recalculation of tso factor. */

	if (tcp_skb_pcount(skb) > 1)