From 1d0adb2191b7c26798dd8a9f2ab5ca770bf2ee76 Mon Sep 17 00:00:00 2001 From: Xin Long Date: Thu, 14 Feb 2019 16:31:24 +0800 Subject: [PATCH] sctp: increase sk_wmem_alloc when head->truesize is increased mainline inclusion from mainline-4.20 commit 0d32f17717e6 category: bugfix bugzilla: 6163 CVE: NA ------------------------------------------------- I changed to count sk_wmem_alloc by skb truesize instead of 1 to fix the sk_wmem_alloc leak caused by later truesize's change in xfrm in Commit 02968ccf0125 ("sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit"). But I should have also increased sk_wmem_alloc when head->truesize is increased in sctp_packet_gso_append() as xfrm does. Otherwise, sctp gso packet will cause sk_wmem_alloc underflow. Fixes: 02968ccf0125 ("sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Lin Miaohe Signed-off-by: Mao Wenan Reviewed-by: Wei Yongjun Signed-off-by: Yang Yingliang --- net/sctp/output.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/sctp/output.c b/net/sctp/output.c index b0e74a3e77ec..025f48e14a91 100644 --- a/net/sctp/output.c +++ b/net/sctp/output.c @@ -410,6 +410,7 @@ static void sctp_packet_gso_append(struct sk_buff *head, struct sk_buff *skb) head->truesize += skb->truesize; head->data_len += skb->len; head->len += skb->len; + refcount_add(skb->truesize, &head->sk->sk_wmem_alloc); __skb_header_release(skb); } -- GitLab
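Review bot: The added refcount_add(skb->truesize, &head->sk->sk_wmem_alloc) in sctp_packet_gso_append() dereferences head->sk, and nothing in the visible context shows that the head skb already has its owning socket attached when this helper runs. Please confirm that the caller sets the owner on head before the first append, and note that precondition in a comment. A one-line comment tying this charge to the head->truesize += skb->truesize line above it would also help: the commit message says the two must change together or sk_wmem_alloc underflows, and nothing in the code makes that pairing visible to whoever next touches the truesize accounting.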