sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit

mainline inclusion from mainline-4.20 commit 02968ccf0125 category: bugfix bugzilla: 6163 CVE: NA ------------------------------------------------- Now sctp increases sk_wmem_alloc by 1 when doing set_owner_w for the skb allocked in sctp_packet_transmit and decreases by 1 when freeing this skb. But when this skb goes through networking stack, some subcomponents might change skb->truesize and add the same amount on sk_wmem_alloc. However sctp doesn't know the amount to decrease by, it would cause a leak on sk->sk_wmem_alloc and the sock can never be freed. Xiumei found this issue when it hit esp_output_head() by using sctp over ipsec, where skb->truesize is added and so is sk->sk_wmem_alloc. Since sctp has used sk_wmem_queued to count for writable space since Commit cd305c74b0f8 ("sctp: use sk_wmem_queued to check for writable space"), it's ok to fix it by counting sk_wmem_alloc by skb truesize in sctp_packet_transmit. Fixes: cac2661c ("esp4: Avoid skb_cow_data whenever possible") Reported-by: N Xiumei Mu <xmu@redhat.com> Signed-off-by: N Xin Long <lucien.xin@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Lin Miaohe <linmiaohe@huawei.com> Signed-off-by: N Mao Wenan <maowenan@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit
mainline inclusion from mainline-4.20 commit 02968ccf0125 category: bugfix bugzilla: 6163 CVE: NA ------------------------------------------------- Now sctp increases sk_wmem_alloc by 1 when doing set_owner_w for the skb allocked in sctp_packet_transmit and decreases by 1 when freeing this skb. But when this skb goes through networking stack, some subcomponents might change skb->truesize and add the same amount on sk_wmem_alloc. However sctp doesn't know the amount to decrease by, it would cause a leak on sk->sk_wmem_alloc and the sock can never be freed. Xiumei found this issue when it hit esp_output_head() by using sctp over ipsec, where skb->truesize is added and so is sk->sk_wmem_alloc. Since sctp has used sk_wmem_queued to count for writable space since Commit cd305c74b0f8 ("sctp: use sk_wmem_queued to check for writable space"), it's ok to fix it by counting sk_wmem_alloc by skb truesize in sctp_packet_transmit. Fixes: cac2661c ("esp4: Avoid skb_cow_data whenever possible") Reported-by: N Xiumei Mu <xmu@redhat.com> Signed-off-by: N Xin Long <lucien.xin@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Lin Miaohe <linmiaohe@huawei.com> Signed-off-by: N Mao Wenan <maowenan@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
af608a1e · Xin Long · Xie XiuQi · 23183c43 · af608a1e
隐藏空白更改
内联并排

Showing with 1 addition and 20 deletion

net/sctp/output.c net/sctp/output.c +1 -20

未找到文件。
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -399,25 +399,6 @@ enum sctp_xmit sctp_packet_append_chunk(struct sctp_packet *packet,
 	return retval;
 }

-static void sctp_packet_release_owner(struct sk_buff *skb)
-{
-	sk_free(skb->sk);
-}
-
-static void sctp_packet_set_owner_w(struct sk_buff *skb, struct sock *sk)
-{
-	skb_orphan(skb);
-	skb->sk = sk;
-	skb->destructor = sctp_packet_release_owner;
-
-	/*
-	 * The data chunks have already been accounted for in sctp_sendmsg(),
-	 * therefore only reserve a single byte to keep socket around until
-	 * the packet has been transmitted.
-	 */
-	refcount_inc(&sk->sk_wmem_alloc);
-}
-
 static void sctp_packet_gso_append(struct sk_buff *head, struct sk_buff *skb)
 {
 	if (SCTP_OUTPUT_CB(head)->last == head)
@@ -604,7 +585,7 @@ int sctp_packet_transmit(struct sctp_packet *packet, gfp_t gfp)
 	if (!head)
 		goto out;
 	skb_reserve(head, packet->overhead + MAX_HEADER);
-	sctp_packet_set_owner_w(head, sk);
+	skb_set_owner_w(head, sk);

 	/* set sctp header */
 	sh = skb_push(head, sizeof(struct sctphdr));