Commit bd37d000 authored by Vasily Averin's avatar Vasily Averin Committed by Ziyang Xuan
Browse files

skbuff: introduce skb_expand_head() 

mainline inclusion
from mainline-v5.15-rc1
commit f1260ff1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HVTH
CVE: CVE-2024-26921

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1260ff15a71b8fc122b2c9abd8a7abffb6e0168



--------------------------------

Like skb_realloc_headroom(), new helper increases headroom of specified skb.
Unlike skb_realloc_headroom(), it does not allocate a new skb if possible;
copies skb->sk on new skb when as needed and frees original skb in case
of failures.

This helps to simplify ip[6]_finish_output2() and a few other similar cases.

Signed-off-by: default avatarVasily Averin <vvs@virtuozzo.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
parent a37954d8

include/linux/skbuff.h

+1 −0
Original line number Diff line number Diff line
@@ -1181,6 +1181,7 @@ static inline struct sk_buff *__pskb_copy(struct sk_buff *skb, int headroom, 
int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail, gfp_t gfp_mask);

struct sk_buff *skb_realloc_headroom(struct sk_buff *skb,

				     unsigned int headroom);

struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom);

struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom,

				int newtailroom, gfp_t priority);

int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,

net/core/skbuff.c

+42 −0
Original line number Diff line number Diff line
@@ -1773,6 +1773,48 @@ int __skb_unclone_keeptruesize(struct sk_buff *skb, gfp_t pri) 
	return 0;

}



/**

 *	skb_expand_head - reallocate header of &sk_buff

 *	@skb: buffer to reallocate

 *	@headroom: needed headroom

 *

 *	Unlike skb_realloc_headroom, this one does not allocate a new skb

 *	if possible; copies skb->sk to new skb as needed

 *	and frees original skb in case of failures.

 *

 *	It expect increased headroom and generates warning otherwise.

 */



struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom)

{

	int delta = headroom - skb_headroom(skb);



	if (WARN_ONCE(delta <= 0,

		      "%s is expecting an increase in the headroom", __func__))

		return skb;



	/* pskb_expand_head() might crash, if skb is shared */

	if (skb_shared(skb)) {

		struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);



		if (likely(nskb)) {

			if (skb->sk)

				skb_set_owner_w(nskb, skb->sk);

			consume_skb(skb);

		} else {

			kfree_skb(skb);

		}

		skb = nskb;

	}

	if (skb &&

	    pskb_expand_head(skb, SKB_DATA_ALIGN(delta), 0, GFP_ATOMIC)) {

		kfree_skb(skb);

		skb = NULL;

	}

	return skb;

}

EXPORT_SYMBOL(skb_expand_head);



/**

 *	skb_copy_expand	-	copy and expand sk_buff

 *	@skb: buffer to copy