From nobody Mon Apr 6 00:07:21 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5B18FC6FA82 for ; Tue, 13 Sep 2022 14:51:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234638AbiIMOvT (ORCPT ); Tue, 13 Sep 2022 10:51:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46380 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234477AbiIMOsq (ORCPT ); Tue, 13 Sep 2022 10:48:46 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 254574E871; Tue, 13 Sep 2022 07:25:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 18B0BB80F9E; Tue, 13 Sep 2022 14:25:13 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5FA9AC433D7; Tue, 13 Sep 2022 14:25:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1663079111; bh=rM5Kf/cPl4VUdONLEtw/0ycA4Hsu4Dx65GEYKH11jmI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SvQmNctgLld2F5mcy9p809yqVyEGqA7JIhoBAPqukbP7pw9ybp81/zoX5swKjbtJc U4Ozg3x4OWAiIwa7en3lWOvPltrQm6wOwjfCl3Pfh5ssWFgx27kusXjpfLE4MPZ+L6 ccbQEy/snyp5etxddRyAVAZTcmcY5Z7r4CmAVK2U= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marc Dionne , David Howells , linux-afs@lists.infradead.org, Sasha Levin Subject: [PATCH 5.10 53/79] rxrpc: Fix an insufficiently large sglist in rxkad_verify_packet_2() Date: Tue, 13 Sep 2022 16:04:58 +0200 Message-Id: <20220913140352.798703357@linuxfoundation.org> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20220913140350.291927556@linuxfoundation.org> References: <20220913140350.291927556@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: David Howells [ Upstream commit 0d40f728e28393a8817d1fcae923dfa3409e488c ] rxkad_verify_packet_2() has a small stack-allocated sglist of 4 elements, but if that isn't sufficient for the number of fragments in the socket buffer, we try to allocate an sglist large enough to hold all the fragments. However, for large packets with a lot of fragments, this isn't sufficient and we need at least one additional fragment. The problem manifests as skb_to_sgvec() returning -EMSGSIZE and this then getting returned by userspace. Most of the time, this isn't a problem as rxrpc sets a limit of 5692, big enough for 4 jumbo subpackets to be glued together; occasionally, however, the server will ignore the reported limit and give a packet that's a lot bigger - say 19852 bytes with ->nr_frags being 7. skb_to_sgvec() then tries to return a "zeroth" fragment that seems to occur before the fragments counted by ->nr_frags and we hit the end of the sglist too early. Note that __skb_to_sgvec() also has an skb_walk_frags() loop that is recursive up to 24 deep. I'm not sure if I need to take account of that too - or if there's an easy way of counting those frags too. Fix this by counting an extra frag and allocating a larger sglist based on that. Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()") Reported-by: Marc Dionne Signed-off-by: David Howells cc: linux-afs@lists.infradead.org Signed-off-by: Sasha Levin --- net/rxrpc/rxkad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c index f114dc2af5cf3..5345e8eefd33c 100644 --- a/net/rxrpc/rxkad.c +++ b/net/rxrpc/rxkad.c @@ -451,7 +451,7 @@ static int rxkad_verify_packet_2(struct rxrpc_call *cal= l, struct sk_buff *skb, * directly into the target buffer. */ sg =3D _sg; - nsg =3D skb_shinfo(skb)->nr_frags; + nsg =3D skb_shinfo(skb)->nr_frags + 1; if (nsg <=3D 4) { nsg =3D 4; } else { --=20 2.35.1