Kees Cook ce098da149 skbuff: Introduce slab_build_skb() ... syzkaller reported: BUG: KASAN: slab-out-of-bounds in __build_skb_around+0x235/0x340 net/core/skbuff.c:294 Write of size 32 at addr ffff88802aa172c0 by task syz-executor413/5295 For bpf_prog_test_run_skb(), which uses a kmalloc()ed buffer passed to build_skb(). When build_skb() is passed a frag_size of 0, it means the buffer came from kmalloc. In these cases, ksize() is used to find its actual size, but since the allocation may not have been made to that size, actually perform the krealloc() call so that all the associated buffer size checking will be correctly notified (and use the "new" pointer so that compiler hinting works correctly). Split this logic out into a new interface, slab_build_skb(), but leave the original 0 checking for now to catch any stragglers. Reported-by: syzbot+fda18eaa8c12534ccb3b@syzkaller.appspotmail.com Link: https://groups.google.com/g/syzkaller-bugs/c/UnIKxTtU5-0/m/-wbXinkgAQAJ Fixes: 38931d8989 ("mm: Make ksize() a reporting-only function") Cc: Pavel Begunkov <asml.silence@gmail.com> Cc: pepsipu <soopthegoop@gmail.com> Cc: syzbot+fda18eaa8c12534ccb3b@syzkaller.appspotmail.com Cc: Vlastimil Babka <vbabka@suse.cz> Cc: kasan-dev <kasan-dev@googlegroups.com> Cc: Andrii Nakryiko <andrii@kernel.org> Cc: ast@kernel.org Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Hao Luo <haoluo@google.com> Cc: Jesper Dangaard Brouer <hawk@kernel.org> Cc: John Fastabend <john.fastabend@gmail.com> Cc: jolsa@kernel.org Cc: KP Singh <kpsingh@kernel.org> Cc: martin.lau@linux.dev Cc: Stanislav Fomichev <sdf@google.com> Cc: song@kernel.org Cc: Yonghong Song <yhs@fb.com> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20221208060256.give.994-kees@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>		2022-12-09 19:47:41 -08:00
..
Makefile	qed: Remove IP services API.	2022-04-22 15:15:23 -07:00
qed_chain.c
qed_cxt.c
qed_cxt.h
qed_dbg_hsi.h	qed: fix typos in comments	2022-05-22 20:44:30 +01:00
qed_dcbx.c
qed_dcbx.h
qed_debug.c	qed (gcc13): use u16 for fid to be big enough	2022-11-02 20:38:08 -07:00
qed_debug.h
qed_dev_api.h
qed_dev.c	qlogic: qed: fix clang -Wformat warnings	2022-07-12 20:36:41 -07:00
qed_devlink.c	net: devlink: let the core report the driver name instead of the drivers	2022-11-30 21:49:38 -08:00
qed_devlink.h
qed_fcoe.c
qed_fcoe.h
qed_hsi.h
qed_hw.c
qed_hw.h
qed_init_fw_funcs.c	qed: remove unnecessary memset in qed_init_fw_funcs	2022-03-21 10:59:56 +00:00
qed_init_ops.c
qed_init_ops.h
qed_int.c	net: ethernet: move from strlcpy with unused retval to strscpy	2022-08-31 14:11:26 -07:00
qed_int.h	qed*: enhance tx timeout debug info	2021-12-03 18:24:20 -08:00
qed_iro_hsi.h
qed_iscsi.c
qed_iscsi.h
qed_iwarp.c
qed_iwarp.h
qed_l2.c
qed_l2.h
qed_ll2.c	skbuff: Introduce slab_build_skb()	2022-12-09 19:47:41 -08:00
qed_ll2.h
qed_main.c	qed: Remove unnecessary synchronize_irq() before free_irq()	2022-05-17 13:02:34 +02:00
qed_mcp.c	qed: avoid defines prefixed with CONFIG	2022-11-25 08:13:09 +00:00
qed_mcp.h	qed: prevent a fw assert during device shutdown	2022-02-10 15:27:44 +00:00
qed_mfw_hsi.h	treewide: Replace zero-length arrays with flexible-array members	2022-02-17 07:00:39 -06:00
qed_mng_tlv.c
qed_nvmetcp_fw_funcs.c
qed_nvmetcp_fw_funcs.h
qed_nvmetcp.c
qed_nvmetcp.h
qed_ooo.c
qed_ooo.h
qed_ptp.c
qed_ptp.h
qed_rdma.c	qed: Use bitmap_empty()	2022-07-06 19:55:14 -07:00
qed_rdma.h
qed_reg_addr.h	qed*: enhance tx timeout debug info	2021-12-03 18:24:20 -08:00
qed_roce.c	qed: replace bitmap_weight with bitmap_empty in qed_roce_stop()	2022-05-02 06:30:40 -07:00
qed_roce.h
qed_selftest.c
qed_selftest.h
qed_sp_commands.c
qed_sp.h
qed_spq.c
qed_sriov.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-03-10 17:16:56 -08:00
qed_sriov.h	qed: validate and restrict untrusted VFs vlan promisc mode	2022-03-03 10:26:20 +00:00
qed_vf.c	net: qlogic: check the return value of dma_alloc_coherent() in qed_vf_hw_prepare()	2022-03-07 11:28:38 +00:00
qed_vf.h	qed: fix typos in comments	2022-05-22 20:44:30 +01:00
qed.h