syzbot and other bots reported that we have to enable user copy to/from skb->head. [1]
We can prevent access to skb_shared_info, which is a nice improvement over standard kmem_cache.
Layout of these kmem_cache objects is:
< SKB_SMALL_HEAD_HEADROOM >< struct skb_shared_info >
usercopy: Kernel memory overwrite attempt detected to SLUB object 'skbuff_small_head' (offset 32, size 20)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102 !
[...]
LKFT also reported this problem on today's Linux next-20230209.
Link: https://lore.kernel.org/linux-next/CA+G9fYs-i-c2KTSA7Ai4ES_ZESY1ZnM=Zuo8P1jN...
Reported-by: Linux Kernel Functional Testing lkft@linaro.org
Fixes: bf9f1baa279f ("net: add dedicated kmem_cache for typical/small skb->head")
Reported-by: syzbot syzkaller@googlegroups.com
Signed-off-by: Eric Dumazet edumazet@google.com
Tested-by: Linux Kernel Functional Testing lkft@linaro.org
Thanks for providing a quick fix.
--
Linaro LKFT
https://lkft.linaro.org
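
Added example, not part of the original thread or of the kernel patch: a userspace C model of the hardened-usercopy bounds check applied to the object layout described in the commit message. It shows why the reported copy (offset 32, size 20) is rejected when the cache has no usercopy window, and how a window over the headroom alone admits it while keeping skb_shared_info off limits. The HEADROOM and SHINFO sizes and the names cache_model and usercopy_allowed are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sizes for illustration; real values depend on the kernel config. */
#define HEADROOM 384u  /* stands in for SKB_SMALL_HEAD_HEADROOM */
#define SHINFO   320u  /* stands in for sizeof(struct skb_shared_info) */
#define OBJ_SIZE (HEADROOM + SHINFO)

/* The part of a slab cache description that hardened usercopy consults. */
struct cache_model {
    const char *name;
    size_t object_size;
    size_t useroffset;  /* start of the region user copies may touch */
    size_t usersize;    /* length of that region; 0 means no user copies */
};

/* Model of the per-object check: the span [offset, offset + n) must lie
 * entirely inside [useroffset, useroffset + usersize). */
static bool usercopy_allowed(const struct cache_model *c, size_t offset, size_t n)
{
    if (offset >= c->object_size || n > c->object_size - offset)
        return false;                      /* runs past the object */
    if (offset < c->useroffset)
        return false;                      /* starts before the window */
    if (offset - c->useroffset > c->usersize)
        return false;                      /* starts after the window */
    return n <= c->usersize - (offset - c->useroffset);
}

/* Cache with no usercopy window, the situation behind the reported BUG. */
static const struct cache_model before = { "skbuff_small_head", OBJ_SIZE, 0, 0 };
/* Window covers the headroom only; skb_shared_info stays outside it. */
static const struct cache_model after = { "skbuff_small_head", OBJ_SIZE, 0, HEADROOM };

int main(void)
{
    printf("no window,  offset 32 size 20:  %d\n", usercopy_allowed(&before, 32, 20));
    printf("headroom,   offset 32 size 20:  %d\n", usercopy_allowed(&after, 32, 20));
    printf("headroom,   straddles shinfo:   %d\n", usercopy_allowed(&after, HEADROOM - 8, 16));
    printf("headroom,   inside shinfo:      %d\n", usercopy_allowed(&after, HEADROOM, 4));
    return 0;
}
```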