From: Eric Dumazet <eric.duma...@gmail.com>
Date: Thu, 15 Feb 2018 14:47:15 -0800

> From: Eric Dumazet <eduma...@google.com>
>
> <Mark Rutland reported>
> While fuzzing arm64 v4.16-rc1 with Syzkaller, I've been hitting a
> misaligned atomic in __skb_clone:
>
> atomic_inc(&(skb_shinfo(skb)->dataref));
>
> where dataref doesn't have the required natural alignment, and the
> atomic operation faults. e.g. I often see it aligned to a single
> byte boundary rather than a four byte boundary.
>
> AFAICT, the skb_shared_info is misaligned at the instant it's
> allocated in __napi_alloc_skb()
> </end of report>
>
> Problem is caused by tun_napi_alloc_frags() using
> napi_alloc_frag() with user provided seg sizes,
> leading to other users of this API getting unaligned
> page fragments.
>
> Since we would like to not necessarily add paddings or alignments to
> the frags that tun_napi_alloc_frags() attaches to the skb, switch to
> another page frag allocator.
>
> As a bonus skb_page_frag_refill() can use GFP_KERNEL allocations,
> meaning that we can not deplete memory reserves as easily.
>
> Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Mark Rutland <mark.rutl...@arm.com>
> Tested-by: Mark Rutland <mark.rutl...@arm.com>

Applied and queued up for -stable, thanks Eric.
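The mechanism behind the report, as an added illustration that is not part of the patch or of the kernel's code: a toy page-fragment cache carves fragments from the top of a buffer downward, in the spirit of the kernel's page_frag allocator (the model is an assumption, not a transcription). When a user-chosen odd fragment size is taken from the cache that other callers share, the next fragment starts at an unaligned offset, which is what leaves skb_shared_info (and its atomic dataref) on a byte boundary. Giving the user-sized fragments their own cache, as the fix does by switching tun to a different allocator, keeps the shared cache aligned. Sizes, the struct stand-in and the 4-byte alignment requirement are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model (added example, not kernel code): one buffer per cache,
 * fragments carved from the top downward; 'offset' is the start of the
 * most recently handed-out fragment. */
#define FRAG_CACHE_SIZE 4096
#define ATOMIC_ALIGN 4 /* assumed natural alignment of the atomic counter */
#define SHINFO_SIZE 64 /* constructed stand-in for sizeof(skb_shared_info) */

struct frag_cache {
    unsigned char *va;
    size_t offset; /* bytes still free below this point */
};

static void frag_cache_init(struct frag_cache *nc, unsigned char *buf) {
    nc->va = buf;
    nc->offset = FRAG_CACHE_SIZE;
}

/* Hands out exactly fragsz bytes: no padding, so the caller's size
 * decides where the *next* fragment will start. */
static void *frag_alloc(struct frag_cache *nc, size_t fragsz) {
    if (fragsz > nc->offset)
        return NULL;
    nc->offset -= fragsz;
    return nc->va + nc->offset;
}

static int is_aligned(const void *p, size_t align) {
    return ((uintptr_t)p % align) == 0;
}

/* Scenario: a user-controlled fragment (like a TUN segment) is allocated,
 * then a kernel caller allocates its shinfo-bearing buffer.
 * separate_caches == 0: both come from the shared cache (the bug).
 * separate_caches == 1: user fragments use a private cache (the fix).
 * Returns 1 if the kernel buffer is aligned, 0 if not, -1 on exhaustion. */
static int kernel_frag_is_aligned(int separate_caches, size_t user_sz) {
    static _Alignas(64) unsigned char shared_buf[FRAG_CACHE_SIZE];
    static _Alignas(64) unsigned char private_buf[FRAG_CACHE_SIZE];
    struct frag_cache shared, private_cache;

    frag_cache_init(&shared, shared_buf);
    frag_cache_init(&private_cache, private_buf);

    struct frag_cache *user_cache = separate_caches ? &private_cache : &shared;
    void *user_frag = frag_alloc(user_cache, user_sz);
    void *shinfo = frag_alloc(&shared, SHINFO_SIZE);
    if (!user_frag || !shinfo)
        return -1;
    return is_aligned(shinfo, ATOMIC_ALIGN);
}

int main(void) {
    size_t odd_sizes[] = {13, 1, 4095 - 64}; /* constructed user sizes */
    for (size_t i = 0; i < sizeof(odd_sizes) / sizeof(odd_sizes[0]); i++) {
        printf("user size %4zu: shared cache aligned=%d, private cache aligned=%d\n",
               odd_sizes[i],
               kernel_frag_is_aligned(0, odd_sizes[i]),
               kernel_frag_is_aligned(1, odd_sizes[i]));
    }
    return 0;
}
```

The check to keep from this is the invariant: every fragment handed to a caller that embeds an atomic (or any naturally aligned field) must come from a cache whose request sizes are all multiples of that alignment, which a shared cache fed with arbitrary user sizes cannot guarantee.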