tun: fix tun_napi_alloc_frags() frag allocator

<Mark Rutland reported>
    While fuzzing arm64 v4.16-rc1 with Syzkaller, I've been hitting a
    misaligned atomic in __skb_clone:

        atomic_inc(&(skb_shinfo(skb)->dataref));

   where dataref doesn't have the required natural alignment, and the
   atomic operation faults. e.g. i often see it aligned to a single
   byte boundary rather than a four byte boundary.

   AFAICT, the skb_shared_info is misaligned at the instant it's
   allocated in __napi_alloc_skb()  __napi_alloc_skb()
</end of report>

Problem is caused by tun_napi_alloc_frags() using
napi_alloc_frag() with user provided seg sizes,
leading to other users of this API getting unaligned
page fragments.

Since we would like to not necessarily add paddings or alignments to
the frags that tun_napi_alloc_frags() attaches to the skb, switch to
another page frag allocator.

As a bonus skb_page_frag_refill() can use GFP_KERNEL allocations,
meaning that we can not deplete memory reserves as easily.

Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 6 insertions, 10 deletions

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 81e6cc951e7f..b52258c327d2 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1489,27 +1489,23 @@ static struct sk_buff *tun_napi_alloc_frags(struct tun_file *tfile,
         skb->truesize += skb->data_len;
 
         for (i = 1; i < it->nr_segs; i++) {
+                struct page_frag *pfrag = &current->task_frag;
                 size_t fragsz = it->iov[i].iov_len;
-                unsigned long offset;
-                struct page *page;
-                void *data;
 
                 if (fragsz == 0 || fragsz > PAGE_SIZE) {
                         err = -EINVAL;
                         goto free;
                 }
 
-                local_bh_disable();
-                data = napi_alloc_frag(fragsz);
-                local_bh_enable();
-                if (!data) {
+                if (!skb_page_frag_refill(fragsz, pfrag, GFP_KERNEL)) {
                         err = -ENOMEM;
                         goto free;
                 }
 
-                page = virt_to_head_page(data);
-                offset = data - page_address(page);
-                skb_fill_page_desc(skb, i - 1, page, offset, fragsz);
+                skb_fill_page_desc(skb, i - 1, pfrag->page,
+                                   pfrag->offset, fragsz);
+                page_ref_inc(pfrag->page);
+                pfrag->offset += fragsz;
         }
 
         return skb;