lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 15 Feb 2018 14:14:37 +0100
From:   Jon Maloy <jon.maloy@...csson.com>
To:     <davem@...emloft.net>, <netdev@...r.kernel.org>
CC:     <mohan.krishna.ghanta.krishnamurthy@...csson.com>,
        <tung.q.nguyen@...tech.com.au>, <hoang.h.le@...tech.com.au>,
        <jon.maloy@...csson.com>, <canh.d.luu@...tech.com.au>,
        <ying.xue@...driver.com>, <tipc-discussion@...ts.sourceforge.net>
Subject: [net-next v2 1/1] tipc: avoid unnecessary copying of bundled messages

A received sk buffer may contain dozens of smaller 'bundled' messages
which after extraction go each in their own direction.

Unfortunately, when we extract those messages using skb_clone() each
of the extracted buffers inherit the truesize value of the original
buffer. Apart from causing massive overaccounting of the base buffer's
memory, this often causes tipc_msg_validate() to come to the false
conclusion that the ratio truesize/datasize > 4, and perform an
unnecessary copying of the extracted buffer.

We now fix this problem by explicitly correcting the truesize value of
the buffer clones to be the truesize of the clone itself plus a
calculated fraction of the base buffer's overhead. This change
eliminates the overaccounting and at least mitigates the occurrence
of unnecessary buffer copying.

Reported-by: Hoang Le <hoang.h.le@...tek.com.au>
Acked-by: Ying Xue <ying.xue@...driver.com>
Signed-off-by: Jon Maloy <jon.maloy@...csson.com>
---
 net/tipc/msg.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 4e1c6f6..ce0bfc4 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -416,8 +416,8 @@ bool tipc_msg_bundle(struct sk_buff *skb, struct tipc_msg *msg, u32 mtu)
  */
 bool tipc_msg_extract(struct sk_buff *skb, struct sk_buff **iskb, int *pos)
 {
+	int imsz, offset, clone_cnt, skb_overhead;
 	struct tipc_msg *msg;
-	int imsz, offset;
 
 	*iskb = NULL;
 	if (unlikely(skb_linearize(skb)))
@@ -434,6 +434,11 @@ bool tipc_msg_extract(struct sk_buff *skb, struct sk_buff **iskb, int *pos)
 	skb_pull(*iskb, offset);
 	imsz = msg_size(buf_msg(*iskb));
 	skb_trim(*iskb, imsz);
+
+	/* Scale extracted buffer's truesize to avoid double accounting */
+	clone_cnt = max_t(u32, 1, msg_msgcnt(msg));
+	skb_overhead = skb->truesize - skb->len;
+	(*iskb)->truesize = SKB_TRUESIZE(imsz) + skb_overhead / clone_cnt;
 	if (unlikely(!tipc_msg_validate(iskb)))
 		goto none;
 	*pos += align(imsz);
-- 
2.1.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ