| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <67D5F9F1-3416-4E08-9D5A-369ED5B4EA95@kernel.org>
Date: Tue, 06 Dec 2022 19:47:13 -0800
From: Kees Cook <kees@...nel.org>
To: Jakub Kicinski <kuba@...nel.org>, Kees Cook <keescook@...omium.org>
CC: "David S. Miller" <davem@...emloft.net>,
syzbot+fda18eaa8c12534ccb3b@...kaller.appspotmail.com,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
Pavel Begunkov <asml.silence@...il.com>,
pepsipu <soopthegoop@...il.com>,
Vlastimil Babka <vbabka@...e.cz>,
kasan-dev <kasan-dev@...glegroups.com>,
Andrii Nakryiko <andrii@...nel.org>, ast@...nel.org,
bpf <bpf@...r.kernel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Hao Luo <haoluo@...gle.com>,
Jesper Dangaard Brouer <hawk@...nel.org>,
John Fastabend <john.fastabend@...il.com>, jolsa@...nel.org,
KP Singh <kpsingh@...nel.org>, martin.lau@...ux.dev,
Stanislav Fomichev <sdf@...gle.com>, song@...nel.org,
Yonghong Song <yhs@...com>, netdev@...r.kernel.org,
LKML <linux-kernel@...r.kernel.org>,
Menglong Dong <imagedong@...cent.com>,
David Ahern <dsahern@...nel.org>,
Martin KaFai Lau <kafai@...com>,
Luiz Augusto von Dentz <luiz.von.dentz@...el.com>,
Richard Gobert <richardbgobert@...il.com>,
Andrey Konovalov <andreyknvl@...il.com>,
David Rientjes <rientjes@...gle.com>,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH] skbuff: Reallocate to ksize() in __build_skb_around()
On December 6, 2022 5:55:57 PM PST, Jakub Kicinski <kuba@...nel.org> wrote:
>On Tue, 6 Dec 2022 15:17:14 -0800 Kees Cook wrote:
>> - unsigned int size = frag_size ? : ksize(data);
>> + unsigned int size = frag_size;
>> +
>> + /* When frag_size == 0, the buffer came from kmalloc, so we
>> + * must find its true allocation size (and grow it to match).
>> + */
>> + if (unlikely(size == 0)) {
>> + void *resized;
>> +
>> + size = ksize(data);
>> + /* krealloc() will immediate return "data" when
>> + * "ksize(data)" is requested: it is the existing upper
>> + * bounds. As a result, GFP_ATOMIC will be ignored.
>> + */
>> + resized = krealloc(data, size, GFP_ATOMIC);
>> + if (WARN_ON(resized != data))
>> + data = resized;
>> + }
>>
>
>Aammgh. build_skb(0) is plain silly, AFAIK. The performance hit of
>using kmalloc()'ed heads is large because GRO can't free the metadata.
>So we end up carrying per-MTU skbs across to the application and then
>freeing them one by one. With pages we just aggregate up to 64k of data
>in a single skb.
This isn't changed by this patch, though? The users of kmalloc+build_skb are pre-existing.
>I can only grep out 3 cases of build_skb(.. 0), could we instead
>convert them into a new build_skb_slab(), and handle all the silliness
>in such a new helper? That'd be a win both for the memory safety and one
>fewer branch for the fast path.
When I went through callers, it was many more than 3. Regardless, I don't see the point: my patch has no more branches than the original code (in fact, it may actually be faster because I made the initial assignment unconditional, and zero-test-after-assign is almost free, where as before it tested before the assign. And now it's marked as unlikely to keep it out-of-line.
>I think it's worth doing, so LMK if you're okay to do this extra work,
>otherwise I can help (unless e.g. Eric tells me I'm wrong..).
I had been changing callers to round up (e.g. bnx2), but it seemed like centralizing this makes more sense. I don't think a different helper will clean this up.
-Kees
--
Kees Cook
Powered by blists - more mailing lists