lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 27 May 2021 11:43:20 +0100
From:   Colin Ian King <colin.king@...onical.com>
To:     Jesper Dangaard Brouer <brouer@...hat.com>
Cc:     Hangbin Liu <liuhangbin@...il.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Toke Høiland-Jørgensen <toke@...hat.com>,
        John Fastabend <john.fastabend@...il.com>, bpf@...r.kernel.org,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: re: bpf: Run devmap xdp_prog on flush instead of bulk enqueue

Hi,

Static analysis with Coverity on linux-next detected a minor issue that
was introduced with the following commit:

commit cb261b594b4108668e00f565184c7c221efe0359
Author: Jesper Dangaard Brouer <brouer@...hat.com>
Date:   Wed May 19 17:07:44 2021 +0800

    bpf: Run devmap xdp_prog on flush instead of bulk enqueue

The analysis is as follows:

370static void bq_xmit_all(struct xdp_dev_bulk_queue *bq, u32 flags)
371{
372        struct net_device *dev = bq->dev;
373        int sent = 0, drops = 0, err = 0;
374        unsigned int cnt = bq->count;
375        int to_send = cnt;
376        int i;
377
378        if (unlikely(!cnt))
379                return;
380
381        for (i = 0; i < cnt; i++) {
382                struct xdp_frame *xdpf = bq->q[i];
383
384                prefetch(xdpf);
385        }
386
387        if (bq->xdp_prog) {
388                to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q,
cnt, dev);
389                if (!to_send)
390                        goto out;
391
   Unused value (UNUSED_VALUE)
   assigned_value: Assigning value from cnt - to_send to drops here, but
that stored value is overwritten before it can be used.

392                drops = cnt - to_send;
393        }
394
395        sent = dev->netdev_ops->ndo_xdp_xmit(dev, to_send, bq->q, flags);
396        if (sent < 0) {
397                /* If ndo_xdp_xmit fails with an errno, no frames have
398                 * been xmit'ed.
399                 */
400                err = sent;
401                sent = 0;
402        }
403
404        /* If not all frames have been transmitted, it is our
405         * responsibility to free them
406         */
407        for (i = sent; unlikely(i < to_send); i++)
408                xdp_return_frame_rx_napi(bq->q[i]);
409
410out:

   value_overwrite: Overwriting previous write to drops with value from
cnt - sent.

411        drops = cnt - sent;
412        bq->count = 0;
413        trace_xdp_devmap_xmit(bq->dev_rx, dev, sent, drops, err);
414}

drops is being calculated twice but the first value is not used. Not
sure if that was intentional or an oversight.

Colin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ