| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 May 2021 14:58:41 +0200
From: Maciej Fijalkowski <maciej.fijalkowski@...el.com>
To: Colin Ian King <colin.king@...onical.com>
Cc: Jesper Dangaard Brouer <brouer@...hat.com>,
Hangbin Liu <liuhangbin@...il.com>,
Daniel Borkmann <daniel@...earbox.net>,
Toke Høiland-Jørgensen <toke@...hat.com>,
John Fastabend <john.fastabend@...il.com>, bpf@...r.kernel.org,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: bpf: Run devmap xdp_prog on flush instead of bulk enqueue
On Thu, May 27, 2021 at 11:43:20AM +0100, Colin Ian King wrote:
> Hi,
>
> Static analysis with Coverity on linux-next detected a minor issue that
> was introduced with the following commit:
>
> commit cb261b594b4108668e00f565184c7c221efe0359
> Author: Jesper Dangaard Brouer <brouer@...hat.com>
> Date: Wed May 19 17:07:44 2021 +0800
>
> bpf: Run devmap xdp_prog on flush instead of bulk enqueue
>
> The analysis is as follows:
>
> 370static void bq_xmit_all(struct xdp_dev_bulk_queue *bq, u32 flags)
> 371{
> 372 struct net_device *dev = bq->dev;
> 373 int sent = 0, drops = 0, err = 0;
> 374 unsigned int cnt = bq->count;
> 375 int to_send = cnt;
> 376 int i;
> 377
> 378 if (unlikely(!cnt))
> 379 return;
> 380
> 381 for (i = 0; i < cnt; i++) {
> 382 struct xdp_frame *xdpf = bq->q[i];
> 383
> 384 prefetch(xdpf);
> 385 }
> 386
> 387 if (bq->xdp_prog) {
> 388 to_send = dev_map_bpf_prog_run(bq->xdp_prog, bq->q,
> cnt, dev);
> 389 if (!to_send)
> 390 goto out;
> 391
> Unused value (UNUSED_VALUE)
> assigned_value: Assigning value from cnt - to_send to drops here, but
> that stored value is overwritten before it can be used.
>
> 392 drops = cnt - to_send;
> 393 }
> 394
> 395 sent = dev->netdev_ops->ndo_xdp_xmit(dev, to_send, bq->q, flags);
> 396 if (sent < 0) {
> 397 /* If ndo_xdp_xmit fails with an errno, no frames have
> 398 * been xmit'ed.
> 399 */
> 400 err = sent;
> 401 sent = 0;
> 402 }
> 403
> 404 /* If not all frames have been transmitted, it is our
> 405 * responsibility to free them
> 406 */
> 407 for (i = sent; unlikely(i < to_send); i++)
FWIW at the time that I was suggesting a rewrite of bq_xmit_all we were
using the 'drops' above via:
for (i = 0; i < cnt - drops; i++) {
So looks like now the calculation at line 392 is actually not needed.
> 408 xdp_return_frame_rx_napi(bq->q[i]);
> 409
> 410out:
>
> value_overwrite: Overwriting previous write to drops with value from
> cnt - sent.
>
> 411 drops = cnt - sent;
> 412 bq->count = 0;
> 413 trace_xdp_devmap_xmit(bq->dev_rx, dev, sent, drops, err);
> 414}
>
> drops is being calculated twice but the first value is not used. Not
> sure if that was intentional or an oversight.
>
> Colin
Powered by blists - more mailing lists