| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4679ca25-572b-44aa-bc00-cb9dc1c0080c@suse.com>
Date: Thu, 17 Apr 2025 12:23:56 +0200
From: Jürgen Groß <jgross@...e.com>
To: Alexey <sdl@...ct.ru>, Jakub Kicinski <kuba@...nel.org>
Cc: Stefano Stabellini <sstabellini@...nel.org>,
Oleksandr Tyshchenko <oleksandr_tyshchenko@...m.com>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>, Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Jesper Dangaard Brouer <hawk@...nel.org>,
John Fastabend <john.fastabend@...il.com>, xen-devel@...ts.xenproject.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org, bpf@...r.kernel.org,
lvc-project@...uxtesting.org, stable@...r.kernel.org
Subject: Re: [PATCH] xen-netfront: handle NULL returned by
xdp_convert_buff_to_frame()
On 17.04.25 12:06, Alexey wrote:
>
> On 17.04.2025 11:51, Juergen Gross wrote:
>> On 17.04.25 10:45, Alexey wrote:
>>>
>>> On 17.04.2025 10:12, Jürgen Groß wrote:
>>>> On 17.04.25 09:00, Alexey wrote:
>>>>>
>>>>> On 17.04.2025 03:58, Jakub Kicinski wrote:
>>>>>> On Mon, 14 Apr 2025 18:34:01 +0000 Alexey Nepomnyashih wrote:
>>>>>>> get_page(pdata);
>>>>>> Please notice this get_page() here.
>>>>>>
>>>>>>> xdpf = xdp_convert_buff_to_frame(xdp);
>>>>>>> + if (unlikely(!xdpf)) {
>>>>>>> + trace_xdp_exception(queue->info->netdev, prog, act);
>>>>>>> + break;
>>>>>>> + }
>>>>> Do you mean that it would be better to move the get_page(pdata) call lower,
>>>>> after checking for NULL in xdpf, so that the reference count is only increased
>>>>> after a successful conversion?
>>>>
>>>> I think the error handling here is generally broken (or at least very
>>>> questionable).
>>>>
>>>> I suspect that in case of at least some errors the get_page() is leaking
>>>> even without this new patch.
>>>>
>>>> In case I'm wrong a comment reasoning why there is no leak should be
>>>> added.
>>>>
>>>>
>>>> Juergen
>>>
>>> I think pdata is freed in xdp_return_frame_rx_napi() -> __xdp_return()
>>
>> Agreed. But what if xennet_xdp_xmit() returns an error < 0?
>>
>> In this case xdp_return_frame_rx_napi() won't be called.
>>
>>
>> Juergen
>
> Agreed. There is no explicit freed pdata in the calling function
> xennet_get_responses(). Without this, the page referenced by pdata
> could be leaked.
>
> I suggest:
>
> case XDP_TX:
> - get_page(pdata);
> xdpf = xdp_convert_buff_to_frame(xdp);
> + if (unlikely(!xdpf)) {
> + trace_xdp_exception(queue->info->netdev, prog, act);
> + break;
> + }
> + get_page(pdata);
> err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0);
> if (unlikely(!err))
> xdp_return_frame_rx_napi(xdpf);
> - else if (unlikely(err < 0))
> + else if (unlikely(err < 0)) {
> trace_xdp_exception(queue->info->netdev, prog, act);
> + xdp_return_frame_rx_napi(xdpf);
> + }
Could you please merge the two if () blocks, as they share the
call of xdp_return_frame_rx_napi() now? Something like:
if (unlikely(err <= 0)) {
if (err < 0)
trace_xdp_exception(queue->info->netdev, prog, act);
xdp_return_frame_rx_napi(xdpf);
}
> break;
> case XDP_REDIRECT:
> get_page(pdata);
> err = xdp_do_redirect(queue->info->netdev, xdp, prog);
> *need_xdp_flush = true;
> - if (unlikely(err))
> + if (unlikely(err)) {
> trace_xdp_exception(queue->info->netdev, prog, act);
> + __xdp_return(page_address(pdata), &xdp->mem, true, xdp);
> + }
> break;
Juergen
P.S.: please don't use HTML in emails
Download attachment "OpenPGP_0xB0DE9DD628BF132F.asc" of type "application/pgp-keys" (3684 bytes)
Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (496 bytes)
Powered by blists - more mailing lists