lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250517040530.GZ2023217@ZenIV>
Date: Sat, 17 May 2025 05:05:30 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Stanislav Fomichev <stfomichev@...il.com>
Cc: netdev@...r.kernel.org, davem@...emloft.net, edumazet@...gle.com,
	kuba@...nel.org, pabeni@...hat.com, horms@...nel.org,
	willemb@...gle.com, sagi@...mberg.me, asml.silence@...il.com,
	almasrymina@...gle.com, kaiyuanz@...gle.com,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next] net: devmem: remove min_t(iter_iov_len) in
 sendmsg

On Fri, May 16, 2025 at 08:53:09PM -0700, Stanislav Fomichev wrote:
> On 05/17, Al Viro wrote:
> > On Fri, May 16, 2025 at 07:17:23PM -0700, Stanislav Fomichev wrote:
> > > > Wait, in the same commit there's
> > > > +       if (iov_iter_type(from) != ITER_IOVEC)
> > > > +               return -EFAULT;
> > > > 
> > > > shortly prior to the loop iter_iov_{addr,len}() are used.  What am I missing now?
> > > 
> > > Yeah, I want to remove that part as well:
> > > 
> > > https://lore.kernel.org/netdev/20250516225441.527020-1-stfomichev@gmail.com/T/#u
> > > 
> > > Otherwise, sendmsg() with a single IOV is not accepted, which makes not
> > > sense.
> > 
> > Wait a minute.  What's there to prevent a call with two ranges far from each other?
> 
> It is perfectly possible to have a call with two disjoint ranges,
> net_devmem_get_niov_at should correctly resolve it to the IOVA in the
> dmabuf. Not sure I understand why it's an issue, can you pls clarify?

Er...  OK, the following is given an from with two iovecs.

	while (length && iov_iter_count(from)) {
		if (i == MAX_SKB_FRAGS)
			return -EMSGSIZE;

		virt_addr = (size_t)iter_iov_addr(from);

OK, that's iov_base of the first one.

		niov = net_devmem_get_niov_at(binding, virt_addr, &off, &size);
		if (!niov)
			return -EFAULT;
Whatever it does, it does *NOT* see iov_len of the first iovec.  Looks like
it tries to set something up, storing the length of what it had set up
into size

		size = min_t(size_t, size, length);
... no more than length, OK.  Suppose length is considerably more than iov_len
of the first iovec.

		size = min_t(size_t, size, iter_iov_len(from));
... now trim it down to iov_len of that sucker.  That's what you want to remove,
right?  What happens if iov_len is shorter than what we have in size?

		get_netmem(net_iov_to_netmem(niov));
		skb_add_rx_frag_netmem(skb, i, net_iov_to_netmem(niov), off,
				      size, PAGE_SIZE);
Still not looking at that iov_len...

		iov_iter_advance(from, size);
... and now that you've removed the second min_t, size happens to be greater
than that iovec[0].iov_len.  So we advance into the second iovec, skipping
size - iovec[0].iov_len bytes after iovev[1].iov_base.
		length -= size;
		i++;
	}
... and proceed into the second iteration.

Would you agree that behaviour ought to depend upon the iovec[0].iov_len?
If nothing else, it affects which data do you want to be sent, and I don't
see where would anything even look at that value with your change...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ