Date:   Tue, 13 Dec 2022 02:30:41 +0200
From:   Vladimir Oltean <>
To:     Lorenzo Bianconi <>
Cc:     Lorenzo Bianconi <>
Subject: Re: [PATCH v3 net-next 0/2] enetc: unlock XDP_REDIRECT for XDP

On Mon, Dec 12, 2022 at 10:15:31PM +0100, Lorenzo Bianconi wrote:
> Hi Vladimir,
> thx for testing. If we perform XDP_REDIRECT with SG XDP frames, the devmap
> code will always return an error and the driver is responsible to free the
> pending pages. Looking at the code, can the issue be the following?
> - enetc_flip_rx_buff() will unmap the page and set rx_swbd->page = NULL if
>   the page is not reusable.
> - enetc_xdp_free() will not be able to free the page since rx_swbd->page is
>   NULL.
> What do you think? I am wondering if we have a similar issue for 'linear' XDP
> buffer as well when xdp_do_redirect() returns an error. What do you think?

A bit more complicated, but that's the gist, yes. Thanks for the hint.
I was quite sure that this situation does not lead to a leak, because
even though rx_swbd->page becomes NULL, the reference to it is not lost.
But wrong I was. Not sure if you pointed out the condition where the
page is not reusable because that's the only part that's problematic,
or because you simply didn't notice that enetc_put_rx_buff() makes
rx_swbd->page = NULL too. In any case, it's normally quite rare for a
page to not be reusable, yet in this case, the way in which the page
becomes non-reusable is the key to the bug.

Anyway, I've tested your patch set again with that fixed, and also
submitted the fix here:

It works as it should now. And yes, the issue should also be
reproducible with single buffer XDP, if we redirect to a devmap which
doesn't implement ndo_xdp_xmit or is down, for example.
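
The ownership problem discussed in this message, as an added example that is not part of the original e-mail and is not enetc driver code: a toy model in which an error-path free that only inspects the ring slots misses pages whose slot pointer was already cleared. All names (`slot_release`, `ring_free`, `redirect`, `leaked_pages`) are hypothetical, the failing redirect is constructed, and the "release after" ordering is an assumption used for contrast, not the fix submitted in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#define RING 8
/* Toy model, not enetc code: pages live in a static pool so leaks can be counted. */
struct page { bool live; };
struct rx_swbd { struct page *page; };      /* one software descriptor per ring slot */
static struct page pool[RING];

/* Models the put/flip step: the slot drops its pointer, the frame keeps the page. */
static struct page *slot_release(struct rx_swbd *s)
{
    struct page *p = s->page;
    s->page = NULL;
    return p;
}

/* Models an error-path free that only looks at the ring slots. */
static void ring_free(struct rx_swbd *ring, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ring[i].page) {
            ring[i].page->live = false;
            ring[i].page = NULL;
        }
}

/* Constructed failure: stands in for a redirect target that rejects the frame. */
static int redirect(struct page **frags, size_t n) { (void)frags; (void)n; return -1; }

/* Receive one n-buffer frame, fail the redirect, return how many pages stay live. */
int leaked_pages(bool release_before_redirect, size_t n)
{
    struct rx_swbd ring[RING] = {{0}};
    struct page *frags[RING];
    int leaked = 0;
    if (n > RING) n = RING;
    for (size_t i = 0; i < n; i++) {
        pool[i].live = true;                /* page handed to the ring slot */
        ring[i].page = &pool[i];
        frags[i] = release_before_redirect ? slot_release(&ring[i]) : ring[i].page;
    }
    if (redirect(frags, n) < 0)
        ring_free(ring, n);                 /* finds only NULL slots if already released */
    for (size_t i = 0; i < n; i++)
        leaked += pool[i].live;
    return leaked;
}

int main(void) { return leaked_pages(true, 3) == 3 && leaked_pages(false, 3) == 0 ? 0 : 1; }
```

The single-buffer case (`n = 1`) leaks in the same way in this model, matching the remark above that the issue is not specific to multi-buffer frames.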
