Date: Tue, 13 Dec 2022 02:30:41 +0200
From: Vladimir Oltean <vladimir.oltean@....com>
To: Lorenzo Bianconi <lorenzo.bianconi@...hat.com>
Cc: Lorenzo Bianconi <lorenzo@...nel.org>, netdev@...r.kernel.org, claudiu.manoil@....com, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com
Subject: Re: [PATCH v3 net-next 0/2] enetc: unlock XDP_REDIRECT for XDP non-linear

On Mon, Dec 12, 2022 at 10:15:31PM +0100, Lorenzo Bianconi wrote:
> Hi Vladimir,
>
> thx for testing. If we perform XDP_REDIRECT with SG XDP frames, the devmap
> code will always return an error and the driver is responsible to free the
> pending pages. Looking at the code, can the issue be the following?
>
> - enetc_flip_rx_buff() will unmap the page and set rx_swbd->page = NULL if
>   the page is not reusable.
> - enetc_xdp_free() will not be able to free the page since rx_swbd->page is
>   NULL.
>
> What do you think? I am wondering if we have a similar issue for 'linear' XDP
> buffer as well when xdp_do_redirect() returns an error. What do you think?

A bit more complicated, but that's the gist, yes. Thanks for the hint.

I was quite sure that this situation does not lead to a leak, because even though rx_swbd->page becomes NULL, the reference to it is not lost. But wrong I was.

Not sure if you pointed out the condition where the page is not reusable because that's the only part that's problematic, or because you simply didn't notice that enetc_put_rx_buff() makes rx_swbd->page = NULL too. In any case, it's normally quite rare for a page to not be reusable, yet in this case, the way in which the page becomes non reusable is the key to the bug.

Anyway, I've tested your patch set again with that fixed, and also submitted the fix here:
https://patchwork.kernel.org/project/netdevbpf/patch/20221213001908.2347046-1-vladimir.oltean@nxp.com/

It works as it should now.

And yes, the issue should also be reproducible with single buffer XDP, if we redirect to a devmap which doesn't implement ndo_xdp_xmit or is down, for example.
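The leak pattern discussed in this message, reduced to a user-space toy model. This is an added example, not enetc driver code and not the fix from the linked patch: `struct slot`, `detach_for_redirect()`, `free_from_slot()` and the `free_by_handle` variant are hypothetical names, and page refcounting and DMA unmapping are left out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define RING 4

/* Toy stand-in for an RX software descriptor: one page pointer per slot. */
struct slot { void *page; };

static int live_pages;                 /* pages allocated and not yet freed */

static void *page_alloc(void) { live_pages++; return malloc(64); }
static void page_free(void *p) { if (p) { live_pages--; free(p); } }

/* Hand the buffer to the redirect path. A reusable page stays recorded in
 * the slot; a non-reusable one is detached, so the slot forgets it. */
static void *detach_for_redirect(struct slot *s, bool reusable)
{
    void *p = s->page;
    if (!reusable)
        s->page = NULL;
    return p;
}

/* Error path that trusts the slot: a cleared slot looks like "nothing to free". */
static void free_from_slot(struct slot *s)
{
    page_free(s->page);
    s->page = NULL;
}

/* Every redirect fails; return how many pages are still allocated afterwards. */
int leaked_after_failed_redirect(bool reusable, bool free_by_handle)
{
    struct slot ring[RING];

    live_pages = 0;
    for (int i = 0; i < RING; i++)
        ring[i].page = page_alloc();
    for (int i = 0; i < RING; i++) {
        void *p = detach_for_redirect(&ring[i], reusable);
        /* Redirect returned an error here: the driver owns the page again. */
        if (free_by_handle) { page_free(p); ring[i].page = NULL; }
        else free_from_slot(&ring[i]);
    }
    return live_pages;
}

int main(void)
{
    printf("reusable, slot-based free:      %d leaked\n", leaked_after_failed_redirect(true, false));
    printf("non-reusable, slot-based free:  %d leaked\n", leaked_after_failed_redirect(false, false));
    printf("non-reusable, free kept handle: %d leaked\n", leaked_after_failed_redirect(false, true));
    return 0;
}
```

Only the combination of a detached page and a cleanup routine that consults the cleared slot loses memory, which is why the leak stays hidden while pages remain reusable.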