lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Tue, 13 Dec 2022 09:50:30 +0100
From:   Lorenzo Bianconi <>
To:     Vladimir Oltean <>
Cc:     Lorenzo Bianconi <>,,,,,,
Subject: Re: [PATCH v3 net-next 0/2] enetc: unlock XDP_REDIRECT for XDP

> On Mon, Dec 12, 2022 at 10:15:31PM +0100, Lorenzo Bianconi wrote:
> > Hi Vladimir,
> > 
> > thx for testing. If we perform XDP_REDIRECT with SG XDP frames, the devmap
> > code will always return an error and the driver is responsible to free the
> > pending pages. Looking at the code, can the issue be the following?
> > 
> > - enetc_flip_rx_buff() will unmap the page and set rx_swbd->page = NULL if
> >   the page is not reusable.
> > - enetc_xdp_free() will not be able to free the page since rx_swbd->page is
> >   NULL.
> > 
> > What do you think? I am wondering if we have a similar issue for 'linear' XDP
> > buffer as well when xdp_do_redirect() returns an error. What do you think?
> A bit more complicated, but that's the gist, yes. Thanks for the hint.
> I was quite sure that this situation does not lead to a leak, because
> even though rx_swbd->page becomes NULL, the reference to it is not lost.
> But wrong I was. Not sure if you pointed out the condition where the
> page is not reusable because that's the only part that's problematic,
> or because you simply didn't notice that enetc_put_rx_buff() makes
> rx_swbd->page = NULL too. In any case, it's normally quite rare for a
> page to not be reusable, yet in this case, the way in which the page
> becomes non reusable is the key to the bug.
> Anyway, I've tested your patch set again with that fixed, and also
> submitted the fix here:
> It works as it should now. And yes, the issue should also be
> reproducible with single buffer XDP, if we redirect to a devmap which
> doesn't implement ndo_xdp_xmit or is down, for example.

ack, cool now it is fixed. I will repost the series when net-next is open
adding your tested-by.


Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists