| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87y1nh5f8k.fsf@cloudflare.com>
Date: Tue, 28 Mar 2023 12:42:14 +0200
From: Jakub Sitnicki <jakub@...udflare.com>
To: John Fastabend <john.fastabend@...il.com>
Cc: cong.wang@...edance.com, daniel@...earbox.net, lmb@...valent.com,
edumazet@...gle.com, bpf@...r.kernel.org, netdev@...r.kernel.org,
ast@...nel.org, andrii@...nel.org, will@...valent.com
Subject: Re: [PATCH bpf v2 01/12] bpf: sockmap, pass skb ownership through
read_skb
On Mon, Mar 27, 2023 at 10:54 AM -07, John Fastabend wrote:
> The read_skb hook calls consume_skb() now, but this means that if the
> recv_actor program wants to use the skb it needs to inc the ref cnt
> so that the consume_skb() doesn't kfree the sk_buff.
>
> This is problematic because in some error cases under memory pressure
> we may need to linearize the sk_buff from sk_psock_skb_ingress_enqueue().
> Then we get this,
>
> skb_linearize()
> __pskb_pull_tail()
> pskb_expand_head()
> BUG_ON(skb_shared(skb))
>
> Because we incremented users refcnt from sk_psock_verdict_recv() we
> hit the bug on with refcnt > 1 and trip it.
>
> To fix lets simply pass ownership of the sk_buff through the skb_read
> call. Then we can drop the consume from read_skb handlers and assume
> the verdict recv does any required kfree.
>
> Bug found while testing in our CI which runs in VMs that hit memory
> constraints rather regularly. William tested TCP read_skb handlers.
>
> [ 106.536188] ------------[ cut here ]------------
> [ 106.536197] kernel BUG at net/core/skbuff.c:1693!
> [ 106.536479] invalid opcode: 0000 [#1] PREEMPT SMP PTI
> [ 106.536726] CPU: 3 PID: 1495 Comm: curl Not tainted 5.19.0-rc5 #1
> [ 106.537023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.16.0-1 04/01/2014
> [ 106.537467] RIP: 0010:pskb_expand_head+0x269/0x330
> [ 106.538585] RSP: 0018:ffffc90000138b68 EFLAGS: 00010202
> [ 106.538839] RAX: 000000000000003f RBX: ffff8881048940e8 RCX: 0000000000000a20
> [ 106.539186] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff8881048940e8
> [ 106.539529] RBP: ffffc90000138be8 R08: 00000000e161fd1a R09: 0000000000000000
> [ 106.539877] R10: 0000000000000018 R11: 0000000000000000 R12: ffff8881048940e8
> [ 106.540222] R13: 0000000000000003 R14: 0000000000000000 R15: ffff8881048940e8
> [ 106.540568] FS: 00007f277dde9f00(0000) GS:ffff88813bd80000(0000) knlGS:0000000000000000
> [ 106.540954] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 106.541227] CR2: 00007f277eeede64 CR3: 000000000ad3e000 CR4: 00000000000006e0
> [ 106.541569] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 106.541915] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 106.542255] Call Trace:
> [ 106.542383] <IRQ>
> [ 106.542487] __pskb_pull_tail+0x4b/0x3e0
> [ 106.542681] skb_ensure_writable+0x85/0xa0
> [ 106.542882] sk_skb_pull_data+0x18/0x20
> [ 106.543084] bpf_prog_b517a65a242018b0_bpf_skskb_http_verdict+0x3a9/0x4aa9
> [ 106.543536] ? migrate_disable+0x66/0x80
> [ 106.543871] sk_psock_verdict_recv+0xe2/0x310
> [ 106.544258] ? sk_psock_write_space+0x1f0/0x1f0
> [ 106.544561] tcp_read_skb+0x7b/0x120
> [ 106.544740] tcp_data_queue+0x904/0xee0
> [ 106.544931] tcp_rcv_established+0x212/0x7c0
> [ 106.545142] tcp_v4_do_rcv+0x174/0x2a0
> [ 106.545326] tcp_v4_rcv+0xe70/0xf60
> [ 106.545500] ip_protocol_deliver_rcu+0x48/0x290
> [ 106.545744] ip_local_deliver_finish+0xa7/0x150
>
> Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()")
> Reported-by: William Findlay <will@...valent.com>
> Tested-by: William Findlay <will@...valent.com>
> Signed-off-by: John Fastabend <john.fastabend@...il.com>
> ---
Reviewed-by: Jakub Sitnicki <jakub@...udflare.com>
Powered by blists - more mailing lists