| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7e73b2ee-45be-42d7-a1f4-9e573448051d@suse.com>
Date: Thu, 17 Apr 2025 15:22:35 +0200
From: Jürgen Groß <jgross@...e.com>
To: Alexey <sdl@...ct.ru>, Jakub Kicinski <kuba@...nel.org>
Cc: Stefano Stabellini <sstabellini@...nel.org>,
Oleksandr Tyshchenko <oleksandr_tyshchenko@...m.com>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>, Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Jesper Dangaard Brouer <hawk@...nel.org>,
John Fastabend <john.fastabend@...il.com>, xen-devel@...ts.xenproject.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org, bpf@...r.kernel.org,
lvc-project@...uxtesting.org, stable@...r.kernel.org
Subject: Re: [PATCH] xen-netfront: handle NULL returned by
xdp_convert_buff_to_frame()
On 17.04.25 13:19, Alexey wrote:
>
> On 17.04.2025 13:23, Jürgen Groß wrote:
>> On 17.04.25 12:06, Alexey wrote:
>>>
>>> On 17.04.2025 11:51, Juergen Gross wrote:
>>>> On 17.04.25 10:45, Alexey wrote:
>>>>>
>>>>> On 17.04.2025 10:12, Jürgen Groß wrote:
>>>>>> On 17.04.25 09:00, Alexey wrote:
>>>>>>>
>>>>>>> On 17.04.2025 03:58, Jakub Kicinski wrote:
>>>>>>>> On Mon, 14 Apr 2025 18:34:01 +0000 Alexey Nepomnyashih wrote:
>>>>>>>>> get_page(pdata);
>>>>>>>> Please notice this get_page() here.
>>>>>>>>
>>>>>>>>> xdpf = xdp_convert_buff_to_frame(xdp);
>>>>>>>>> + if (unlikely(!xdpf)) {
>>>>>>>>> + trace_xdp_exception(queue->info->netdev, prog, act);
>>>>>>>>> + break;
>>>>>>>>> + }
>>>>>>> Do you mean that it would be better to move the get_page(pdata) call lower,
>>>>>>> after checking for NULL in xdpf, so that the reference count is only
>>>>>>> increased
>>>>>>> after a successful conversion?
>>>>>>
>>>>>> I think the error handling here is generally broken (or at least very
>>>>>> questionable).
>>>>>>
>>>>>> I suspect that in case of at least some errors the get_page() is leaking
>>>>>> even without this new patch.
>>>>>>
>>>>>> In case I'm wrong a comment reasoning why there is no leak should be
>>>>>> added.
>>>>>>
>>>>>>
>>>>>> Juergen
>>>>>
>>>>> I think pdata is freed in xdp_return_frame_rx_napi() -> __xdp_return()
>>>>
>>>> Agreed. But what if xennet_xdp_xmit() returns an error < 0?
>>>>
>>>> In this case xdp_return_frame_rx_napi() won't be called.
>>>>
>>>>
>>>> Juergen
>>>
>>> Agreed. There is no explicit freed pdata in the calling function
>>> xennet_get_responses(). Without this, the page referenced by pdata
>>> could be leaked.
>>>
>>> I suggest:
>>
>> Could you please merge the two if () blocks, as they share the
>> call of xdp_return_frame_rx_napi() now? Something like:
>>
>> if (unlikely(err <= 0)) {
>> if (err < 0)
>> trace_xdp_exception(queue->info->netdev, prog, act);
>> xdp_return_frame_rx_napi(xdpf);
>> }
>>
>> Juergen
>>
>> P.S.: please don't use HTML in emails
>
> I can't do this because xennet_xdp_xmit() can return a value > 0
Yes, this is what the "if (unlikely(err <= 0))" is for.
Juergen
Download attachment "OpenPGP_0xB0DE9DD628BF132F.asc" of type "application/pgp-keys" (3684 bytes)
Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (496 bytes)
Powered by blists - more mailing lists