| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aCgQwfyQqkD2AUSs@mini-arch>
Date: Fri, 16 May 2025 21:29:53 -0700
From: Stanislav Fomichev <stfomichev@...il.com>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: netdev@...r.kernel.org, davem@...emloft.net, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, horms@...nel.org,
willemb@...gle.com, sagi@...mberg.me, asml.silence@...il.com,
almasrymina@...gle.com, kaiyuanz@...gle.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next] net: devmem: remove min_t(iter_iov_len) in
sendmsg
On 05/17, Al Viro wrote:
> On Fri, May 16, 2025 at 08:53:09PM -0700, Stanislav Fomichev wrote:
> > On 05/17, Al Viro wrote:
> > > On Fri, May 16, 2025 at 07:17:23PM -0700, Stanislav Fomichev wrote:
> > > > > Wait, in the same commit there's
> > > > > + if (iov_iter_type(from) != ITER_IOVEC)
> > > > > + return -EFAULT;
> > > > >
> > > > > shortly prior to the loop iter_iov_{addr,len}() are used. What am I missing now?
> > > >
> > > > Yeah, I want to remove that part as well:
> > > >
> > > > https://lore.kernel.org/netdev/20250516225441.527020-1-stfomichev@gmail.com/T/#u
> > > >
> > > > Otherwise, sendmsg() with a single IOV is not accepted, which makes not
> > > > sense.
> > >
> > > Wait a minute. What's there to prevent a call with two ranges far from each other?
> >
> > It is perfectly possible to have a call with two disjoint ranges,
> > net_devmem_get_niov_at should correctly resolve it to the IOVA in the
> > dmabuf. Not sure I understand why it's an issue, can you pls clarify?
>
> Er... OK, the following is given an from with two iovecs.
>
> while (length && iov_iter_count(from)) {
> if (i == MAX_SKB_FRAGS)
> return -EMSGSIZE;
>
> virt_addr = (size_t)iter_iov_addr(from);
>
> OK, that's iov_base of the first one.
>
> niov = net_devmem_get_niov_at(binding, virt_addr, &off, &size);
> if (!niov)
> return -EFAULT;
> Whatever it does, it does *NOT* see iov_len of the first iovec. Looks like
> it tries to set something up, storing the length of what it had set up
> into size
>
> size = min_t(size_t, size, length);
> ... no more than length, OK. Suppose length is considerably more than iov_len
> of the first iovec.
>
> size = min_t(size_t, size, iter_iov_len(from));
> ... now trim it down to iov_len of that sucker. That's what you want to remove,
> right? What happens if iov_len is shorter than what we have in size?
>
> get_netmem(net_iov_to_netmem(niov));
> skb_add_rx_frag_netmem(skb, i, net_iov_to_netmem(niov), off,
> size, PAGE_SIZE);
> Still not looking at that iov_len...
>
> iov_iter_advance(from, size);
> ... and now that you've removed the second min_t, size happens to be greater
> than that iovec[0].iov_len. So we advance into the second iovec, skipping
> size - iovec[0].iov_len bytes after iovev[1].iov_base.
> length -= size;
> i++;
> }
> ... and proceed into the second iteration.
>
> Would you agree that behaviour ought to depend upon the iovec[0].iov_len?
> If nothing else, it affects which data do you want to be sent, and I don't
> see where would anything even look at that value with your change...
Yes, I think you have a point. I was thinking that net_devmem_get_niov_at
will expose max size of the chunk, but I agree that the iov might have
requested smaller part and it will bug out in case of multiple chunks...
Are you open to making iter_iov_len more ubuf friendly? Something like
the following:
static inline size_t iter_iov_len(const struct iov_iter *i)
{
if (iter->iter_type == ITER_UBUF)
return ni->count;
return iter_iov(i)->iov_len - i->iov_offset;
}
Or should I handle the iter_type here?
if (iter->iter_type == ITER_IOVEC)
size = min_t(size_t, size, iter_iov_len(from));
/* else
I don think I need to clamp to iov_iter_count() because length
should take care of it */
Powered by blists - more mailing lists