Message ID | 20230801220710.464-1-andrew.kanner@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [v4,1/2] drivers: net: prevent tun_build_skb() to exceed the packet size limit | expand |
On 8/1/23 4:07 PM, Andrew Kanner wrote: > @@ -1594,7 +1597,13 @@ static bool tun_can_build_skb(struct tun_struct *tun, struct tun_file *tfile, > if (zerocopy) > return false; > > - if (SKB_DATA_ALIGN(len + TUN_RX_PAD) + > + rcu_read_lock(); > + xdp_prog = rcu_dereference(tun->xdp_prog); > + if (xdp_prog) > + pad += XDP_PACKET_HEADROOM; > + rcu_read_unlock(); since you do not care about the actual xdp_prog (only that one is set) I believe you can use rcu_access_pointer here.
On Tue, Aug 01, 2023 at 07:07:39PM -0600, David Ahern wrote: > On 8/1/23 4:07 PM, Andrew Kanner wrote: > > @@ -1594,7 +1597,13 @@ static bool tun_can_build_skb(struct tun_struct *tun, struct tun_file *tfile, > > if (zerocopy) > > return false; > > > > - if (SKB_DATA_ALIGN(len + TUN_RX_PAD) + > > + rcu_read_lock(); > > + xdp_prog = rcu_dereference(tun->xdp_prog); > > + if (xdp_prog) > > + pad += XDP_PACKET_HEADROOM; > > + rcu_read_unlock(); > > > since you do not care about the actual xdp_prog (only that one is set) I > believe you can use rcu_access_pointer here. Good point. Thanks, David. I'll resend both as v5. The correct cc-list for PATCH 2/2 is also needed. It fixes net/core/filter.c instead of drivers/net/tun.c now. pw-bot: changes-requested
On 02/08/2023 00.07, Andrew Kanner wrote: > Using the syzkaller repro with reduced packet size it was discovered > that XDP_PACKET_HEADROOM is not checked in tun_can_build_skb(), > although pad may be incremented in tun_build_skb(). This may end up > with exceeding the PAGE_SIZE limit in tun_build_skb(). > > Fixes: 7df13219d757 ("tun: reserve extra headroom only when XDP is set") > Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a > Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com> > --- > > Notes: > v3 -> v4: > * fall back to v1, fixing only missing XDP_PACKET_HEADROOM in pad and > removing bpf_xdp_adjust_tail() check for frame_sz. > * added rcu read lock, noted by Jason Wang <jasowang@redhat.com> in v1 > * I decided to leave the packet length check in tun_can_build_skb() > instead of moving to tun_build_skb() suggested by Jason Wang > <jasowang@redhat.com>. Otherwise extra packets will be dropped > without falling back to tun_alloc_skb(). And in the discussion of v3 > Jesper Dangaard Brouer <jbrouer@redhat.com> noticed that XDP is ok > with a higher order pages if it's a contiguous physical memory > allocation, so falling to tun_alloc_skb() -> do_xdp_generic() should > be ok. > > v2 -> v3: > * attach the forgotten changelog > > v1 -> v2: > * merged 2 patches in 1, fixing both issues: WARN_ON_ONCE with > syzkaller repro and missing XDP_PACKET_HEADROOM in pad > * changed the title and description of the execution path, suggested > by Jason Wang <jasowang@redhat.com> > * move the limit check from tun_can_build_skb() to tun_build_skb() to > remove duplication and locking issue, and also drop the packet in > case of a failed check - noted by Jason Wang <jasowang@redhat.com> > > drivers/net/tun.c | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/tun.c b/drivers/net/tun.c > index d75456adc62a..a1d04bc9485f 100644 > --- a/drivers/net/tun.c > +++ b/drivers/net/tun.c > @@ -1582,6 +1582,9 @@ static void tun_rx_batched(struct tun_struct *tun, struct tun_file *tfile, > static bool tun_can_build_skb(struct tun_struct *tun, struct tun_file *tfile, > int len, int noblock, bool zerocopy) > { > + struct bpf_prog *xdp_prog; > + int pad = TUN_RX_PAD; > + > if ((tun->flags & TUN_TYPE_MASK) != IFF_TAP) > return false; > > @@ -1594,7 +1597,13 @@ static bool tun_can_build_skb(struct tun_struct *tun, struct tun_file *tfile, > if (zerocopy) > return false; > > - if (SKB_DATA_ALIGN(len + TUN_RX_PAD) + > + rcu_read_lock(); > + xdp_prog = rcu_dereference(tun->xdp_prog); > + if (xdp_prog) > + pad += XDP_PACKET_HEADROOM; > + rcu_read_unlock(); > + Isolated seen, I guess, this is a correct fix to 7df13219d757. > + if (SKB_DATA_ALIGN(len + pad) + > SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE) > return false; > Question to Jason Wang: Why fall back (to e.g. tun_alloc_skb()) when size is above PAGE_SIZE? AFAIK tun_build_skb() *can* create get larger packets than PAGE_SIZE from it's page_frag. Is there a reason for this limitation? (To Andrew, I assume a change in this area is another patch). --Jesper
On Wed, Aug 2, 2023 at 10:14 PM Jesper Dangaard Brouer <hawk@kernel.org> wrote: > > > > On 02/08/2023 00.07, Andrew Kanner wrote: > > Using the syzkaller repro with reduced packet size it was discovered > > that XDP_PACKET_HEADROOM is not checked in tun_can_build_skb(), > > although pad may be incremented in tun_build_skb(). This may end up > > with exceeding the PAGE_SIZE limit in tun_build_skb(). > > > > Fixes: 7df13219d757 ("tun: reserve extra headroom only when XDP is set") > > Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a > > Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com> > > --- > > > > Notes: > > v3 -> v4: > > * fall back to v1, fixing only missing XDP_PACKET_HEADROOM in pad and > > removing bpf_xdp_adjust_tail() check for frame_sz. > > * added rcu read lock, noted by Jason Wang <jasowang@redhat.com> in v1 > > * I decided to leave the packet length check in tun_can_build_skb() > > instead of moving to tun_build_skb() suggested by Jason Wang > > <jasowang@redhat.com>. Otherwise extra packets will be dropped > > without falling back to tun_alloc_skb(). And in the discussion of v3 > > Jesper Dangaard Brouer <jbrouer@redhat.com> noticed that XDP is ok > > with a higher order pages if it's a contiguous physical memory > > allocation, so falling to tun_alloc_skb() -> do_xdp_generic() should > > be ok. > > > > v2 -> v3: > > * attach the forgotten changelog > > > > v1 -> v2: > > * merged 2 patches in 1, fixing both issues: WARN_ON_ONCE with > > syzkaller repro and missing XDP_PACKET_HEADROOM in pad > > * changed the title and description of the execution path, suggested > > by Jason Wang <jasowang@redhat.com> > > * move the limit check from tun_can_build_skb() to tun_build_skb() to > > remove duplication and locking issue, and also drop the packet in > > case of a failed check - noted by Jason Wang <jasowang@redhat.com> > > > > drivers/net/tun.c | 11 ++++++++++- > > 1 file changed, 10 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/net/tun.c b/drivers/net/tun.c > > index d75456adc62a..a1d04bc9485f 100644 > > --- a/drivers/net/tun.c > > +++ b/drivers/net/tun.c > > @@ -1582,6 +1582,9 @@ static void tun_rx_batched(struct tun_struct *tun, struct tun_file *tfile, > > static bool tun_can_build_skb(struct tun_struct *tun, struct tun_file *tfile, > > int len, int noblock, bool zerocopy) > > { > > + struct bpf_prog *xdp_prog; > > + int pad = TUN_RX_PAD; > > + > > if ((tun->flags & TUN_TYPE_MASK) != IFF_TAP) > > return false; > > > > @@ -1594,7 +1597,13 @@ static bool tun_can_build_skb(struct tun_struct *tun, struct tun_file *tfile, > > if (zerocopy) > > return false; > > > > - if (SKB_DATA_ALIGN(len + TUN_RX_PAD) + > > + rcu_read_lock(); > > + xdp_prog = rcu_dereference(tun->xdp_prog); > > + if (xdp_prog) > > + pad += XDP_PACKET_HEADROOM; > > + rcu_read_unlock(); > > + > > Isolated seen, I guess, this is a correct fix to 7df13219d757. I think so. Actually, I think we can probably always count XDP_PACKET_HEADROOM here. Since there's a window that XDP program might be attached in the middle of tun_can_build_skb() and tun_build_skb(). > > > + if (SKB_DATA_ALIGN(len + pad) + > > SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE) > > return false; > > > > Question to Jason Wang: > Why fall back (to e.g. tun_alloc_skb()) when size is above PAGE_SIZE? > > AFAIK tun_build_skb() *can* create get larger packets than PAGE_SIZE > from it's page_frag. Is there a reason for this limitation? I couldn't recall but I think we can relax. Thanks > > (To Andrew, I assume a change in this area is another patch). > > --Jesper > > >
On Thu, Aug 03, 2023 at 11:19:47AM +0800, Jason Wang wrote: > > > @@ -1594,7 +1597,13 @@ static bool tun_can_build_skb(struct tun_struct *tun, struct tun_file *tfile, > > > if (zerocopy) > > > return false; > > > > > > - if (SKB_DATA_ALIGN(len + TUN_RX_PAD) + > > > + rcu_read_lock(); > > > + xdp_prog = rcu_dereference(tun->xdp_prog); > > > + if (xdp_prog) > > > + pad += XDP_PACKET_HEADROOM; > > > + rcu_read_unlock(); > > > + > > > > Isolated seen, I guess, this is a correct fix to 7df13219d757. > > I think so. > > Actually, I think we can probably always count XDP_PACKET_HEADROOM > here. Since there's a window that XDP program might be attached in the > middle of tun_can_build_skb() and tun_build_skb(). Thanks, that makes sense. I will do it in v5. > > Question to Jason Wang: > > Why fall back (to e.g. tun_alloc_skb()) when size is above PAGE_SIZE? > > > > AFAIK tun_build_skb() *can* create get larger packets than PAGE_SIZE > > from it's page_frag. Is there a reason for this limitation? > > I couldn't recall but I think we can relax. Jesper already sent enough info for this idea in v2, I will use it for the next patch/series. Jesper, I will add this tag for this next patch/series if you don't mind: Suggested-by: Jesper Dangaard Brouer <hawk@kernel.org>
On 03/08/2023 19.53, Andrew Kanner wrote: >>> Question to Jason Wang: >>> Why fall back (to e.g. tun_alloc_skb()) when size is above PAGE_SIZE? >>> >>> AFAIK tun_build_skb()*can* create get larger packets than PAGE_SIZE >>> from it's page_frag. Is there a reason for this limitation? >> >> I couldn't recall but I think we can relax. > > Jesper already sent enough info for this idea in v2, I will use it for > the next patch/series. > I have some more input and considerations when selecting the new constant that replace PAGE_SIZE. Lets see if Eric Dumazet or Alex Duyck disagree? ("inventors" of page_frag scheme) The function tun_alloc_skb() uses a page_frag scheme for allocation. The maximim size is 32768 bytes (Order-3), but using something that is close to this max alloc size can cause memory waste and fragmentation. My suggestion would be to use the constant SKB_MAX_ALLOC (16KiB). Maybe Eric or Alex would recommend using something smaller? (e.g. 8192) page_frag limit comes from: #define SKB_FRAG_PAGE_ORDER get_order(32768) > Jesper, I will add this tag for this next patch/series if you don't > mind: > Suggested-by: Jesper Dangaard Brouer <hawk@kernel.org> ACK
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index d75456adc62a..a1d04bc9485f 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -1582,6 +1582,9 @@ static void tun_rx_batched(struct tun_struct *tun, struct tun_file *tfile, static bool tun_can_build_skb(struct tun_struct *tun, struct tun_file *tfile, int len, int noblock, bool zerocopy) { + struct bpf_prog *xdp_prog; + int pad = TUN_RX_PAD; + if ((tun->flags & TUN_TYPE_MASK) != IFF_TAP) return false; @@ -1594,7 +1597,13 @@ static bool tun_can_build_skb(struct tun_struct *tun, struct tun_file *tfile, if (zerocopy) return false; - if (SKB_DATA_ALIGN(len + TUN_RX_PAD) + + rcu_read_lock(); + xdp_prog = rcu_dereference(tun->xdp_prog); + if (xdp_prog) + pad += XDP_PACKET_HEADROOM; + rcu_read_unlock(); + + if (SKB_DATA_ALIGN(len + pad) + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE) return false;
Using the syzkaller repro with reduced packet size it was discovered that XDP_PACKET_HEADROOM is not checked in tun_can_build_skb(), although pad may be incremented in tun_build_skb(). This may end up with exceeding the PAGE_SIZE limit in tun_build_skb(). Fixes: 7df13219d757 ("tun: reserve extra headroom only when XDP is set") Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com> --- Notes: v3 -> v4: * fall back to v1, fixing only missing XDP_PACKET_HEADROOM in pad and removing bpf_xdp_adjust_tail() check for frame_sz. * added rcu read lock, noted by Jason Wang <jasowang@redhat.com> in v1 * I decided to leave the packet length check in tun_can_build_skb() instead of moving to tun_build_skb() suggested by Jason Wang <jasowang@redhat.com>. Otherwise extra packets will be dropped without falling back to tun_alloc_skb(). And in the discussion of v3 Jesper Dangaard Brouer <jbrouer@redhat.com> noticed that XDP is ok with a higher order pages if it's a contiguous physical memory allocation, so falling to tun_alloc_skb() -> do_xdp_generic() should be ok. v2 -> v3: * attach the forgotten changelog v1 -> v2: * merged 2 patches in 1, fixing both issues: WARN_ON_ONCE with syzkaller repro and missing XDP_PACKET_HEADROOM in pad * changed the title and description of the execution path, suggested by Jason Wang <jasowang@redhat.com> * move the limit check from tun_can_build_skb() to tun_build_skb() to remove duplication and locking issue, and also drop the packet in case of a failed check - noted by Jason Wang <jasowang@redhat.com> drivers/net/tun.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)