From: Florian Westphal <fw@strlen.de>
To: Xin Long <lucien.xin@gmail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
network dev <netdev@vger.kernel.org>, davem <davem@davemloft.net>,
Paolo Abeni <pabeni@redhat.com>, Florian Westphal <fw@strlen.de>
Subject: Re: [PATCH net] udp: fix a skb extensions leak
Date: Mon, 30 Mar 2020 18:13:36 +0200 [thread overview]
Message-ID: <20200330161336.GD23604@breakpoint.cc> (raw)
In-Reply-To: <CADvbK_egz4aYOHa2+FPL6V+vXcfRGst6zEiUxqskpHc3fOk-oA@mail.gmail.com>
Xin Long <lucien.xin@gmail.com> wrote:
> On Mon, Mar 30, 2020 at 4:29 PM Steffen Klassert
> <steffen.klassert@secunet.com> wrote:
> >
> > On Thu, Mar 26, 2020 at 05:06:25PM +0800, Xin Long wrote:
> > > On udp rx path udp_rcv_segment() may do segment where the frag skbs
> > > will get the header copied from the head skb in skb_segment_list()
> > > by calling __copy_skb_header(), which could overwrite the frag skbs'
> > > extensions by __skb_ext_copy() and cause a leak.
> > >
> > > This issue was found after loading esp_offload where a sec path ext
> > > is set in the skb.
> > >
> > > On udp tx gso path, it works well as the frag skbs' extensions are
> > > not set. So this issue should be fixed on udp's rx path only and
> > > release the frag skbs' extensions before going to do segment.
> >
> > Are you sure that this affects only the RX path? What if such
> > a packet is forwarded? Also, I think TCP has the same problem.
> You're right, just confirm it exists on the forwarded path.
> __copy_skb_header() is also called by skb_segment(), but
> I don't have tests to reproduce it on other protocols like TCP.
skb_segment() is fine, either nskb is a new allocation or a clone
with head state already discarded.
> > If a skb in the fraglist has a secpath, it is still valid.
> > So maybe instead of dropping it here and assign the one
> > from the head skb, we could just keep the secpath. But
> > I don't know about other extensions. I've CCed Florian,
> > he might know a bit more about other extensions. Also,
> > it might be good to check if the extensions of the GRO
> > packets are all the same before merging.
> >
> Not sure if we can improve __copy_skb_header() or add
> a new function to copy these members ONLY when nskb's
> are not set.
I don't see how.
next prev parent reply other threads:[~2020-03-30 16:13 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-26 9:06 [PATCH net] udp: fix a skb extensions leak Xin Long
2020-03-26 9:28 ` Xin Long
2020-03-30 4:54 ` David Miller
2020-03-30 8:29 ` Steffen Klassert
2020-03-30 16:13 ` Xin Long
2020-03-30 16:13 ` Florian Westphal [this message]
2020-03-30 13:27 ` Florian Westphal
2020-03-30 13:45 ` Steffen Klassert
2020-03-30 14:11 ` Florian Westphal
2020-03-30 14:39 ` Steffen Klassert
2020-03-30 16:14 ` Xin Long
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200330161336.GD23604@breakpoint.cc \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=lucien.xin@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.