From: John Fastabend <john.fastabend@gmail.com>
To: lmb@cloudflare.com, jakub@cloudflare.com, daniel@iogearbox.net
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org,
	john.fastabend@gmail.com, ast@kernel.org
Subject: [bpf-next PATCH v2 02/12] bpf: sockmap, bpf_tcp_ingress needs to subtract bytes from sg.size
Date: Wed, 13 May 2020 12:12:50 -0700
Message-ID: <158939717033.15176.12533943232686062367.stgit@john-Precision-5820-Tower>
In-Reply-To: <158939706939.15176.10993188758954570904.stgit@john-Precision-5820-Tower>

In bpf_tcp_ingress we used apply_bytes to subtract bytes from sg.size
which is used to track total bytes in a message. But this is not
correct because apply_bytes is itself modified in the main loop doing
the mem_charge.

Then at the end of this we have sg.size incorrectly set and out of
sync with actual sk values. Then we can get a splat if we try to
cork the data later and again try to redirect the msg to ingress. To
fix, instead of trying to track msg.size, do the easy thing and include
it as part of the sk_msg_xfer logic so that when the msg is moved the
sg.size is always correct.

To reproduce the below, users will need ingress + cork and hit an
error path that will then try to 'free' the skmsg.

[  173.699981] BUG: KASAN: null-ptr-deref in sk_msg_free_elem+0xdd/0x120
[  173.699987] Read of size 8 at addr 0000000000000008 by task test_sockmap/5317

[  173.700000] CPU: 2 PID: 5317 Comm: test_sockmap Tainted: G          I       5.7.0-rc1+ #43
[  173.700005] Hardware name: Dell Inc. Precision 5820 Tower/002KVM, BIOS 1.9.2 01/24/2019
[  173.700009] Call Trace:
[  173.700021]  dump_stack+0x8e/0xcb
[  173.700029]  ? sk_msg_free_elem+0xdd/0x120
[  173.700034]  ? sk_msg_free_elem+0xdd/0x120
[  173.700042]  __kasan_report+0x102/0x15f
[  173.700052]  ? sk_msg_free_elem+0xdd/0x120
[  173.700060]  kasan_report+0x32/0x50
[  173.700070]  sk_msg_free_elem+0xdd/0x120
[  173.700080]  __sk_msg_free+0x87/0x150
[  173.700094]  tcp_bpf_send_verdict+0x179/0x4f0
[  173.700109]  tcp_bpf_sendpage+0x3ce/0x5d0

Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
---
 0 files changed

diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
index 8a709f6..ad31c9f 100644
--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -187,6 +187,7 @@ static inline void sk_msg_xfer(struct sk_msg *dst, struct sk_msg *src,
 	dst->sg.data[which] = src->sg.data[which];
 	dst->sg.data[which].length  = size;
 	dst->sg.size		   += size;
+	src->sg.size		   -= size;
 	src->sg.data[which].length -= size;
 	src->sg.data[which].offset += size;
 }
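Review bot: the added `src->sg.size -= size;` in sk_msg_xfer() subtracts unconditionally, and nothing in this helper bounds `size` against `src->sg.size` or `src->sg.data[which].length`. If a caller ever passes more than the source still holds, the source byte count and the element length fall out of sync, which is the kind of accounting error the commit message describes. Consider documenting the precondition in a comment above the helper or adding a WARN_ON_ONCE() for it. Because this changes the contract for every caller of sk_msg_xfer(), the commit message should also state that no other caller adjusts the source sg.size itself, otherwise such a caller would now subtract twice.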
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index 5a05327..26bac78 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -125,7 +125,6 @@ static int bpf_tcp_ingress(struct sock *sk, struct sk_psock *psock,
 
 	if (!ret) {
 		msg->sg.start = i;
-		msg->sg.size -= apply_bytes;
 		sk_psock_queue_msg(psock, tmp);
 		sk_psock_data_ready(sk, psock);
 	} else {
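Review bot: with `msg->sg.size -= apply_bytes;` removed from the `if (!ret)` branch, `msg->sg.start = i;` is still updated by hand here while the size is adjusted only inside sk_msg_xfer(), and nothing at this spot says so. A one-line comment noting that sg.size is maintained by sk_msg_xfer() would keep a later change from reintroducing a manual adjustment. It is also worth confirming that the `else` branch, whose body is outside this hunk, stays consistent when the loop stops after some elements have already been transferred, since the source size is now reduced per element rather than once on success.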

