* [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg
@ 2022-03-01 6:43 Harold Huang
2022-03-02 2:05 ` Jakub Kicinski
2022-03-03 2:24 ` Harold Huang
0 siblings, 2 replies; 7+ messages in thread
From: Harold Huang @ 2022-03-01 6:43 UTC (permalink / raw)
To: netdev
Cc: jasowang, edumazet, Harold Huang, Eric Dumazet, David S. Miller,
Jakub Kicinski, Michael S. Tsirkin, Alexei Starovoitov,
Daniel Borkmann, Jesper Dangaard Brouer, John Fastabend,
open list, open list:VIRTIO HOST (VHOST),
open list:VIRTIO HOST (VHOST), open list:XDP (eXpress Data Path)
In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
tun_sendmsg. Although we donot use msg_controllen in this path, we should
check msg_controllen to make sure the caller pass a valid msg_ctl.
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Suggested-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Harold Huang <baymaxhuang@gmail.com>
---
drivers/net/tap.c | 3 ++-
drivers/net/tun.c | 3 ++-
drivers/vhost/net.c | 1 +
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 8e3a28ba6b28..ba2ef5437e16 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1198,7 +1198,8 @@ static int tap_sendmsg(struct socket *sock, struct msghdr *m,
struct xdp_buff *xdp;
int i;
- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
for (i = 0; i < ctl->num; i++) {
xdp = &((struct xdp_buff *)ctl->ptr)[i];
tap_get_user_xdp(q, xdp);
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 969ea69fd29d..2a0d8a5d7aec 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2501,7 +2501,8 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)
if (!tun)
return -EBADFD;
- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
struct tun_page tpage;
int n = ctl->num;
int flush = 0, queued = 0;
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 28ef323882fb..792ab5f23647 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -473,6 +473,7 @@ static void vhost_tx_batch(struct vhost_net *net,
goto signal_used;
msghdr->msg_control = &ctl;
+ msghdr->msg_controllen = sizeof(ctl);
err = sock->ops->sendmsg(sock, msghdr, 0);
if (unlikely(err < 0)) {
vq_err(&nvq->vq, "Fail to batch sending packets\n");
--
2.27.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg
2022-03-01 6:43 [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg Harold Huang
@ 2022-03-02 2:05 ` Jakub Kicinski
2022-03-02 3:37 ` Harold Huang
2022-03-03 2:24 ` Harold Huang
1 sibling, 1 reply; 7+ messages in thread
From: Jakub Kicinski @ 2022-03-02 2:05 UTC (permalink / raw)
To: Harold Huang
Cc: netdev, jasowang, edumazet, Eric Dumazet, David S. Miller,
Michael S. Tsirkin, Alexei Starovoitov, Daniel Borkmann,
Jesper Dangaard Brouer, John Fastabend, open list,
open list:VIRTIO HOST (VHOST), open list:VIRTIO HOST (VHOST),
open list:XDP (eXpress Data Path)
On Tue, 1 Mar 2022 14:43:14 +0800 Harold Huang wrote:
> In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
> tun_sendmsg. Although we donot use msg_controllen in this path, we should
> check msg_controllen to make sure the caller pass a valid msg_ctl.
>
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
>
> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> Suggested-by: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Harold Huang <baymaxhuang@gmail.com>
Would you mind resending the same patch? It looks like it depended on
your other change so the build bot was unable to apply and test it.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg
2022-03-02 2:05 ` Jakub Kicinski
@ 2022-03-02 3:37 ` Harold Huang
0 siblings, 0 replies; 7+ messages in thread
From: Harold Huang @ 2022-03-02 3:37 UTC (permalink / raw)
To: Jakub Kicinski
Cc: netdev, Jason Wang, Eric Dumazet, Eric Dumazet, David S. Miller,
Michael S. Tsirkin, Alexei Starovoitov, Daniel Borkmann,
Jesper Dangaard Brouer, John Fastabend, open list,
open list:VIRTIO HOST (VHOST), open list:VIRTIO HOST (VHOST),
open list:XDP (eXpress Data Path)
On Wed, Mar 2, 2022 at 10:05 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Tue, 1 Mar 2022 14:43:14 +0800 Harold Huang wrote:
> > In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
> > tun_sendmsg. Although we donot use msg_controllen in this path, we should
> > check msg_controllen to make sure the caller pass a valid msg_ctl.
> >
> > [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
> >
> > Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> > Suggested-by: Jason Wang <jasowang@redhat.com>
> > Signed-off-by: Harold Huang <baymaxhuang@gmail.com>
>
> Would you mind resending the same patch? It looks like it depended on
> your other change so the build bot was unable to apply and test it.
Yes, it depends on this patch [1] which has been applied to netdev. I
see this patch could be applied to netdev by git am. But if I use
another patch that could be applied to linux master, it could not be
applied to netdev anymore.
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=fb3f903769e8
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg
2022-03-01 6:43 [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg Harold Huang
2022-03-02 2:05 ` Jakub Kicinski
@ 2022-03-03 2:24 ` Harold Huang
2022-03-03 3:59 ` Jason Wang
2022-03-03 6:10 ` patchwork-bot+netdevbpf
1 sibling, 2 replies; 7+ messages in thread
From: Harold Huang @ 2022-03-03 2:24 UTC (permalink / raw)
To: netdev
Cc: jasowang, edumazet, Harold Huang, Eric Dumazet, David S. Miller,
Jakub Kicinski, Michael S. Tsirkin, Alexei Starovoitov,
Daniel Borkmann, Jesper Dangaard Brouer, John Fastabend,
open list, open list:VIRTIO HOST (VHOST),
open list:VIRTIO HOST (VHOST), open list:XDP (eXpress Data Path)
In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
tun_sendmsg. Although we donot use msg_controllen in this path, we should
check msg_controllen to make sure the caller pass a valid msg_ctl.
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Suggested-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Harold Huang <baymaxhuang@gmail.com>
---
drivers/net/tap.c | 3 ++-
drivers/net/tun.c | 3 ++-
drivers/vhost/net.c | 1 +
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 8e3a28ba6b28..ba2ef5437e16 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1198,7 +1198,8 @@ static int tap_sendmsg(struct socket *sock, struct msghdr *m,
struct xdp_buff *xdp;
int i;
- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
for (i = 0; i < ctl->num; i++) {
xdp = &((struct xdp_buff *)ctl->ptr)[i];
tap_get_user_xdp(q, xdp);
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 969ea69fd29d..2a0d8a5d7aec 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2501,7 +2501,8 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)
if (!tun)
return -EBADFD;
- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
struct tun_page tpage;
int n = ctl->num;
int flush = 0, queued = 0;
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 28ef323882fb..792ab5f23647 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -473,6 +473,7 @@ static void vhost_tx_batch(struct vhost_net *net,
goto signal_used;
msghdr->msg_control = &ctl;
+ msghdr->msg_controllen = sizeof(ctl);
err = sock->ops->sendmsg(sock, msghdr, 0);
if (unlikely(err < 0)) {
vq_err(&nvq->vq, "Fail to batch sending packets\n");
--
2.27.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg
2022-03-03 2:24 ` Harold Huang
@ 2022-03-03 3:59 ` Jason Wang
2022-03-03 6:10 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 7+ messages in thread
From: Jason Wang @ 2022-03-03 3:59 UTC (permalink / raw)
To: Harold Huang, netdev
Cc: edumazet, Eric Dumazet, David S. Miller, Jakub Kicinski,
Michael S. Tsirkin, Alexei Starovoitov, Daniel Borkmann,
Jesper Dangaard Brouer, John Fastabend, open list,
open list:VIRTIO HOST (VHOST), open list:VIRTIO HOST (VHOST),
open list:XDP (eXpress Data Path)
在 2022/3/3 上午10:24, Harold Huang 写道:
> In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
> tun_sendmsg. Although we donot use msg_controllen in this path, we should
> check msg_controllen to make sure the caller pass a valid msg_ctl.
>
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
>
> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> Suggested-by: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Harold Huang <baymaxhuang@gmail.com>
Acked-by: Jason Wang <jasowang@redhat.com>
> ---
> drivers/net/tap.c | 3 ++-
> drivers/net/tun.c | 3 ++-
> drivers/vhost/net.c | 1 +
> 3 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/tap.c b/drivers/net/tap.c
> index 8e3a28ba6b28..ba2ef5437e16 100644
> --- a/drivers/net/tap.c
> +++ b/drivers/net/tap.c
> @@ -1198,7 +1198,8 @@ static int tap_sendmsg(struct socket *sock, struct msghdr *m,
> struct xdp_buff *xdp;
> int i;
>
> - if (ctl && (ctl->type == TUN_MSG_PTR)) {
> + if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
> + ctl && ctl->type == TUN_MSG_PTR) {
> for (i = 0; i < ctl->num; i++) {
> xdp = &((struct xdp_buff *)ctl->ptr)[i];
> tap_get_user_xdp(q, xdp);
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 969ea69fd29d..2a0d8a5d7aec 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -2501,7 +2501,8 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)
> if (!tun)
> return -EBADFD;
>
> - if (ctl && (ctl->type == TUN_MSG_PTR)) {
> + if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
> + ctl && ctl->type == TUN_MSG_PTR) {
> struct tun_page tpage;
> int n = ctl->num;
> int flush = 0, queued = 0;
> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> index 28ef323882fb..792ab5f23647 100644
> --- a/drivers/vhost/net.c
> +++ b/drivers/vhost/net.c
> @@ -473,6 +473,7 @@ static void vhost_tx_batch(struct vhost_net *net,
> goto signal_used;
>
> msghdr->msg_control = &ctl;
> + msghdr->msg_controllen = sizeof(ctl);
> err = sock->ops->sendmsg(sock, msghdr, 0);
> if (unlikely(err < 0)) {
> vq_err(&nvq->vq, "Fail to batch sending packets\n");
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg
@ 2022-03-03 3:59 ` Jason Wang
0 siblings, 0 replies; 7+ messages in thread
From: Jason Wang @ 2022-03-03 3:59 UTC (permalink / raw)
To: Harold Huang, netdev
Cc: Daniel Borkmann, Eric Dumazet, Michael S. Tsirkin,
John Fastabend, Alexei Starovoitov, open list, edumazet,
open list:VIRTIO HOST (VHOST),
Jakub Kicinski, open list:XDP (eXpress Data Path),
open list:VIRTIO HOST (VHOST),
David S. Miller, Jesper Dangaard Brouer
在 2022/3/3 上午10:24, Harold Huang 写道:
> In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
> tun_sendmsg. Although we donot use msg_controllen in this path, we should
> check msg_controllen to make sure the caller pass a valid msg_ctl.
>
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
>
> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> Suggested-by: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Harold Huang <baymaxhuang@gmail.com>
Acked-by: Jason Wang <jasowang@redhat.com>
> ---
> drivers/net/tap.c | 3 ++-
> drivers/net/tun.c | 3 ++-
> drivers/vhost/net.c | 1 +
> 3 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/tap.c b/drivers/net/tap.c
> index 8e3a28ba6b28..ba2ef5437e16 100644
> --- a/drivers/net/tap.c
> +++ b/drivers/net/tap.c
> @@ -1198,7 +1198,8 @@ static int tap_sendmsg(struct socket *sock, struct msghdr *m,
> struct xdp_buff *xdp;
> int i;
>
> - if (ctl && (ctl->type == TUN_MSG_PTR)) {
> + if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
> + ctl && ctl->type == TUN_MSG_PTR) {
> for (i = 0; i < ctl->num; i++) {
> xdp = &((struct xdp_buff *)ctl->ptr)[i];
> tap_get_user_xdp(q, xdp);
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 969ea69fd29d..2a0d8a5d7aec 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -2501,7 +2501,8 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)
> if (!tun)
> return -EBADFD;
>
> - if (ctl && (ctl->type == TUN_MSG_PTR)) {
> + if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
> + ctl && ctl->type == TUN_MSG_PTR) {
> struct tun_page tpage;
> int n = ctl->num;
> int flush = 0, queued = 0;
> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> index 28ef323882fb..792ab5f23647 100644
> --- a/drivers/vhost/net.c
> +++ b/drivers/vhost/net.c
> @@ -473,6 +473,7 @@ static void vhost_tx_batch(struct vhost_net *net,
> goto signal_used;
>
> msghdr->msg_control = &ctl;
> + msghdr->msg_controllen = sizeof(ctl);
> err = sock->ops->sendmsg(sock, msghdr, 0);
> if (unlikely(err < 0)) {
> vq_err(&nvq->vq, "Fail to batch sending packets\n");
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg
2022-03-03 2:24 ` Harold Huang
2022-03-03 3:59 ` Jason Wang
@ 2022-03-03 6:10 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 7+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-03-03 6:10 UTC (permalink / raw)
To: Harold Huang
Cc: netdev, jasowang, edumazet, eric.dumazet, davem, kuba, mst, ast,
daniel, hawk, john.fastabend, linux-kernel, kvm, virtualization,
bpf
Hello:
This patch was applied to netdev/net-next.git (master)
by Jakub Kicinski <kuba@kernel.org>:
On Thu, 3 Mar 2022 10:24:40 +0800 you wrote:
> In patch [1], tun_msg_ctl was added to allow pass batched xdp buffers to
> tun_sendmsg. Although we donot use msg_controllen in this path, we should
> check msg_controllen to make sure the caller pass a valid msg_ctl.
>
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
>
> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> Suggested-by: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Harold Huang <baymaxhuang@gmail.com>
>
> [...]
Here is the summary with links:
- [net-next] tuntap: add sanity checks about msg_controllen in sendmsg
https://git.kernel.org/netdev/net-next/c/74a335a07a17
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-03-03 6:10 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-01 6:43 [PATCH net-next] tuntap: add sanity checks about msg_controllen in sendmsg Harold Huang
2022-03-02 2:05 ` Jakub Kicinski
2022-03-02 3:37 ` Harold Huang
2022-03-03 2:24 ` Harold Huang
2022-03-03 3:59 ` Jason Wang
2022-03-03 3:59 ` Jason Wang
2022-03-03 6:10 ` patchwork-bot+netdevbpf
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.