From: Eric Dumazet <edumazet@google.com>
To: Vasily Averin <vvs@virtuozzo.com>
Cc: netdev <netdev@vger.kernel.org>
Subject: Re: [PATCH] tcp: detect use sendpage for slab-based objects
Date: Thu, 21 Feb 2019 08:00:47 -0800
Message-ID: <CANn89i+tJA1zHN9Hbw58UQOEDY2iZCAssJcZ-+Y7C=zsNW3VSA@mail.gmail.com>
In-Reply-To: <a8655149-80b9-c75d-6528-0b851ea85de8@virtuozzo.com>

On Thu, Feb 21, 2019 at 7:30 AM Vasily Averin <vvs@virtuozzo.com> wrote:
>
> There were a few incidents when XFS over a network block device generated
> IO requests with slab-based metadata. If these requests are processed
> via the sendpage path, tcp_sendpage() calls skb_can_coalesce() and merges
> neighbouring slab objects into one skb fragment.
>
> If the receiving side is located on the same host, tcp_recvmsg() can trigger
> the following BUG_ON:
> usercopy: kernel memory exposure attempt detected
>                 from XXXXXX (kmalloc-512) (1024 bytes)
>
> This patch helps to detect the reason for similar incidents on the sending side.
>
> Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
> ---
>  net/ipv4/tcp.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index 2079145a3b7c..cf9572f4fc0f 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -996,6 +996,7 @@ ssize_t do_tcp_sendpages(struct sock *sk, struct page *page, int offset,
>                         goto wait_for_memory;
>
>                 if (can_coalesce) {
> +                       WARN_ON_ONCE(PageSlab(page));

Please use VM_WARN_ON_ONCE() to make this a nop for CONFIG_VM_DEBUG=n

Also the whole tcp_sendpage() should be protected, not only the coalescing part.

(The get_page() done a few lines later should not be attempted either)

>                         skb_frag_size_add(&skb_shinfo(skb)->frags[i - 1], copy);
>                 } else {
>                         get_page(page);
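
Review bot: the WARN_ON_ONCE(PageSlab(page)) sits inside the if (can_coalesce) branch, so a slab page that takes the else branch goes straight to get_page(page) with no warning. The check also only reports: skb_frag_size_add() still runs afterwards, so the slab object is still merged into the previous fragment. Consider moving the test ahead of the if (can_coalesce) / else pair so both paths are covered, and adding a one-line comment saying why slab pages must not reach this path.
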
> --
> 2.17.1
>

It seems the bug has nothing to do with TCP, and belongs to the caller.

Otherwise you need to add the check to all existing .sendpage() /
.sendpage_locked() handlers out there.
