From: Lorenzo Bianconi <lorenzo@kernel.org>
To: Jesper Dangaard Brouer <brouer@redhat.com>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, davem@davemloft.net,
lorenzo.bianconi@redhat.com, echaudro@redhat.com,
sameehj@amazon.com, kuba@kernel.org
Subject: Re: [PATCH net-next 4/6] xdp: add multi-buff support to xdp_return_{buff/frame}
Date: Thu, 20 Aug 2020 09:56:05 +0200 [thread overview]
Message-ID: <20200820075605.GC2282@lore-desk> (raw)
In-Reply-To: <20200820095222.711ccfa7@carbon>
[-- Attachment #1: Type: text/plain, Size: 2347 bytes --]
> On Wed, 19 Aug 2020 15:13:49 +0200
> Lorenzo Bianconi <lorenzo@kernel.org> wrote:
>
> > diff --git a/net/core/xdp.c b/net/core/xdp.c
> > index 884f140fc3be..006b24b5d276 100644
> > --- a/net/core/xdp.c
> > +++ b/net/core/xdp.c
> > @@ -370,19 +370,55 @@ static void __xdp_return(void *data, struct xdp_mem_info *mem, bool napi_direct)
> >
> > void xdp_return_frame(struct xdp_frame *xdpf)
> > {
> > + struct skb_shared_info *sinfo;
> > + int i;
> > +
> > __xdp_return(xdpf->data, &xdpf->mem, false);
>
> There is a use-after-free race here. The xdpf->data contains the
> shared_info (xdp_get_shared_info_from_frame(xdpf)). Thus you cannot
> free/return the page and use this data area below.
right, thx for pointing this out. I will fix it in v2.
Regards,
Lorenzo
>
> > + if (!xdpf->mb)
> > + return;
> > +
> > + sinfo = xdp_get_shared_info_from_frame(xdpf);
> > + for (i = 0; i < sinfo->nr_frags; i++) {
> > + struct page *page = skb_frag_page(&sinfo->frags[i]);
> > +
> > + __xdp_return(page_address(page), &xdpf->mem, false);
> > + }
> > }
> > EXPORT_SYMBOL_GPL(xdp_return_frame);
> >
> > void xdp_return_frame_rx_napi(struct xdp_frame *xdpf)
> > {
> > + struct skb_shared_info *sinfo;
> > + int i;
> > +
> > __xdp_return(xdpf->data, &xdpf->mem, true);
>
> Same issue.
>
> > + if (!xdpf->mb)
> > + return;
> > +
> > + sinfo = xdp_get_shared_info_from_frame(xdpf);
> > + for (i = 0; i < sinfo->nr_frags; i++) {
> > + struct page *page = skb_frag_page(&sinfo->frags[i]);
> > +
> > + __xdp_return(page_address(page), &xdpf->mem, true);
> > + }
> > }
> > EXPORT_SYMBOL_GPL(xdp_return_frame_rx_napi);
> >
> > void xdp_return_buff(struct xdp_buff *xdp)
> > {
> > + struct skb_shared_info *sinfo;
> > + int i;
> > +
> > __xdp_return(xdp->data, &xdp->rxq->mem, true);
>
> Same issue.
>
> > + if (!xdp->mb)
> > + return;
> > +
> > + sinfo = xdp_get_shared_info_from_buff(xdp);
> > + for (i = 0; i < sinfo->nr_frags; i++) {
> > + struct page *page = skb_frag_page(&sinfo->frags[i]);
> > +
> > + __xdp_return(page_address(page), &xdp->rxq->mem, true);
> > + }
> > }
>
>
>
> --
> Best regards,
> Jesper Dangaard Brouer
> MSc.CS, Principal Kernel Engineer at Red Hat
> LinkedIn: http://www.linkedin.com/in/brouer
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
next prev parent reply other threads:[~2020-08-20 7:56 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-19 13:13 [PATCH net-next 0/6] mvneta: introduce XDP multi-buffer support Lorenzo Bianconi
2020-08-19 13:13 ` [PATCH net-next 1/6] xdp: introduce mb in xdp_buff/xdp_frame Lorenzo Bianconi
2020-08-23 14:08 ` Shay Agroskin
2020-08-24 8:44 ` Jesper Dangaard Brouer
2020-08-26 9:47 ` Shay Agroskin
2020-08-19 13:13 ` [PATCH net-next 2/6] xdp: initialize xdp_buff mb bit to 0 in all XDP drivers Lorenzo Bianconi
2020-08-19 13:13 ` [PATCH net-next 3/6] net: mvneta: update mb bit before passing the xdp buffer to eBPF layer Lorenzo Bianconi
2020-08-20 8:02 ` Jesper Dangaard Brouer
2020-08-20 8:11 ` Lorenzo Bianconi
2020-08-20 19:38 ` Maciej Fijalkowski
2020-08-21 7:43 ` Lorenzo Bianconi
2020-08-19 13:13 ` [PATCH net-next 4/6] xdp: add multi-buff support to xdp_return_{buff/frame} Lorenzo Bianconi
2020-08-20 7:52 ` Jesper Dangaard Brouer
2020-08-20 7:56 ` Lorenzo Bianconi [this message]
2020-08-19 13:13 ` [PATCH net-next 5/6] net: mvneta: add multi buffer support to XDP_TX Lorenzo Bianconi
2020-08-19 13:13 ` [PATCH net-next 6/6] net: mvneta: enable jumbo frames for XDP Lorenzo Bianconi
2020-08-19 19:23 ` Jakub Kicinski
2020-08-19 20:22 ` Lorenzo Bianconi
2020-08-19 21:14 ` Jakub Kicinski
2020-08-19 21:58 ` John Fastabend
2020-08-20 7:47 ` Jesper Dangaard Brouer
2020-08-20 7:54 ` Lorenzo Bianconi
2020-08-20 13:16 ` [PATCH net-next 0/6] mvneta: introduce XDP multi-buffer support Jesper Dangaard Brouer
2020-08-20 13:36 ` Lorenzo Bianconi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200820075605.GC2282@lore-desk \
--to=lorenzo@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brouer@redhat.com \
--cc=davem@davemloft.net \
--cc=echaudro@redhat.com \
--cc=kuba@kernel.org \
--cc=lorenzo.bianconi@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=sameehj@amazon.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.