From: Jesper Dangaard Brouer <brouer@redhat.com>
To: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, davem@davemloft.net,
lorenzo.bianconi@redhat.com, echaudro@redhat.com,
sameehj@amazon.com, kuba@kernel.org, brouer@redhat.com
Subject: Re: [PATCH net-next 4/6] xdp: add multi-buff support to xdp_return_{buff/frame}
Date: Thu, 20 Aug 2020 09:52:22 +0200 [thread overview]
Message-ID: <20200820095222.711ccfa7@carbon> (raw)
In-Reply-To: <7ff49193140f3cb5341732612c72bcc2c5fb3372.1597842004.git.lorenzo@kernel.org>
On Wed, 19 Aug 2020 15:13:49 +0200
Lorenzo Bianconi <lorenzo@kernel.org> wrote:
> diff --git a/net/core/xdp.c b/net/core/xdp.c
> index 884f140fc3be..006b24b5d276 100644
> --- a/net/core/xdp.c
> +++ b/net/core/xdp.c
> @@ -370,19 +370,55 @@ static void __xdp_return(void *data, struct xdp_mem_info *mem, bool napi_direct)
>
> void xdp_return_frame(struct xdp_frame *xdpf)
> {
> + struct skb_shared_info *sinfo;
> + int i;
> +
> __xdp_return(xdpf->data, &xdpf->mem, false);
There is a use-after-free race here. The xdpf->data contains the
shared_info (xdp_get_shared_info_from_frame(xdpf)). Thus you cannot
free/return the page and use this data area below.
> + if (!xdpf->mb)
> + return;
> +
> + sinfo = xdp_get_shared_info_from_frame(xdpf);
> + for (i = 0; i < sinfo->nr_frags; i++) {
> + struct page *page = skb_frag_page(&sinfo->frags[i]);
> +
> + __xdp_return(page_address(page), &xdpf->mem, false);
> + }
> }
> EXPORT_SYMBOL_GPL(xdp_return_frame);
>
> void xdp_return_frame_rx_napi(struct xdp_frame *xdpf)
> {
> + struct skb_shared_info *sinfo;
> + int i;
> +
> __xdp_return(xdpf->data, &xdpf->mem, true);
Same issue.
> + if (!xdpf->mb)
> + return;
> +
> + sinfo = xdp_get_shared_info_from_frame(xdpf);
> + for (i = 0; i < sinfo->nr_frags; i++) {
> + struct page *page = skb_frag_page(&sinfo->frags[i]);
> +
> + __xdp_return(page_address(page), &xdpf->mem, true);
> + }
> }
> EXPORT_SYMBOL_GPL(xdp_return_frame_rx_napi);
>
> void xdp_return_buff(struct xdp_buff *xdp)
> {
> + struct skb_shared_info *sinfo;
> + int i;
> +
> __xdp_return(xdp->data, &xdp->rxq->mem, true);
Same issue.
> + if (!xdp->mb)
> + return;
> +
> + sinfo = xdp_get_shared_info_from_buff(xdp);
> + for (i = 0; i < sinfo->nr_frags; i++) {
> + struct page *page = skb_frag_page(&sinfo->frags[i]);
> +
> + __xdp_return(page_address(page), &xdp->rxq->mem, true);
> + }
> }
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Principal Kernel Engineer at Red Hat
LinkedIn: http://www.linkedin.com/in/brouer
next prev parent reply other threads:[~2020-08-20 7:52 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-19 13:13 [PATCH net-next 0/6] mvneta: introduce XDP multi-buffer support Lorenzo Bianconi
2020-08-19 13:13 ` [PATCH net-next 1/6] xdp: introduce mb in xdp_buff/xdp_frame Lorenzo Bianconi
2020-08-23 14:08 ` Shay Agroskin
2020-08-24 8:44 ` Jesper Dangaard Brouer
2020-08-26 9:47 ` Shay Agroskin
2020-08-19 13:13 ` [PATCH net-next 2/6] xdp: initialize xdp_buff mb bit to 0 in all XDP drivers Lorenzo Bianconi
2020-08-19 13:13 ` [PATCH net-next 3/6] net: mvneta: update mb bit before passing the xdp buffer to eBPF layer Lorenzo Bianconi
2020-08-20 8:02 ` Jesper Dangaard Brouer
2020-08-20 8:11 ` Lorenzo Bianconi
2020-08-20 19:38 ` Maciej Fijalkowski
2020-08-21 7:43 ` Lorenzo Bianconi
2020-08-19 13:13 ` [PATCH net-next 4/6] xdp: add multi-buff support to xdp_return_{buff/frame} Lorenzo Bianconi
2020-08-20 7:52 ` Jesper Dangaard Brouer [this message]
2020-08-20 7:56 ` Lorenzo Bianconi
2020-08-19 13:13 ` [PATCH net-next 5/6] net: mvneta: add multi buffer support to XDP_TX Lorenzo Bianconi
2020-08-19 13:13 ` [PATCH net-next 6/6] net: mvneta: enable jumbo frames for XDP Lorenzo Bianconi
2020-08-19 19:23 ` Jakub Kicinski
2020-08-19 20:22 ` Lorenzo Bianconi
2020-08-19 21:14 ` Jakub Kicinski
2020-08-19 21:58 ` John Fastabend
2020-08-20 7:47 ` Jesper Dangaard Brouer
2020-08-20 7:54 ` Lorenzo Bianconi
2020-08-20 13:16 ` [PATCH net-next 0/6] mvneta: introduce XDP multi-buffer support Jesper Dangaard Brouer
2020-08-20 13:36 ` Lorenzo Bianconi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200820095222.711ccfa7@carbon \
--to=brouer@redhat.com \
--cc=bpf@vger.kernel.org \
--cc=davem@davemloft.net \
--cc=echaudro@redhat.com \
--cc=kuba@kernel.org \
--cc=lorenzo.bianconi@redhat.com \
--cc=lorenzo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sameehj@amazon.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.