From: John Fastabend <john.fastabend@gmail.com>
To: Levi Zim via B4 Relay <devnull+rsworktech.outlook.com@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
Jakub Sitnicki <jakub@cloudflare.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
David Ahern <dsahern@kernel.org>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org,
linux-kernel@vger.kernel.org, Levi Zim <rsworktech@outlook.com>
Subject: RE: [PATCH net 2/2] tcp_bpf: fix copied value in tcp_bpf_sendmsg
Date: Sun, 08 Dec 2024 23:02:09 -0800 [thread overview]
Message-ID: <675695f1265b2_1abf20862@john.notmuch> (raw)
In-Reply-To: <20241130-tcp-bpf-sendmsg-v1-2-bae583d014f3@outlook.com>
Levi Zim via B4 Relay wrote:
> From: Levi Zim <rsworktech@outlook.com>
>
> bpf kselftest sockhash::test_txmsg_cork_hangs in test_sockmap.c triggers a
> kernel NULL pointer dereference:
Is it just the cork test that causes issue?
>
> BUG: kernel NULL pointer dereference, address: 0000000000000008
> ? __die_body+0x6e/0xb0
> ? __die+0x8b/0xa0
> ? page_fault_oops+0x358/0x3c0
> ? local_clock+0x19/0x30
> ? lock_release+0x11b/0x440
> ? kernelmode_fixup_or_oops+0x54/0x60
> ? __bad_area_nosemaphore+0x4f/0x210
> ? mmap_read_unlock+0x13/0x30
> ? bad_area_nosemaphore+0x16/0x20
> ? do_user_addr_fault+0x6fd/0x740
> ? prb_read_valid+0x1d/0x30
> ? exc_page_fault+0x55/0xd0
> ? asm_exc_page_fault+0x2b/0x30
> ? splice_to_socket+0x52e/0x630
> ? shmem_file_splice_read+0x2b1/0x310
> direct_splice_actor+0x47/0x70
> splice_direct_to_actor+0x133/0x300
> ? do_splice_direct+0x90/0x90
> do_splice_direct+0x64/0x90
> ? __ia32_sys_tee+0x30/0x30
> do_sendfile+0x214/0x300
> __se_sys_sendfile64+0x8e/0xb0
> __x64_sys_sendfile64+0x25/0x30
> x64_sys_call+0xb82/0x2840
> do_syscall_64+0x75/0x110
> entry_SYSCALL_64_after_hwframe+0x4b/0x53
>
> This is caused by tcp_bpf_sendmsg() returning a larger value(12289) than
> size (8192), which causes the while loop in splice_to_socket() to release
> an uninitialized pipe buf.
>
> The underlying cause is that this code assumes sk_msg_memcopy_from_iter()
> will copy all bytes upon success but it actually might only copy part of
> it.
The intent was to ensure we allocate a buffer large enough to fit the
data. I guess the cork + send here is not allocating enough bytes?
>
> This commit changes it to use the real copied bytes.
>
> Signed-off-by: Levi Zim <rsworktech@outlook.com>
> ---
> net/ipv4/tcp_bpf.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
> index 370993c03d31363c0f82a003d9e5b0ca3bbed721..8e46c4d618cbbff0d120fe4cd917624e5d5cae15 100644
> --- a/net/ipv4/tcp_bpf.c
> +++ b/net/ipv4/tcp_bpf.c
> @@ -496,7 +496,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
> static int tcp_bpf_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
> {
> struct sk_msg tmp, *msg_tx = NULL;
> - int copied = 0, err = 0;
> + int copied = 0, err = 0, ret = 0;
> struct sk_psock *psock;
> long timeo;
> int flags;
> @@ -539,14 +539,14 @@ static int tcp_bpf_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
> copy = msg_tx->sg.size - osize;
> }
>
> - err = sk_msg_memcopy_from_iter(sk, &msg->msg_iter, msg_tx,
> + ret = sk_msg_memcopy_from_iter(sk, &msg->msg_iter, msg_tx,
> copy);
> - if (err < 0) {
> + if (ret < 0) {
> sk_msg_trim(sk, msg_tx, osize);
> goto out_err;
> }
>
> - copied += copy;
> + copied += ret;
> if (psock->cork_bytes) {
> if (size > psock->cork_bytes)
> psock->cork_bytes = 0;
>
> --
> 2.47.1
>
>
next prev parent reply other threads:[~2024-12-09 7:02 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-30 13:38 [PATCH net 0/2] Fix NPE discovered by running bpf kselftest Levi Zim via B4 Relay
2024-11-30 13:38 ` Levi Zim
2024-11-30 13:38 ` [PATCH net 1/2] skmsg: return copied bytes in sk_msg_memcopy_from_iter Levi Zim via B4 Relay
2024-11-30 13:38 ` Levi Zim
2024-11-30 13:38 ` [PATCH net 2/2] tcp_bpf: fix copied value in tcp_bpf_sendmsg Levi Zim via B4 Relay
2024-11-30 13:38 ` Levi Zim
2024-12-09 7:02 ` John Fastabend [this message]
2024-12-09 11:56 ` Levi Zim
2024-12-10 6:14 ` John Fastabend
2024-12-01 1:42 ` [PATCH net 0/2] Fix NPE discovered by running bpf kselftest Levi Zim
2024-12-04 1:01 ` Cong Wang
2024-12-04 6:49 ` Levi Zim
2024-12-17 15:43 ` Björn Töpel
2024-12-19 9:17 ` Björn Töpel
2024-12-20 7:56 ` John Fastabend
2024-12-20 9:00 ` Levi Zim
2024-12-20 9:03 ` Björn Töpel
2024-12-20 16:56 ` John Fastabend
2024-12-02 23:04 ` Jakub Kicinski
2024-12-03 6:42 ` Levi Zim
2024-12-20 22:20 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=675695f1265b2_1abf20862@john.notmuch \
--to=john.fastabend@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=davem@davemloft.net \
--cc=devnull+rsworktech.outlook.com@kernel.org \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jakub@cloudflare.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rsworktech@outlook.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.