From: Jakub Sitnicki <jakub@cloudflare.com>
To: Liu Jian <liujian56@huawei.com>, john.fastabend@gmail.com
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, daniel@iogearbox.net, andrii@kernel.org,
netdev@vger.kernel.org, bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2] skmsg: Fix wrong last sg check in sk_msg_recvmsg()
Date: Wed, 17 Aug 2022 11:02:53 +0200 [thread overview]
Message-ID: <87ilmrw7wm.fsf@cloudflare.com> (raw)
In-Reply-To: <20220809094915.150391-1-liujian56@huawei.com>
On Tue, Aug 09, 2022 at 05:49 PM +08, Liu Jian wrote:
> Fix one kernel NULL pointer dereference as below:
>
> [ 224.462334] Call Trace:
> [ 224.462394] __tcp_bpf_recvmsg+0xd3/0x380
> [ 224.462441] ? sock_has_perm+0x78/0xa0
> [ 224.462463] tcp_bpf_recvmsg+0x12e/0x220
> [ 224.462494] inet_recvmsg+0x5b/0xd0
> [ 224.462534] __sys_recvfrom+0xc8/0x130
> [ 224.462574] ? syscall_trace_enter+0x1df/0x2e0
> [ 224.462606] ? __do_page_fault+0x2de/0x500
> [ 224.462635] __x64_sys_recvfrom+0x24/0x30
> [ 224.462660] do_syscall_64+0x5d/0x1d0
> [ 224.462709] entry_SYSCALL_64_after_hwframe+0x65/0xca
>
> In commit 9974d37ea75f ("skmsg: Fix invalid last sg check in
> sk_msg_recvmsg()"), we change last sg check to sg_is_last(),
> but in sockmap redirection case (without stream_parser/stream_verdict/
> skb_verdict), we did not mark the end of the scatterlist. Check the
> sk_msg_alloc, sk_msg_page_add, and bpf_msg_push_data functions, they all
> do not mark the end of sg. They are expected to use sg.end for end
> judgment. So the judgment of '(i != msg_rx->sg.end)' is added back here.
>
> Fixes: 9974d37ea75f ("skmsg: Fix invalid last sg check in sk_msg_recvmsg()")
> Signed-off-by: Liu Jian <liujian56@huawei.com>
> ---
> v1->v2: change fix commit info in fixes tag and commit message.
> net/core/skmsg.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/skmsg.c b/net/core/skmsg.c
> index 81627892bdd4..385ae23580a5 100644
> --- a/net/core/skmsg.c
> +++ b/net/core/skmsg.c
> @@ -462,7 +462,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
>
> if (copied == len)
> break;
> - } while (!sg_is_last(sge));
> + } while ((i != msg_rx->sg.end) && !sg_is_last(sge));
>
> if (unlikely(peek)) {
> msg_rx = sk_psock_next_msg(psock, msg_rx);
> @@ -472,7 +472,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
> }
>
> msg_rx->sg.start = i;
> - if (!sge->length && sg_is_last(sge)) {
> + if (!sge->length && (i == msg_rx->sg.end || sg_is_last(sge))) {
> msg_rx = sk_psock_dequeue_msg(psock);
> kfree_sk_msg(msg_rx);
> }
Looks to me like I sk_msg_alloc does mark the end of a scatterlist:
sk_msg_alloc
sg_unmark_end
sg_set_page
sg_assign_page <- sets SG_END bit
Why do we unmark the SG end in sk_msg_page_add and bpf_msg_push_data?
John, do you recall?
As it might take a moment to figure it out, and we want to fix the
regression introduced by 9974d37ea75f ("skmsg: Fix invalid last sg check
in sk_msg_recvmsg()"):
Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
next prev parent reply other threads:[~2022-08-17 9:12 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-09 9:49 [PATCH bpf-next v2] skmsg: Fix wrong last sg check in sk_msg_recvmsg() Liu Jian
2022-08-12 15:55 ` John Fastabend
2022-08-17 9:02 ` Jakub Sitnicki [this message]
2022-08-17 20:40 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ilmrw7wm.fsf@cloudflare.com \
--to=jakub@cloudflare.com \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=liujian56@huawei.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.