From: Matthew Wilcox <willy@infradead.org>
To: Eric Dumazet <edumazet@google.com>
Cc: "zhangpeng (AS)" <zhangpeng362@huawei.com>,
linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
netdev@vger.kernel.org, akpm@linux-foundation.org,
davem@davemloft.net, dsahern@kernel.org, kuba@kernel.org,
pabeni@redhat.com, arjunroy@google.com,
wangkefeng.wang@huawei.com
Subject: Re: SECURITY PROBLEM: Any user can crash the kernel with TCP ZEROCOPY
Date: Mon, 22 Jan 2024 17:12:26 +0000 [thread overview]
Message-ID: <Za6h-tB7plgKje5r@casper.infradead.org> (raw)
In-Reply-To: <CANn89iL4qUXsVDRNGgBOweZbJ6ErWMsH+EpOj-55Lky8JEEhqQ@mail.gmail.com>
On Mon, Jan 22, 2024 at 05:30:18PM +0100, Eric Dumazet wrote:
> On Mon, Jan 22, 2024 at 5:04 PM Matthew Wilcox <willy@infradead.org> wrote:
> > I'm disappointed to have no reaction from netdev so far. Let's see if a
> > more exciting subject line evinces some interest.
>
> Hmm, perhaps some of us were enjoying their weekend ?
I am all in favour of people taking time off! However the report came
in on Friday at 9am UTC so it had been more than a work day for anyone
anywhere in the world without response.
> I don't really know what changed recently, all I know is that TCP zero
> copy is for real network traffic.
>
> Real trafic uses order-0 pages, 4K at a time.
>
> If can_map_frag() needs to add another safety check, let's add it.
So it's your opinion that people don't actually use sendfile() from
a local file, and we can make this fail to zerocopy? That's good
because I had a slew of questions about what expectations we had around
cache coherency between pages mapped this way and write()/mmap() of
the original file. If we can just disallow this, we don't need to
have a discussion about it.
> syzbot is usually quite good at bisections, was a bug origin found ?
I have the impression that Huawei run syzkaller themselves without
syzbot. I suspect this bug has been there for a good long time.
Wonder why nobody's found it before; it doesn't seem complicated for a
fuzzer to stumble into.
next prev parent reply other threads:[~2024-01-22 17:12 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-19 9:20 [RFC PATCH] filemap: add mapping_mapped check in filemap_unaccount_folio() Peng Zhang
2024-01-19 13:40 ` Matthew Wilcox
2024-01-20 6:46 ` zhangpeng (AS)
2024-01-22 16:04 ` SECURITY PROBLEM: Any user can crash the kernel with TCP ZEROCOPY Matthew Wilcox
2024-01-22 16:30 ` Eric Dumazet
2024-01-22 17:12 ` Matthew Wilcox [this message]
2024-01-22 17:39 ` Eric Dumazet
2024-01-24 9:30 ` zhangpeng (AS)
2024-01-24 10:11 ` Eric Dumazet
2024-01-25 2:18 ` zhangpeng (AS)
2024-01-25 8:57 ` Eric Dumazet
2024-01-25 9:22 ` zhangpeng (AS)
2024-01-25 10:31 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Za6h-tB7plgKje5r@casper.infradead.org \
--to=willy@infradead.org \
--cc=akpm@linux-foundation.org \
--cc=arjunroy@google.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=wangkefeng.wang@huawei.com \
--cc=zhangpeng362@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).