References: <20240119092024.193066-1-zhangpeng362@huawei.com> <5106a58e-04da-372a-b836-9d3d0bd2507b@huawei.com> <4f78fea2-ced6-fc5a-c7f2-b33fcd226f06@huawei.com>
In-Reply-To: <4f78fea2-ced6-fc5a-c7f2-b33fcd226f06@huawei.com>
From: Eric Dumazet
Date: Wed, 24 Jan 2024 11:11:47 +0100
Message-ID:
Subject: Re: SECURITY PROBLEM: Any user can crash the kernel with TCP ZEROCOPY
To: "zhangpeng (AS)"
Cc: Matthew Wilcox , linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, netdev@vger.kernel.org, akpm@linux-foundation.org, davem@davemloft.net, dsahern@kernel.org, kuba@kernel.org, pabeni@redhat.com, arjunroy@google.com, wangkefeng.wang@huawei.com

On Wed, Jan 24, 2024 at 10:30 AM zhangpeng (AS) wrote:
>
>
> By using git-bisect, the patch that introduces this issue is 05255b823a617
> ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive."). v4.18-rc1.
>
> Currently, there are no other repro or C reproduction programs that can reproduce
> the issue. The syz log used to reproduce the issue is as follows:
>
> r3 = socket$inet_tcp(0x2, 0x1, 0x0)
> mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
> r4 = socket$inet_tcp(0x2, 0x1, 0x0)
> bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
> connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
> r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
> 0x181e42, 0x0)
> fallocate(r5, 0x0, 0x0, 0x85b8818)
> sendfile(r4, r5, 0x0, 0x3000)
> getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
> &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0,
> 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x10)
> r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
> 0x181e42, 0x0)
>

Could you try the following fix then ?

(We also could remove the !skb_frag_off(frag) condition, as the
!PageCompound() is necessary it seems :/)

Thanks a lot !

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 1baa484d21902d2492fc2830d960100dc09683bf..ee954ae7778a651a9da4de057e3bafe35a6e10d6 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1785,7 +1785,9 @@ static skb_frag_t *skb_advance_to_frag(struct sk_buff *skb, u32 offset_skb,
 
 static bool can_map_frag(const skb_frag_t *frag)
 {
-	return skb_frag_size(frag) == PAGE_SIZE && !skb_frag_off(frag);
+	return skb_frag_size(frag) == PAGE_SIZE &&
+	       !skb_frag_off(frag) &&
+	       !PageCompound(skb_frag_page(frag));
 }
 
 static int find_next_mappable_frag(const skb_frag_t *frag,
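Review bot: the added `!PageCompound(skb_frag_page(frag))` test in can_map_frag() carries no comment saying why a fragment backed by a compound page must be refused by the TCP_ZEROCOPY_RECEIVE mapping path, and since this is the check that addresses a user-triggerable kernel crash bisected to 05255b823a617, the reader of this one-liner a year from now will want that reason in the code; suggest a short comment above the `return`, and a `Fixes: 05255b823a617 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive.")` tag plus the syzkaller reproducer in the commit message when the patch is posted. The reply also leaves open whether `!skb_frag_off(frag)` is still needed once the PageCompound check is in place, yet the hunk keeps both conditions; settle that before posting so the hunk and its description agree. Note the short-circuit order is sound as written: skb_frag_page() is only consulted after the size and offset checks pass.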