Date: Mon, 22 Jan 2024 17:12:26 +0000
From: Matthew Wilcox
To: Eric Dumazet
Cc: "zhangpeng (AS)", linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, netdev@vger.kernel.org, akpm@linux-foundation.org, davem@davemloft.net, dsahern@kernel.org, kuba@kernel.org, pabeni@redhat.com, arjunroy@google.com, wangkefeng.wang@huawei.com
Subject: Re: SECURITY PROBLEM: Any user can crash the kernel with TCP ZEROCOPY
References: <20240119092024.193066-1-zhangpeng362@huawei.com> <5106a58e-04da-372a-b836-9d3d0bd2507b@huawei.com>

On Mon, Jan 22, 2024 at 05:30:18PM +0100, Eric Dumazet wrote:
> On Mon, Jan 22, 2024 at 5:04 PM Matthew Wilcox wrote:
> > I'm disappointed to have no reaction from netdev so far.
> > Let's see if a more exciting subject line evinces some interest.
>
> Hmm, perhaps some of us were enjoying their weekend ?

I am all in favour of people taking time off!  However the report came
in on Friday at 9am UTC so it had been more than a work day for anyone
anywhere in the world without response.

> I don't really know what changed recently, all I know is that TCP zero
> copy is for real network traffic.
>
> Real traffic uses order-0 pages, 4K at a time.
>
> If can_map_frag() needs to add another safety check, let's add it.

So it's your opinion that people don't actually use sendfile() from
a local file, and we can make this fail to zerocopy?  That's good
because I had a slew of questions about what expectations we had around
cache coherency between pages mapped this way and write()/mmap() of
the original file.  If we can just disallow this, we don't need to
have a discussion about it.

> syzbot is usually quite good at bisections, was a bug origin found ?

I have the impression that Huawei run syzkaller themselves without
syzbot.  I suspect this bug has been there for a good long time.
Wonder why nobody's found it before; it doesn't seem complicated for a
fuzzer to stumble into.