* [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
@ 2024-03-27 12:14 Jesper Dangaard Brouer
From: Jesper Dangaard Brouer @ 2024-03-27 12:14 UTC (permalink / raw)
To: netdev
Cc: Jesper Dangaard Brouer, arthurborsboom, Ilias Apalodimas, wei.liu,
paul, Jakub Kicinski, kirjanov, dkirjanov, kernel-team, security,
andrew.cooper3, xen-devel
Notice that skb_mark_for_recycle() is introduced later than fixes tag in
6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").

It is believed that the fixes tag was missing a call to page_pool_release_page()
between v5.9 and v5.14, after which it should have used skb_mark_for_recycle().
Since v6.6 the call page_pool_release_page() was removed (in 535b9c61bdef
("net: page_pool: hide page_pool_release_page()") and remaining callers
converted (in commit 6bfef2ec0172 ("Merge branch
'net-page_pool-remove-page_pool_release_page'")).

This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch
page_pool memory leaks").

Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
Reported-by: Arthur Borsboom <arthurborsboom@gmail.com>
Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org>
---
Compile tested only, can someone please test this
drivers/net/xen-netfront.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index ad29f370034e..8d2aee88526c 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct netfront_queue *queue)
return NULL;
}
skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
+ skb_mark_for_recycle(skb);
/* Align ip header to a 16 bytes boundary */
skb_reserve(skb, NET_IP_ALIGN);
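Review bot: The added skb_mark_for_recycle(skb) right after skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE) carries no comment, and the visible context does not show where page is allocated, so a reader of xennet_alloc_one_rx_buffer() cannot tell from this hunk why the mark is needed or that it is safe. Suggest a one-line comment above the call saying that the frag page belongs to a page_pool and that the mark lets the skb free path return it there, which is the leak the commit message describes. It is also worth confirming that no other place in the driver attaches a page_pool page to an skb without the same mark, since the patch is stated to be compile tested only.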
* Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
From: Marek Marczykowski-Górecki @ 2024-03-28 22:31 UTC (permalink / raw)
To: Jesper Dangaard Brouer
Cc: netdev, arthurborsboom, Ilias Apalodimas, wei.liu, paul,
Jakub Kicinski, kirjanov, dkirjanov, kernel-team, security,
andrew.cooper3, xen-devel
On Wed, Mar 27, 2024 at 01:14:56PM +0100, Jesper Dangaard Brouer wrote:
> Notice that skb_mark_for_recycle() is introduced later than fixes tag in
> 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
>
> It is believed that the fixes tag was missing a call to page_pool_release_page()
> between v5.9 and v5.14, after which it should have used skb_mark_for_recycle().
> Since v6.6 the call page_pool_release_page() was removed (in 535b9c61bdef
> ("net: page_pool: hide page_pool_release_page()") and remaining callers
> converted (in commit 6bfef2ec0172 ("Merge branch
> 'net-page_pool-remove-page_pool_release_page'")).
>
> This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch
> page_pool memory leaks").
>
> Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
> Reported-by: Arthur Borsboom <arthurborsboom@gmail.com>
> Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org>
> ---
> Compile tested only, can someone please test this
I've got a confirmation it fixes the issue:
https://github.com/QubesOS/qubes-linux-kernel/pull/926#issuecomment-2026226944
> drivers/net/xen-netfront.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> index ad29f370034e..8d2aee88526c 100644
> --- a/drivers/net/xen-netfront.c
> +++ b/drivers/net/xen-netfront.c
> @@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct netfront_queue *queue)
> return NULL;
> }
> skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
> + skb_mark_for_recycle(skb);
>
> /* Align ip header to a 16 bytes boundary */
> skb_reserve(skb, NET_IP_ALIGN);
>
>
>
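Review bot: The one added line, skb_mark_for_recycle(skb), uses a helper that the commit message itself says arrived later (6a5bcd84e886) than the commit named in the Fixes: tag (6c5aa6fc4def), so this hunk cannot be applied unchanged across the whole range the tag implies. Suggest spelling out in the commit message which stable versions take this exact hunk and that trees in the v5.9 to v5.14 range need a page_pool_release_page() call instead, so that backporters do not apply or drop it blindly.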
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
* Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
From: patchwork-bot+netdevbpf @ 2024-03-29 1:30 UTC (permalink / raw)
To: Jesper Dangaard Brouer
Cc: netdev, arthurborsboom, ilias.apalodimas, wei.liu, paul, kuba,
kirjanov, dkirjanov, kernel-team, security, andrew.cooper3,
xen-devel
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Wed, 27 Mar 2024 13:14:56 +0100 you wrote:
> Notice that skb_mark_for_recycle() is introduced later than fixes tag in
> 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
>
> It is believed that the fixes tag was missing a call to page_pool_release_page()
> between v5.9 and v5.14, after which it should have used skb_mark_for_recycle().
> Since v6.6 the call page_pool_release_page() was removed (in 535b9c61bdef
> ("net: page_pool: hide page_pool_release_page()") and remaining callers
> converted (in commit 6bfef2ec0172 ("Merge branch
> 'net-page_pool-remove-page_pool_release_page'")).
>
> [...]
Here is the summary with links:
- [net] xen-netfront: Add missing skb_mark_for_recycle
https://git.kernel.org/netdev/net/c/037965402a01
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
From: Arthur Borsboom @ 2024-03-29 9:47 UTC (permalink / raw)
To: Jesper Dangaard Brouer
Cc: netdev, Ilias Apalodimas, wei.liu, paul, Jakub Kicinski, kirjanov,
dkirjanov, kernel-team, security, andrew.cooper3, xen-devel
On Wed, 27 Mar 2024 at 13:15, Jesper Dangaard Brouer <hawk@kernel.org> wrote:
>
> Notice that skb_mark_for_recycle() is introduced later than fixes tag in
> 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
>
> It is believed that the fixes tag was missing a call to page_pool_release_page()
> between v5.9 and v5.14, after which it should have used skb_mark_for_recycle().
> Since v6.6 the call page_pool_release_page() was removed (in 535b9c61bdef
> ("net: page_pool: hide page_pool_release_page()") and remaining callers
> converted (in commit 6bfef2ec0172 ("Merge branch
> 'net-page_pool-remove-page_pool_release_page'")).
>
> This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch
> page_pool memory leaks").
>
> Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
> Reported-by: Arthur Borsboom <arthurborsboom@gmail.com>
> Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org>
> ---
> Compile tested only, can someone please test this
I have tested this patch on Xen 4.18.1 with VM (Arch Linux) kernel 6.9.0-rc1.
Without the patch there are many trace traces and cloning the Linux
mainline git repository resulted in failures (same with kernel 6.8.1).
The patched kernel 6.9.0-rc1 performs as expected; cloning the git
repository was successful and no kernel traces observed.
Hereby my tested by:
Tested-by: Arthur Borsboom <arthurborsboom@gmail.com>
> drivers/net/xen-netfront.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> index ad29f370034e..8d2aee88526c 100644
> --- a/drivers/net/xen-netfront.c
> +++ b/drivers/net/xen-netfront.c
> @@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct netfront_queue *queue)
> return NULL;
> }
> skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
> + skb_mark_for_recycle(skb);
>
> /* Align ip header to a 16 bytes boundary */
> skb_reserve(skb, NET_IP_ALIGN);
>
>
* Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
From: Arthur Borsboom @ 2024-04-02 8:20 UTC (permalink / raw)
To: Jesper Dangaard Brouer
Cc: netdev, Ilias Apalodimas, wei.liu, paul, Jakub Kicinski, kirjanov,
dkirjanov, kernel-team, security, andrew.cooper3, xen-devel
On Fri, 29 Mar 2024 at 10:47, Arthur Borsboom <arthurborsboom@gmail.com> wrote:
>
> On Wed, 27 Mar 2024 at 13:15, Jesper Dangaard Brouer <hawk@kernel.org> wrote:
> >
> > Notice that skb_mark_for_recycle() is introduced later than fixes tag in
> > 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
> >
> > It is believed that the fixes tag was missing a call to page_pool_release_page()
> > between v5.9 and v5.14, after which it should have used skb_mark_for_recycle().
> > Since v6.6 the call page_pool_release_page() was removed (in 535b9c61bdef
> > ("net: page_pool: hide page_pool_release_page()") and remaining callers
> > converted (in commit 6bfef2ec0172 ("Merge branch
> > 'net-page_pool-remove-page_pool_release_page'")).
> >
> > This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch
> > page_pool memory leaks").
> >
> > Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
> > Reported-by: Arthur Borsboom <arthurborsboom@gmail.com>
> > Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org>
> > ---
> > Compile tested only, can someone please test this
>
> I have tested this patch on Xen 4.18.1 with VM (Arch Linux) kernel 6.9.0-rc1.
>
> Without the patch there are many trace traces and cloning the Linux
> mainline git repository resulted in failures (same with kernel 6.8.1).
> The patched kernel 6.9.0-rc1 performs as expected; cloning the git
> repository was successful and no kernel traces observed.
> Hereby my tested by:
>
> Tested-by: Arthur Borsboom <arthurborsboom@gmail.com>
>
>
>
> > drivers/net/xen-netfront.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> > index ad29f370034e..8d2aee88526c 100644
> > --- a/drivers/net/xen-netfront.c
> > +++ b/drivers/net/xen-netfront.c
> > @@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct netfront_queue *queue)
> > return NULL;
> > }
> > skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
> > + skb_mark_for_recycle(skb);
> >
> > /* Align ip header to a 16 bytes boundary */
> > skb_reserve(skb, NET_IP_ALIGN);
> >
> >
I don't see this patch yet in linux-next.
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log
Any idea in which kernel release this patch will be included?
* Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
From: Arthur Borsboom @ 2024-04-02 20:25 UTC (permalink / raw)
To: Jesper Dangaard Brouer
Cc: netdev, Ilias Apalodimas, wei.liu, paul, Jakub Kicinski, kirjanov,
dkirjanov, kernel-team, security, andrew.cooper3, xen-devel
After having a better look, I have found the patch in linux-next
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=0cd74ffcf4fb0536718241d59d2c124578624d83
On Tue, 2 Apr 2024 at 10:20, Arthur Borsboom <arthurborsboom@gmail.com> wrote:
>
> On Fri, 29 Mar 2024 at 10:47, Arthur Borsboom <arthurborsboom@gmail.com> wrote:
> >
> > On Wed, 27 Mar 2024 at 13:15, Jesper Dangaard Brouer <hawk@kernel.org> wrote:
> > >
> > > Notice that skb_mark_for_recycle() is introduced later than fixes tag in
> > > 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
> > >
> > > It is believed that the fixes tag was missing a call to page_pool_release_page()
> > > between v5.9 and v5.14, after which it should have used skb_mark_for_recycle().
> > > Since v6.6 the call page_pool_release_page() was removed (in 535b9c61bdef
> > > ("net: page_pool: hide page_pool_release_page()") and remaining callers
> > > converted (in commit 6bfef2ec0172 ("Merge branch
> > > 'net-page_pool-remove-page_pool_release_page'")).
> > >
> > > This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch
> > > page_pool memory leaks").
> > >
> > > Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
> > > Reported-by: Arthur Borsboom <arthurborsboom@gmail.com>
> > > Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org>
> > > ---
> > > Compile tested only, can someone please test this
> >
> > I have tested this patch on Xen 4.18.1 with VM (Arch Linux) kernel 6.9.0-rc1.
> >
> > Without the patch there are many trace traces and cloning the Linux
> > mainline git repository resulted in failures (same with kernel 6.8.1).
> > The patched kernel 6.9.0-rc1 performs as expected; cloning the git
> > repository was successful and no kernel traces observed.
> > Hereby my tested by:
> >
> > Tested-by: Arthur Borsboom <arthurborsboom@gmail.com>
> >
> >
> >
> > > drivers/net/xen-netfront.c | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> > > index ad29f370034e..8d2aee88526c 100644
> > > --- a/drivers/net/xen-netfront.c
> > > +++ b/drivers/net/xen-netfront.c
> > > @@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct netfront_queue *queue)
> > > return NULL;
> > > }
> > > skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
> > > + skb_mark_for_recycle(skb);
> > >
> > > /* Align ip header to a 16 bytes boundary */
> > > skb_reserve(skb, NET_IP_ALIGN);
> > >
> > >
>
> I don't see this patch yet in linux-next.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log
>
> Any idea in which kernel release this patch will be included?
* Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
From: Greg KH @ 2024-04-25 15:13 UTC (permalink / raw)
To: George Dunlap
Cc: Jesper Dangaard Brouer, netdev, Ilias Apalodimas, wei.liu, paul,
Jakub Kicinski, kirjanov, dkirjanov, kernel-team, security,
andrew.cooper3, xen-devel
On Thu, Apr 25, 2024 at 02:39:38PM +0100, George Dunlap wrote:
> Greg,
>
> We're issuing an XSA for this; can you issue a CVE?
To ask for a cve, please contact cve@kernel.org as per our
documentation. Please provide the git id of the commit you wish to have
the cve assigned to.
thanks,
greg k-h
* Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
From: Andrew Cooper @ 2024-05-07 13:57 UTC (permalink / raw)
To: cve
Cc: Jesper Dangaard Brouer, netdev, Ilias Apalodimas, wei.liu, paul,
Jakub Kicinski, kirjanov, dkirjanov, kernel-team, security,
xen-devel, George Dunlap, Greg KH
Hello,
Please could we request a CVE for "xen-netfront: Add missing
skb_mark_for_recycle" which is 037965402a010898d34f4e35327d22c0a95cd51f
in Linus' tree.
This is a kernel memory leak trigger-able from unprivileged userspace.
I can't see any evidence of this fix having been assigned a CVE thus far
on the linux-cve-announce mailing list.
Thanks,
~Andrew
On 25/04/2024 4:13 pm, Greg KH wrote:
> On Thu, Apr 25, 2024 at 02:39:38PM +0100, George Dunlap wrote:
>> Greg,
>>
>> We're issuing an XSA for this; can you issue a CVE?
> To ask for a cve, please contact cve@kernel.org as per our
> documentation. Please provide the git id of the commit you wish to have
> the cve assigned to.
>
> thanks,
>
> greg k-h
* Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
From: Greg KH @ 2024-05-08 19:33 UTC (permalink / raw)
To: Andrew Cooper
Cc: cve, Jesper Dangaard Brouer, netdev, Ilias Apalodimas, wei.liu,
paul, Jakub Kicinski, kirjanov, dkirjanov, kernel-team, security,
xen-devel, George Dunlap
On Tue, May 07, 2024 at 02:57:08PM +0100, Andrew Cooper wrote:
> Hello,
>
> Please could we request a CVE for "xen-netfront: Add missing
> skb_mark_for_recycle" which is 037965402a010898d34f4e35327d22c0a95cd51f
> in Linus' tree.
>
> This is a kernel memory leak trigger-able from unprivileged userspace.
>
> I can't see any evidence of this fix having been assigned a CVE thus far
> on the linux-cve-announce mailing list.
CVE-2024-27393 is now created for this, thanks.
greg k-h