* [PATCH v2 bpf] bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx
@ 2024-10-30 16:18 zijianzhang
2024-11-01 22:12 ` Cong Wang
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: zijianzhang @ 2024-10-30 16:18 UTC (permalink / raw)
To: bpf
Cc: borisp, john.fastabend, kuba, davem, edumazet, pabeni, horms,
daniel, ast, stfomichev, netdev, Zijian Zhang
From: Zijian Zhang <zijianzhang@bytedance.com>
As the introduction of the support for vsock and unix sockets in sockmap,
tls_sw_has_ctx_tx/rx cannot presume the socket passed in must be IS_ICSK.
vsock and af_unix sockets have vsock_sock and unix_sock instead of
inet_connection_sock. For these sockets, tls_get_ctx may return an invalid
pointer and cause page fault in function tls_sw_ctx_rx.
BUG: unable to handle page fault for address: 0000000000040030
Workqueue: vsock-loopback vsock_loopback_work
RIP: 0010:sk_psock_strp_data_ready+0x23/0x60
Call Trace:
? __die+0x81/0xc3
? no_context+0x194/0x350
? do_page_fault+0x30/0x110
? async_page_fault+0x3e/0x50
? sk_psock_strp_data_ready+0x23/0x60
virtio_transport_recv_pkt+0x750/0x800
? update_load_avg+0x7e/0x620
vsock_loopback_work+0xd0/0x100
process_one_work+0x1a7/0x360
worker_thread+0x30/0x390
? create_worker+0x1a0/0x1a0
kthread+0x112/0x130
? __kthread_cancel_work+0x40/0x40
ret_from_fork+0x1f/0x40
v2:
- Add IS_ICSK check
Fixes: 0608c69c9a80 ("bpf: sk_msg, sock{map|hash} redirect through ULP")
Fixes: e91de6afa81c ("bpf: Fix running sk_skb program types with ktls")
Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
---
include/net/tls.h | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/include/net/tls.h b/include/net/tls.h
index 3a33924db2bc..61fef2880114 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -390,8 +390,12 @@ tls_offload_ctx_tx(const struct tls_context *tls_ctx)
static inline bool tls_sw_has_ctx_tx(const struct sock *sk)
{
- struct tls_context *ctx = tls_get_ctx(sk);
+ struct tls_context *ctx;
+
+ if (!sk_is_inet(sk) || !inet_test_bit(IS_ICSK, sk))
+ return false;
+ ctx = tls_get_ctx(sk);
if (!ctx)
return false;
return !!tls_sw_ctx_tx(ctx);
@@ -399,8 +403,12 @@ static inline bool tls_sw_has_ctx_tx(const struct sock *sk)
static inline bool tls_sw_has_ctx_rx(const struct sock *sk)
{
- struct tls_context *ctx = tls_get_ctx(sk);
+ struct tls_context *ctx;
+
+ if (!sk_is_inet(sk) || !inet_test_bit(IS_ICSK, sk))
+ return false;
+ ctx = tls_get_ctx(sk);
if (!ctx)
return false;
return !!tls_sw_ctx_rx(ctx);
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2 bpf] bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx
2024-10-30 16:18 [PATCH v2 bpf] bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx zijianzhang
@ 2024-11-01 22:12 ` Cong Wang
2024-11-03 20:15 ` Jakub Kicinski
2024-11-05 23:01 ` Martin KaFai Lau
2 siblings, 0 replies; 6+ messages in thread
From: Cong Wang @ 2024-11-01 22:12 UTC (permalink / raw)
To: zijianzhang
Cc: bpf, borisp, john.fastabend, kuba, davem, edumazet, pabeni, horms,
daniel, ast, stfomichev, netdev
On Wed, Oct 30, 2024 at 04:18:55PM +0000, zijianzhang@bytedance.com wrote:
> From: Zijian Zhang <zijianzhang@bytedance.com>
>
> As the introduction of the support for vsock and unix sockets in sockmap,
> tls_sw_has_ctx_tx/rx cannot presume the socket passed in must be IS_ICSK.
> vsock and af_unix sockets have vsock_sock and unix_sock instead of
> inet_connection_sock. For these sockets, tls_get_ctx may return an invalid
> pointer and cause page fault in function tls_sw_ctx_rx.
>
> BUG: unable to handle page fault for address: 0000000000040030
> Workqueue: vsock-loopback vsock_loopback_work
> RIP: 0010:sk_psock_strp_data_ready+0x23/0x60
> Call Trace:
> ? __die+0x81/0xc3
> ? no_context+0x194/0x350
> ? do_page_fault+0x30/0x110
> ? async_page_fault+0x3e/0x50
> ? sk_psock_strp_data_ready+0x23/0x60
> virtio_transport_recv_pkt+0x750/0x800
> ? update_load_avg+0x7e/0x620
> vsock_loopback_work+0xd0/0x100
> process_one_work+0x1a7/0x360
> worker_thread+0x30/0x390
> ? create_worker+0x1a0/0x1a0
> kthread+0x112/0x130
> ? __kthread_cancel_work+0x40/0x40
> ret_from_fork+0x1f/0x40
>
> v2:
> - Add IS_ICSK check
>
> Fixes: 0608c69c9a80 ("bpf: sk_msg, sock{map|hash} redirect through ULP")
> Fixes: e91de6afa81c ("bpf: Fix running sk_skb program types with ktls")
>
> Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
Reviewed-by: Cong Wang <cong.wang@bytedance.com>
Thanks.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2 bpf] bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx
2024-10-30 16:18 [PATCH v2 bpf] bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx zijianzhang
2024-11-01 22:12 ` Cong Wang
@ 2024-11-03 20:15 ` Jakub Kicinski
2024-11-06 0:27 ` [External] " Zijian Zhang
2024-11-05 23:01 ` Martin KaFai Lau
2 siblings, 1 reply; 6+ messages in thread
From: Jakub Kicinski @ 2024-11-03 20:15 UTC (permalink / raw)
To: zijianzhang
Cc: bpf, borisp, john.fastabend, davem, edumazet, pabeni, horms,
daniel, ast, stfomichev, netdev
On Wed, 30 Oct 2024 16:18:55 +0000 zijianzhang@bytedance.com wrote:
> As the introduction of the support for vsock and unix sockets in sockmap,
> tls_sw_has_ctx_tx/rx cannot presume the socket passed in must be IS_ICSK.
> vsock and af_unix sockets have vsock_sock and unix_sock instead of
> inet_connection_sock. For these sockets, tls_get_ctx may return an invalid
> pointer and cause page fault in function tls_sw_ctx_rx.
Since it's touching TLS code:
Acked-by: Jakub Kicinski <kuba@kernel.org>
I wonder if we should move these helpers to skmsg or such, since only
bpf uses them.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2 bpf] bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx
2024-10-30 16:18 [PATCH v2 bpf] bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx zijianzhang
2024-11-01 22:12 ` Cong Wang
2024-11-03 20:15 ` Jakub Kicinski
@ 2024-11-05 23:01 ` Martin KaFai Lau
2024-11-05 23:19 ` Martin KaFai Lau
2 siblings, 1 reply; 6+ messages in thread
From: Martin KaFai Lau @ 2024-11-05 23:01 UTC (permalink / raw)
To: zijianzhang
Cc: bpf, borisp, john.fastabend, kuba, davem, edumazet, pabeni, horms,
daniel, ast, stfomichev, netdev
On 10/30/24 9:18 AM, zijianzhang@bytedance.com wrote:
> From: Zijian Zhang <zijianzhang@bytedance.com>
>
> As the introduction of the support for vsock and unix sockets in sockmap,
> tls_sw_has_ctx_tx/rx cannot presume the socket passed in must be IS_ICSK.
> vsock and af_unix sockets have vsock_sock and unix_sock instead of
> inet_connection_sock. For these sockets, tls_get_ctx may return an invalid
> pointer and cause page fault in function tls_sw_ctx_rx.
> Fixes: 0608c69c9a80 ("bpf: sk_msg, sock{map|hash} redirect through ULP")
> Fixes: e91de6afa81c ("bpf: Fix running sk_skb program types with ktls")
Please tag the correct commit that introduced the bug. These SHAs are before the
vsock and unix sock support was added.
pw-bot: cr
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2 bpf] bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx
2024-11-05 23:01 ` Martin KaFai Lau
@ 2024-11-05 23:19 ` Martin KaFai Lau
0 siblings, 0 replies; 6+ messages in thread
From: Martin KaFai Lau @ 2024-11-05 23:19 UTC (permalink / raw)
To: zijianzhang
Cc: bpf, borisp, john.fastabend, kuba, davem, edumazet, pabeni, horms,
daniel, ast, stfomichev, netdev
On 11/5/24 3:01 PM, Martin KaFai Lau wrote:
> On 10/30/24 9:18 AM, zijianzhang@bytedance.com wrote:
>> From: Zijian Zhang <zijianzhang@bytedance.com>
>>
>> As the introduction of the support for vsock and unix sockets in sockmap,
>> tls_sw_has_ctx_tx/rx cannot presume the socket passed in must be IS_ICSK.
>> vsock and af_unix sockets have vsock_sock and unix_sock instead of
>> inet_connection_sock. For these sockets, tls_get_ctx may return an invalid
>> pointer and cause page fault in function tls_sw_ctx_rx.
>
>> Fixes: 0608c69c9a80 ("bpf: sk_msg, sock{map|hash} redirect through ULP")
>> Fixes: e91de6afa81c ("bpf: Fix running sk_skb program types with ktls")
>
> Please tag the correct commit that introduced the bug. These SHAs are before the
> vsock and unix sock support was added.
I just read the v1. Please also keep the "Acked-by: Stanislav Fomichev
<sdf@fomichev.me>".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [External] Re: [PATCH v2 bpf] bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx
2024-11-03 20:15 ` Jakub Kicinski
@ 2024-11-06 0:27 ` Zijian Zhang
0 siblings, 0 replies; 6+ messages in thread
From: Zijian Zhang @ 2024-11-06 0:27 UTC (permalink / raw)
To: Jakub Kicinski
Cc: bpf, borisp, john.fastabend, davem, edumazet, pabeni, horms,
daniel, ast, stfomichev, netdev
On 11/3/24 12:15 PM, Jakub Kicinski wrote:
> On Wed, 30 Oct 2024 16:18:55 +0000 zijianzhang@bytedance.com wrote:
>> As the introduction of the support for vsock and unix sockets in sockmap,
>> tls_sw_has_ctx_tx/rx cannot presume the socket passed in must be IS_ICSK.
>> vsock and af_unix sockets have vsock_sock and unix_sock instead of
>> inet_connection_sock. For these sockets, tls_get_ctx may return an invalid
>> pointer and cause page fault in function tls_sw_ctx_rx.
>
> Since it's touching TLS code:
>
> Acked-by: Jakub Kicinski <kuba@kernel.org>
>
> I wonder if we should move these helpers to skmsg or such, since only
> bpf uses them.
>
Agree, skmsg.h seems a better place for these two helpers.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-11-06 0:27 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-30 16:18 [PATCH v2 bpf] bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx zijianzhang
2024-11-01 22:12 ` Cong Wang
2024-11-03 20:15 ` Jakub Kicinski
2024-11-06 0:27 ` [External] " Zijian Zhang
2024-11-05 23:01 ` Martin KaFai Lau
2024-11-05 23:19 ` Martin KaFai Lau
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).