From: Daniel Borkmann <dborkman@redhat.com>
To: David Miller <davem@davemloft.net>
Cc: tgraf@suug.ch, luto@amacapital.net,
torvalds@linux-foundation.org, kaber@trash.net,
netdev@vger.kernel.org
Subject: Re: Netlink mmap tx security?
Date: Wed, 17 Dec 2014 00:58:52 +0100 [thread overview]
Message-ID: <5490C73C.8010405@redhat.com> (raw)
In-Reply-To: <20141216.175817.576861457076632402.davem@davemloft.net>
On 12/16/2014 11:58 PM, David Miller wrote:
> From: Thomas Graf <tgraf@suug.ch>
> Date: Thu, 16 Oct 2014 08:07:53 +0100
>
>> On 10/16/14 at 08:45am, Daniel Borkmann wrote:
>>> On 10/15/2014 04:09 AM, David Miller wrote:
>>>> That would work as well.
>>>>
>>>> There are pros and cons to all of these approaches.
>>>>
>>>> I was thinking that if we do the "TX mmap --> copy to kernel buffer"
>>>> approach, then if in the future we find a way to make it work
>>>> reliably, we can avoid the copy. And frankly performance wise it's no
>>>> worse than what happens via normal sendmsg() calls.
>>>>
>>>> And all applications using NETLINK_RX_RING keep working and keep
>>>> getting the performance boost.
>>>
>>> That would be better, yes. This would avoid having such a TPACKET_V*
>>> API chaos we have in packet sockets if this could be fixed for netlink
>>> eventually.
>>
>> Only saw the second part of Dave's message now. I agree that this
>> is even a better option.
>
> Sorry for dropping the ball on this, here is the patch I have right
> now, any comments?
>
> ====================
> [PATCH] netlink: Always copy on mmap TX.
>
> Checking the file f_count and the nlk->mapped count is not completely
> sufficient to prevent the mmap'd area contents from changing from
> under us during netlink mmap sendmsg() operations.
>
> Be careful to sample the header's length field only once, because this
> could change from under us as well.
>
> Signed-off-by: David S. Miller <davem@davemloft.net>
Looks good to me, thanks for following up on this Dave!
Now this also leaves NETLINK_SKB_TX unused afterwards, so we should
get rid of these bits, too. It's only set in the broken 'exclusive'
path and tested for resetting the slot status in the skb destructor,
but _now_ we set it back immediately to NL_MMAP_STATUS_UNUSED instead
of a NL_MMAP_STATUS_RESERVED -> NL_MMAP_STATUS_UNUSED transition via
destructor.
The atomic (tx)ring->pending logic inside the send path seems also
unused now; similarly as in, resp. taken from packet sockets, it was
there to wait for completion (for blocking syscalls) until the
netlink_skb_destructor() has been invoked and thus the slot given
back to user space.
Anyways, above could probably be followed-up; other than that:
Fixes: 5fd96123ee19 ("netlink: implement memory mapped sendmsg()")
Acked-by: Daniel Borkmann <dborkman@redhat.com>
next prev parent reply other threads:[~2014-12-16 23:59 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CALCETrWsCqy7KEKPTOeHjrO1c2JE1E_seO_J+yA=sYFhS11NXQ@mail.gmail.com>
2014-05-12 21:08 ` Netlink mmap tx security? Andy Lutomirski
2014-10-11 22:29 ` Andy Lutomirski
2014-10-11 23:09 ` David Miller
2014-10-14 19:19 ` David Miller
2014-10-14 19:33 ` Andy Lutomirski
2014-10-14 20:00 ` David Miller
2014-10-14 22:16 ` Andy Lutomirski
2014-10-15 2:01 ` David Miller
2014-10-15 2:03 ` Andy Lutomirski
2014-10-15 2:09 ` David Miller
2014-10-16 6:45 ` Daniel Borkmann
2014-10-16 7:07 ` Thomas Graf
2014-12-16 22:58 ` David Miller
2014-12-16 23:58 ` Daniel Borkmann [this message]
2014-12-17 16:27 ` Thomas Graf
2014-12-18 17:36 ` David Miller
2014-12-17 0:02 ` Eric Dumazet
2014-12-17 16:26 ` Thomas Graf
2014-12-18 10:30 ` [PATCH net] netlink: Don't reorder loads/stores before marking mmap netlink frame as available Thomas Graf
2014-12-18 17:36 ` David Miller
2014-12-18 19:13 ` Linus Torvalds
2014-10-15 23:45 ` Netlink mmap tx security? Daniel Borkmann
2014-10-15 23:57 ` David Miller
2014-10-15 23:58 ` Andy Lutomirski
2014-10-16 3:34 ` David Miller
2014-10-16 5:52 ` Thomas Graf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5490C73C.8010405@redhat.com \
--to=dborkman@redhat.com \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=tgraf@suug.ch \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).