* [PATCH bpf] bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled
@ 2024-10-30 10:48 Toke Høiland-Jørgensen
From: Toke Høiland-Jørgensen @ 2024-10-30 10:48 UTC
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Jesper Dangaard Brouer, Alexander Lobakin
Cc: bpf, netdev, syzbot+d121e098da06af416d23,
Toke Høiland-Jørgensen
The test_run code detects whether a page has been modified and
re-initialises the xdp_frame structure if it has, using
xdp_update_frame_from_buff(). However, xdp_update_frame_from_buff()
doesn't touch frame->mem, so that wasn't correctly re-initialised, which
led to the pages from page_pool not being returned correctly. Syzbot
noticed this as a memory leak.
Fix this by also copying the frame->mem structure when re-initialising
the frame, like we do on initialisation of a new page from page_pool.
Reported-by: syzbot+d121e098da06af416d23@syzkaller.appspotmail.com
Tested-by: syzbot+d121e098da06af416d23@syzkaller.appspotmail.com
Fixes: e5995bc7e2ba ("bpf, test_run: fix crashes due to XDP frame overwriting/corruption")
Fixes: b530e9e1063e ("bpf: Add "live packet" mode for XDP in BPF_PROG_RUN")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
---
net/bpf/test_run.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 6d7a442ceb89be15501069655a51671d6ddfaf0e..501ec4249fedc3d34fe39aff50eea66f82b88a11 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -246,6 +246,7 @@ static void reset_ctx(struct xdp_page_head *head)
head->ctx.data_meta = head->orig_ctx.data_meta;
head->ctx.data_end = head->orig_ctx.data_end;
xdp_update_frame_from_buff(&head->ctx, head->frame);
+ head->frame->mem = head->orig_ctx.rxq->mem;
}
static int xdp_recv_frames(struct xdp_frame **frames, int nframes,
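Review bot: the added assignment `head->frame->mem = head->orig_ctx.rxq->mem;` directly after `xdp_update_frame_from_buff(&head->ctx, head->frame);` is, per the commit message, the same two-statement sequence the page-initialisation path already uses, so consider folding both call sites into one small helper (update the frame from the buff, then restore frame->mem) so the reset path cannot drift from the init path again, which is exactly how this leak crept in. A one-line comment on the added line saying that xdp_update_frame_from_buff() deliberately leaves frame->mem untouched would also help, since nothing in the helper's name suggests that and a future reader may otherwise treat the assignment as redundant and drop it.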
---
base-commit: d0b98f6a17a5cb336121302bce0c97eb5fe32d16
change-id: 20241030-test-run-mem-fix-ac835c75ec3f
Best regards,
--
Toke Høiland-Jørgensen <toke@redhat.com>
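The commit message describes the mechanism in one sentence: after a page has been handed off and recycled, the xdp_frame living in its headroom is rebuilt from the saved context, but xdp_update_frame_from_buff() leaves frame->mem alone, so the return path later dispatches on stale memory-type information and the page never reaches the page_pool. The following is an added user-space model of that bookkeeping, not code from the patch, from the kernel or from the author: the types (struct page_head, struct pool), the clobbering step consume_and_recycle() and the dispatcher return_frame() are constructed stand-ins that only keep the fields the leak depends on, and the `fixed` flag on reset_ctx() switches between the pre-patch and post-patch behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel types (not the real definitions);
 * only the fields the leak depends on are modelled. */
enum mem_type { MEM_TYPE_PAGE_ORDER0 = 0, MEM_TYPE_PAGE_POOL = 1 };
struct mem_info { enum mem_type type; unsigned int id; };
struct rxq { struct mem_info mem; };
struct buff { unsigned char *data; unsigned char *data_end; struct rxq *rxq; };
struct frame { unsigned char *data; unsigned int len; struct mem_info mem; };

#define HEADROOM 64
#define PAGE_SZ 512

/* A page whose headroom holds the frame struct, as the real xdp_frame does. */
struct page { _Alignas(struct frame) unsigned char buf[PAGE_SZ]; };

/* Mirrors the fields of xdp_page_head that reset_ctx() touches. */
struct page_head { struct buff orig_ctx; struct buff ctx; struct frame *frame; };

/* Page-pool accounting for the model: a page is "leaked" when it is freed
 * through a path that never hands it back to the pool. */
struct pool { unsigned int id; int outstanding; int recycled; int leaked; };

/* Stand-in for xdp_update_frame_from_buff(): copies the buffer geometry
 * into the frame but, as the commit message states, leaves frame->mem alone. */
static void update_frame_from_buff(const struct buff *b, struct frame *f)
{
	f->data = b->data;
	f->len = (unsigned int)(b->data_end - b->data);
}

/* Stand-in for the page-initialisation path: it sets frame->mem explicitly. */
static void init_page(struct page_head *head, struct page *pg,
		      struct rxq *rxq, unsigned int pkt_len)
{
	head->frame = (struct frame *)pg->buf;
	head->ctx.data = pg->buf + HEADROOM;
	head->ctx.data_end = head->ctx.data + pkt_len;
	head->ctx.rxq = rxq;
	memcpy(&head->orig_ctx, &head->ctx, sizeof(head->orig_ctx));
	update_frame_from_buff(&head->ctx, head->frame);
	head->frame->mem = rxq->mem;
}

/* Assumption of the model: once the frame has been handed off and the page
 * recycled, the headroom (and so the frame struct) comes back clobbered. */
static void consume_and_recycle(struct page *pg)
{
	memset(pg->buf, 0, HEADROOM);
}

/* reset_ctx() before (fixed == false) and after (fixed == true) the patch.
 * The real function first checks frame_was_changed(); the model always resets. */
static void reset_ctx(struct page_head *head, bool fixed)
{
	head->ctx.data = head->orig_ctx.data;
	head->ctx.data_end = head->orig_ctx.data_end;
	update_frame_from_buff(&head->ctx, head->frame);
	if (fixed)
		head->frame->mem = head->orig_ctx.rxq->mem;
}

/* Stand-in for xdp_return_frame(): the return path is chosen by mem.type,
 * so a zeroed mem (MEM_TYPE_PAGE_ORDER0) bypasses the pool entirely. */
static void return_frame(struct pool *pool, const struct frame *f)
{
	if (f->mem.type == MEM_TYPE_PAGE_POOL && f->mem.id == pool->id) {
		pool->outstanding--;
		pool->recycled++;
	} else {
		pool->leaked++;
	}
}

/* One live-frame cycle: init, hand off, recycle, reset, return.
 * Returns the number of pool pages still outstanding afterwards:
 * 1 means the page was lost to the pool, 0 means it came back. */
int run_cycle(bool fixed)
{
	struct page pg;
	struct rxq rxq = { .mem = { MEM_TYPE_PAGE_POOL, 7 } };
	struct pool pool = { .id = 7, .outstanding = 1, .recycled = 0, .leaked = 0 };
	struct page_head head;

	memset(&pg, 0, sizeof(pg));
	init_page(&head, &pg, &rxq, 128);
	consume_and_recycle(&pg);
	reset_ctx(&head, fixed);
	return_frame(&pool, head.frame);
	return pool.outstanding;
}

int main(void)
{
	printf("before fix: %d page(s) outstanding\n", run_cycle(false));
	printf("after fix:  %d page(s) outstanding\n", run_cycle(true));
	return 0;
}
```

The point the model makes is that the frame's geometry (data, len) is fully recoverable from the saved context, so a reset that only restores geometry looks correct to every consumer except the one that decides where the page goes when it is freed; that consumer reads mem.type, and a clobbered value of zero is a valid type, which is why nothing crashed and the defect only surfaced as a leak.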
* Re: [PATCH bpf] bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled
From: Stanislav Fomichev @ 2024-10-30 14:43 UTC
To: Toke Høiland-Jørgensen
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Jesper Dangaard Brouer, Alexander Lobakin, bpf,
netdev, syzbot+d121e098da06af416d23
On 10/30, Toke Høiland-Jørgensen wrote:
> The test_run code detects whether a page has been modified and
> re-initialises the xdp_frame structure if it has, using
> xdp_update_frame_from_buff(). However, xdp_update_frame_from_buff()
> doesn't touch frame->mem, so that wasn't correctly re-initialised, which
> led to the pages from page_pool not being returned correctly. Syzbot
> noticed this as a memory leak.
>
> Fix this by also copying the frame->mem structure when re-initialising
> the frame, like we do on initialisation of a new page from page_pool.
>
> Reported-by: syzbot+d121e098da06af416d23@syzkaller.appspotmail.com
> Tested-by: syzbot+d121e098da06af416d23@syzkaller.appspotmail.com
> Fixes: e5995bc7e2ba ("bpf, test_run: fix crashes due to XDP frame overwriting/corruption")
> Fixes: b530e9e1063e ("bpf: Add "live packet" mode for XDP in BPF_PROG_RUN")
> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
* Re: [PATCH bpf] bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled
From: Alexander Lobakin @ 2024-10-30 15:54 UTC
To: Toke Høiland-Jørgensen
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Jesper Dangaard Brouer, bpf, netdev,
syzbot+d121e098da06af416d23
From: Toke Høiland-Jørgensen <toke@redhat.com>
Date: Wed, 30 Oct 2024 11:48:26 +0100
> The test_run code detects whether a page has been modified and
> re-initialises the xdp_frame structure if it has, using
> xdp_update_frame_from_buff(). However, xdp_update_frame_from_buff()
> doesn't touch frame->mem, so that wasn't correctly re-initialised, which
> led to the pages from page_pool not being returned correctly. Syzbot
> noticed this as a memory leak.
>
> Fix this by also copying the frame->mem structure when re-initialising
> the frame, like we do on initialisation of a new page from page_pool.
>
> Reported-by: syzbot+d121e098da06af416d23@syzkaller.appspotmail.com
> Tested-by: syzbot+d121e098da06af416d23@syzkaller.appspotmail.com
> Fixes: e5995bc7e2ba ("bpf, test_run: fix crashes due to XDP frame overwriting/corruption")
> Fixes: b530e9e1063e ("bpf: Add "live packet" mode for XDP in BPF_PROG_RUN")
> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Thanks,
Olek
* Re: [PATCH bpf] bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled
From: patchwork-bot+netdevbpf @ 2024-10-31 15:30 UTC
To: Toke Høiland-Jørgensen <toke@redhat.com>
Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
john.fastabend, kpsingh, sdf, haoluo, jolsa, davem, edumazet,
kuba, pabeni, horms, hawk, aleksander.lobakin, bpf, netdev,
syzbot+d121e098da06af416d23
Hello:
This patch was applied to bpf/bpf.git (master)
by Daniel Borkmann <daniel@iogearbox.net>:
On Wed, 30 Oct 2024 11:48:26 +0100 you wrote:
> The test_run code detects whether a page has been modified and
> re-initialises the xdp_frame structure if it has, using
> xdp_update_frame_from_buff(). However, xdp_update_frame_from_buff()
> doesn't touch frame->mem, so that wasn't correctly re-initialised, which
> led to the pages from page_pool not being returned correctly. Syzbot
> noticed this as a memory leak.
>
> [...]
Here is the summary with links:
- [bpf] bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled
https://git.kernel.org/bpf/bpf/c/c40dd8c47325
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html