From: Vlad Buslov <vladbu@nvidia.com>
To: Florian Westphal <fw@strlen.de>
Cc: <davem@davemloft.net>, <kuba@kernel.org>, <pablo@netfilter.org>,
<mathew.j.martineau@linux.intel.com>,
<matthieu.baerts@tessares.net>, <steffen.klassert@secunet.com>,
<herbert@gondor.apana.org.au>, <saeedm@mellanox.com>,
<netdev@vger.kernel.org>
Subject: Re: [PATCH net] net: zero-initialize skb extensions on allocation
Date: Mon, 24 May 2021 14:23:56 +0300 [thread overview]
Message-ID: <ygnhy2c48jeb.fsf@nvidia.com> (raw)
In-Reply-To: <20210524100137.GA3194@breakpoint.cc>
On Mon 24 May 2021 at 13:01, Florian Westphal <fw@strlen.de> wrote:
> Vlad Buslov <vladbu@nvidia.com> wrote:
>> Function skb_ext_add() doesn't initialize created skb extension with any
>> value and leaves it up to the user.
>
> That was intentional.
>
> Its unlikely that all extensions are active at the same time on same skb.
>
> This is also the reason why the extension struct uses offset addressing
> to get the extension data rather than the simpler
>
> skb_ext {
> struct sec_path sp;
> struct nf_bridge_info nfbr;
> ...
> }
>
> So adding e.g. mptcp extension will only touch 1 cacheline instead of 3
> (or more if more extensions get added in the future).
>
> IOW, i would prefer if tc would add tc_skb_add_ext() or similar and
> zero whats needed there.
Got it. Thanks for the explanation!
>
>> Fix the issue by changing __skb_ext_alloc() function to request
>> zero-initialized memory from kmem cache. Note that skb extension allocation
>> in skb_ext_maybe_cow() is not changed because newly allocated memory is
>> immediately overwritten with content of old skb extension so there is no
>> need to pre-initialize it.
>>
>> Multiple users of skb extension API have already been manually setting
>> newly allocated skb extension memory to zero. Remove such code and rely on
>> skb extension API instead.
>
> Are you sure its safe?
Apparently it is not, since you found a problem with nf_bridge_alloc :)
>
>> static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
>> {
>> #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
>> - struct nf_bridge_info *b = skb_ext_add(skb, SKB_EXT_BRIDGE_NF);
>> -
>> - if (b)
>> - memset(b, 0, sizeof(*b));
>> -
>> - return b;
>> + return skb_ext_add(skb, SKB_EXT_BRIDGE_NF);
>
> So in the (unlikely) case where skb_ext_add did not allocate a new
> extension, the memory is no longer cleared.
>
> If the skb had an nf_bridge_info extension previously that got
> discarded earlier via skb_ext_del() this now leaks the old content.
So what would you suggest: provide a dedicated wrapper for TC skb
extension that will memset resulting extension to zero or refactor my
patch to zero-initialize specific skb extension in skb_ext_add() (only
the extension requested and also when previously discarded extension is
reused)?
next prev parent reply other threads:[~2021-05-24 11:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-24 6:19 [PATCH net] net: zero-initialize skb extensions on allocation Vlad Buslov
2021-05-24 10:01 ` Florian Westphal
2021-05-24 11:23 ` Vlad Buslov [this message]
2021-05-24 17:13 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ygnhy2c48jeb.fsf@nvidia.com \
--to=vladbu@nvidia.com \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=matthieu.baerts@tessares.net \
--cc=netdev@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=saeedm@mellanox.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).