Re: [PATCH net-next 4/6] xdp: add multi-buff support to xdp_return_{buff/frame}

[PATCH net-next 0/6] mvneta: introduce XDP multi-buffer support · Lorenzo Bianconi <lorenzo@kernel.org> · 2020-08-19
[PATCH net-next 5/6] net: mvneta: add multi buffer support to XDP_TX · Lorenzo Bianconi <lorenzo@kernel.org> · 2020-08-19
[PATCH net-next 6/6] net: mvneta: enable jumbo frames for XDP · Lorenzo Bianconi <lorenzo@kernel.org> · 2020-08-19
Re: [PATCH net-next 6/6] net: mvneta: enable jumbo frames for XDP · Jakub Kicinski <kuba@kernel.org> · 2020-08-19
Re: [PATCH net-next 6/6] net: mvneta: enable jumbo frames for XDP · Lorenzo Bianconi <hidden> · 2020-08-19
Re: [PATCH net-next 6/6] net: mvneta: enable jumbo frames for XDP · Jakub Kicinski <kuba@kernel.org> · 2020-08-19
Re: [PATCH net-next 6/6] net: mvneta: enable jumbo frames for XDP · John Fastabend <john.fastabend@gmail.com> · 2020-08-19
Re: [PATCH net-next 6/6] net: mvneta: enable jumbo frames for XDP · Jesper Dangaard Brouer <hidden> · 2020-08-20
Re: [PATCH net-next 6/6] net: mvneta: enable jumbo frames for XDP · Lorenzo Bianconi <lorenzo@kernel.org> · 2020-08-20
[PATCH net-next 2/6] xdp: initialize xdp_buff mb bit to 0 in all XDP drivers · Lorenzo Bianconi <lorenzo@kernel.org> · 2020-08-19
[PATCH net-next 4/6] xdp: add multi-buff support to xdp_return_{buff/frame} · Lorenzo Bianconi <lorenzo@kernel.org> · 2020-08-19
Re: [PATCH net-next 4/6] xdp: add multi-buff support to xdp_return_{buff/frame} · Jesper Dangaard Brouer <hidden> · 2020-08-20
Re: [PATCH net-next 4/6] xdp: add multi-buff support to xdp_return_{buff/frame} · Lorenzo Bianconi <lorenzo@kernel.org> · 2020-08-20
[PATCH net-next 3/6] net: mvneta: update mb bit before passing the xdp buffer to eBPF layer · Lorenzo Bianconi <lorenzo@kernel.org> · 2020-08-19
Re: [PATCH net-next 3/6] net: mvneta: update mb bit before passing the xdp buffer to eBPF layer · Jesper Dangaard Brouer <hidden> · 2020-08-20
Re: [PATCH net-next 3/6] net: mvneta: update mb bit before passing the xdp buffer to eBPF layer · Lorenzo Bianconi <lorenzo@kernel.org> · 2020-08-20
Re: [PATCH net-next 3/6] net: mvneta: update mb bit before passing the xdp buffer to eBPF layer · Maciej Fijalkowski <maciej.fijalkowski@intel.com> · 2020-08-20
Re: [PATCH net-next 3/6] net: mvneta: update mb bit before passing the xdp buffer to eBPF layer · Lorenzo Bianconi <hidden> · 2020-08-21
[PATCH net-next 1/6] xdp: introduce mb in xdp_buff/xdp_frame · Lorenzo Bianconi <lorenzo@kernel.org> · 2020-08-19
Re: [PATCH net-next 1/6] xdp: introduce mb in xdp_buff/xdp_frame · Shay Agroskin <hidden> · 2020-08-23
Re: [PATCH net-next 1/6] xdp: introduce mb in xdp_buff/xdp_frame · Jesper Dangaard Brouer <hidden> · 2020-08-24
Re: [PATCH net-next 1/6] xdp: introduce mb in xdp_buff/xdp_frame · Shay Agroskin <hidden> · 2020-08-26
Re: [PATCH net-next 0/6] mvneta: introduce XDP multi-buffer support · Jesper Dangaard Brouer <hidden> · 2020-08-20
Re: [PATCH net-next 0/6] mvneta: introduce XDP multi-buffer support · Lorenzo Bianconi <hidden> · 2020-08-20

From: Lorenzo Bianconi <lorenzo@kernel.org>
Date: 2020-08-20 07:56:12
Also in: bpf

On Wed, 19 Aug 2020 15:13:49 +0200
Lorenzo Bianconi [off-list ref] wrote:

quoted

diff --git a/net/core/xdp.c b/net/core/xdp.c
index 884f140fc3be..006b24b5d276 100644
--- a/net/core/xdp.c
+++ b/net/core/xdp.c

@@ -370,19 +370,55 @@ static void __xdp_return(void *data, struct xdp_mem_info *mem, bool napi_direct)
 
 void xdp_return_frame(struct xdp_frame *xdpf)
 {
+	struct skb_shared_info *sinfo;
+	int i;
+
 	__xdp_return(xdpf->data, &xdpf->mem, false);

There is a use-after-free race here.  The xdpf->data contains the
shared_info (xdp_get_shared_info_from_frame(xdpf)). Thus you cannot
free/return the page and use this data area below.

right, thx for pointing this out. I will fix it in v2.

Regards,
Lorenzo

quoted

+	if (!xdpf->mb)
+		return;
+
+	sinfo = xdp_get_shared_info_from_frame(xdpf);
+	for (i = 0; i < sinfo->nr_frags; i++) {
+		struct page *page = skb_frag_page(&sinfo->frags[i]);
+
+		__xdp_return(page_address(page), &xdpf->mem, false);
+	}
 }
 EXPORT_SYMBOL_GPL(xdp_return_frame);
 
 void xdp_return_frame_rx_napi(struct xdp_frame *xdpf)
 {
+	struct skb_shared_info *sinfo;
+	int i;
+
 	__xdp_return(xdpf->data, &xdpf->mem, true);

Same issue.

quoted

+	if (!xdpf->mb)
+		return;
+
+	sinfo = xdp_get_shared_info_from_frame(xdpf);
+	for (i = 0; i < sinfo->nr_frags; i++) {
+		struct page *page = skb_frag_page(&sinfo->frags[i]);
+
+		__xdp_return(page_address(page), &xdpf->mem, true);
+	}
 }
 EXPORT_SYMBOL_GPL(xdp_return_frame_rx_napi);
 
 void xdp_return_buff(struct xdp_buff *xdp)
 {
+	struct skb_shared_info *sinfo;
+	int i;
+
 	__xdp_return(xdp->data, &xdp->rxq->mem, true);

Same issue.

quoted

+	if (!xdp->mb)
+		return;
+
+	sinfo = xdp_get_shared_info_from_buff(xdp);
+	for (i = 0; i < sinfo->nr_frags; i++) {
+		struct page *page = skb_frag_page(&sinfo->frags[i]);
+
+		__xdp_return(page_address(page), &xdp->rxq->mem, true);
+	}
 }



-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Principal Kernel Engineer at Red Hat
  LinkedIn: http://www.linkedin.com/in/brouer

Attachments

signature.asc [application/pgp-signature] 228 bytes

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help