Re: [PATCH net-next] virtio-net: invoke zerocopy callback on xmit path if no tx napi
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: 2017-08-22 18:39:24
Possibly related (same subject, not in this thread)
- 2017-09-06 · Re: [PATCH net-next] virtio-net: invoke zerocopy callback on xmit path if no tx napi · "Michael S. Tsirkin" <mst@redhat.com>
- 2017-09-05 · Re: [PATCH net-next] virtio-net: invoke zerocopy callback on xmit path if no tx napi · Willem de Bruijn <willemdebruijn.kernel@gmail.com>
- 2017-09-04 · Re: [PATCH net-next] virtio-net: invoke zerocopy callback on xmit path if no tx napi · Jason Wang <jasowang@redhat.com>
- 2017-09-01 · Re: [PATCH net-next] virtio-net: invoke zerocopy callback on xmit path if no tx napi · Willem de Bruijn <willemdebruijn.kernel@gmail.com>
- 2017-09-01 · Re: [PATCH net-next] virtio-net: invoke zerocopy callback on xmit path if no tx napi · Willem de Bruijn <willemdebruijn.kernel@gmail.com>
On Tue, Aug 22, 2017 at 11:28:28AM -0700, Eric Dumazet wrote:
On Tue, 2017-08-22 at 11:01 -0700, David Miller wrote:quoted
From: "Michael S. Tsirkin" <mst@redhat.com> Date: Tue, 22 Aug 2017 20:55:56 +0300quoted
Which reminds me that skb_linearize in net core seems to be fundamentally racy - I suspect that if skb is cloned, and someone is trying to use the shared frags while another thread calls skb_linearize, we get some use after free bugs which likely mostly go undetected because the corrupted packets mostly go on wire and get dropped by checksum code.Indeed, it does assume that the skb from which the clone was made never has it's geometry changed. I don't think even the TCP retransmit queue has this guarantee.TCP retransmit makes sure to avoid that. if (skb_unclone(skb, GFP_ATOMIC)) return -ENOMEM; ( Before cloning again skb )
I'm pretty sure not all users of skb_clone or generally __pskb_pull_tail are careful like this. E.g. skb_cow_data actually intentionally pulls pages when skb is cloned. -- MST