Message-ID: <4f78fea2-ced6-fc5a-c7f2-b33fcd226f06@huawei.com>
Date: Wed, 24 Jan 2024 17:30:23 +0800
From: "zhangpeng (AS)" <zhangpeng362@huawei.com>
Subject: Re: SECURITY PROBLEM: Any user can crash the kernel with TCP ZEROCOPY
To: Eric Dumazet, Matthew Wilcox
References: <20240119092024.193066-1-zhangpeng362@huawei.com> <5106a58e-04da-372a-b836-9d3d0bd2507b@huawei.com>
On 2024/1/23 1:39, Eric Dumazet wrote:
> On Mon, Jan 22, 2024 at 6:12 PM Matthew Wilcox wrote:
>> On Mon, Jan 22, 2024 at 05:30:18PM +0100, Eric Dumazet wrote:
>>> On Mon, Jan 22, 2024 at 5:04 PM Matthew Wilcox wrote:
>>>> I'm disappointed to have no reaction from netdev so far. Let's see if a
>>>> more exciting subject line evinces some interest.
>>> Hmm, perhaps some of us were enjoying their weekend?
>> I am all in favour of people taking time off! However the report came
>> in on Friday at 9am UTC so it had been more than a work day for anyone
>> anywhere in the world without response.
>>
>>> I don't really know what changed recently, all I know is that TCP zero
>>> copy is for real network traffic.
>>>
>>> Real traffic uses order-0 pages, 4K at a time.
>>>
>>> If can_map_frag() needs to add another safety check, let's add it.
>> So it's your opinion that people don't actually use sendfile() from
>> a local file, and we can make this fail to zerocopy?
> Certainly we do not do that at Google.
> I am not sure if anybody else would have used this.
>
>> That's good
>> because I had a slew of questions about what expectations we had around
>> cache coherency between pages mapped this way and write()/mmap() of
>> the original file. If we can just disallow this, we don't need to
>> have a discussion about it.
>>
>>> syzbot is usually quite good at bisections, was a bug origin found?
>> I have the impression that Huawei run syzkaller themselves without
>> syzbot. I suspect this bug has been there for a good long time.
>> Wonder why nobody's found it before; it doesn't seem complicated for a
>> fuzzer to stumble into.
> It is strange syzbot (the Google fuzzer) has not found this yet, I
> suspect it might be caused
> by a recent change somewhere?
>
> A repro would definitely help, I could start a bisection.

By using git-bisect, the patch that introduces this issue is
05255b823a617 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive.")
in v4.18-rc1.

Currently, there are no other repro or C reproduction programs that can
reproduce the issue. The syz log used to reproduce the issue is as follows:

r3 = socket$inet_tcp(0x2, 0x1, 0x0)
mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
r4 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0)
fallocate(r5, 0x0, 0x0, 0x85b8818)
sendfile(r4, r5, 0x0, 0x3000)
getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23, &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x10)
r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x181e42, 0x0)

-- 
Best Regards,
Peng