From: Eric Dumazet
Date: Thu, 25 Jan 2024 09:57:10 +0100
Subject: Re: SECURITY PROBLEM: Any user can crash the kernel with TCP ZEROCOPY
To: "zhangpeng (AS)"
Cc: Matthew Wilcox, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, netdev@vger.kernel.org, akpm@linux-foundation.org, davem@davemloft.net, dsahern@kernel.org, kuba@kernel.org, pabeni@redhat.com, arjunroy@google.com, wangkefeng.wang@huawei.com

On Thu, Jan 25, 2024 at 3:18 AM zhangpeng (AS) wrote:
>
> On 2024/1/24 18:11, Eric Dumazet wrote:
>
> > On Wed, Jan 24, 2024 at 10:30 AM zhangpeng (AS) wrote:
> >>
> >> By using git-bisect, the patch that introduces this issue is 05255b823a617
> >> ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive."). v4.18-rc1.
> >>
> >> Currently, there are no other repro or C reproduction programs that can reproduce
> >> the issue.
> >> The syz log used to reproduce the issue is as follows:
> >>
> >> r3 = socket$inet_tcp(0x2, 0x1, 0x0)
> >> mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
> >> r4 = socket$inet_tcp(0x2, 0x1, 0x0)
> >> bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
> >> connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
> >> r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
> >> 0x181e42, 0x0)
> >> fallocate(r5, 0x0, 0x0, 0x85b8818)
> >> sendfile(r4, r5, 0x0, 0x3000)
> >> getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
> >> &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0,
> >> 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x10)
> >> r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
> >> 0x181e42, 0x0)
> >>
> > Could you try the following fix then ?
> >
> > (We also could remove the !skb_frag_off(frag) condition, as the
> > !PageCompound() is necessary it seems :/)
> >
> > Thanks a lot !
> >
> > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> > index 1baa484d21902d2492fc2830d960100dc09683bf..ee954ae7778a651a9da4de057e3bafe35a6e10d6
> > 100644
> > --- a/net/ipv4/tcp.c
> > +++ b/net/ipv4/tcp.c
> > @@ -1785,7 +1785,9 @@ static skb_frag_t *skb_advance_to_frag(struct
> > sk_buff *skb, u32 offset_skb,
> >
> >  static bool can_map_frag(const skb_frag_t *frag)
> >  {
> > -	return skb_frag_size(frag) == PAGE_SIZE && !skb_frag_off(frag);
> > +	return skb_frag_size(frag) == PAGE_SIZE &&
> > +	       !skb_frag_off(frag) &&
> > +	       !PageCompound(skb_frag_page(frag));
> >  }
> >
> >  static int find_next_mappable_frag(const skb_frag_t *frag,
>
> This patch doesn't fix this issue. The page cache that can trigger this issue
> doesn't necessarily need to be compound. 🙁

Ah, too bad :/

So the issue is that the page had a mapping.

I am no mm expert, I am not sure if we need to add more tests (like
testing various illegal page flags) ?

Can you test this ? (I am still converting the repro into C)

Thanks.

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 1baa484d21902d2492fc2830d960100dc09683bf..2128015227a5066ea74b3911ecaefe7992da132f
100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1785,7 +1785,17 @@ static skb_frag_t *skb_advance_to_frag(struct sk_buff *skb, u32 offset_skb,

 static bool can_map_frag(const skb_frag_t *frag)
 {
-	return skb_frag_size(frag) == PAGE_SIZE && !skb_frag_off(frag);
+	struct page *page;
+
+	if (skb_frag_size(frag) != PAGE_SIZE || skb_frag_off(frag))
+		return false;
+
+	page = skb_frag_page(frag);
+
+	if (PageCompound(page) || page->mapping)
+		return false;
+
+	return true;
 }

 static int find_next_mappable_frag(const skb_frag_t *frag,
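Review bot: in the first (quoted) patch, the added `!PageCompound(skb_frag_page(frag))` term in can_map_frag() only rejects compound pages, and the reply directly below it reports that the page-cache pages which trigger the crash need not be compound, so the condition is necessary but not sufficient; the frag's page also has to be refused when it belongs to a mapping before it may be mapped into the caller's address space, which is what the second patch in this message adds with `page->mapping`.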
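Review bot: in the second patch, the `if (PageCompound(page) || page->mapping) return false;` test in can_map_frag() is what actually keeps the page-cache pages left in the receive queue by sendfile() out of TCP_ZEROCOPY_RECEIVE, but the hunk carries no comment and the message has no commit description; add a short comment above the check saying that pages owned by a mapping (page cache) and compound pages must never be mapped by zerocopy receive, and, since the quoted bisect names the offending commit, a `Fixes: 05255b823a617 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive.")` tag when this is submitted.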