In patch [1], tun_msg_ctl was added to allow passing batched xdp buffers to
tun_sendmsg. Although we do not use msg_controllen in this path, we should
check msg_controllen to make sure the caller passes a valid msg_ctl.
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
Reported-by: Eric Dumazet <[email protected]>
Suggested-by: Jason Wang <[email protected]>
Signed-off-by: Harold Huang <[email protected]>
---
drivers/net/tap.c | 3 ++-
drivers/net/tun.c | 3 ++-
drivers/vhost/net.c | 1 +
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 8e3a28ba6b28..ba2ef5437e16 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1198,7 +1198,8 @@ static int tap_sendmsg(struct socket *sock, struct msghdr *m,
struct xdp_buff *xdp;
int i;
- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
for (i = 0; i < ctl->num; i++) {
xdp = &((struct xdp_buff *)ctl->ptr)[i];
tap_get_user_xdp(q, xdp);
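Review bot: the new condition in tap_sendmsg() does not reject a bad control length, it only skips the batch branch. A caller that passes msg_control with type TUN_MSG_PTR but a msg_controllen other than sizeof(struct tun_msg_ctl) falls through to whatever follows this if. If a mismatched length means the caller is broken, consider testing ctl and ctl->type first and returning -EINVAL when the length is wrong, so the error is visible instead of the call continuing down the non-batch path.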
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 969ea69fd29d..2a0d8a5d7aec 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2501,7 +2501,8 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)
if (!tun)
return -EBADFD;
- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
struct tun_page tpage;
int n = ctl->num;
int flush = 0, queued = 0;
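Review bot: the condition added at the top of the batch branch in tun_sendmsg() is a copy of the one added to tap_sendmsg() in this same patch. A small shared inline helper taking the msghdr and returning whether it carries a valid TUN_MSG_PTR control would keep the two checks from drifting apart if the validation is tightened later.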
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 28ef323882fb..792ab5f23647 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -473,6 +473,7 @@ static void vhost_tx_batch(struct vhost_net *net,
goto signal_used;
msghdr->msg_control = &ctl;
+ msghdr->msg_controllen = sizeof(ctl);
err = sock->ops->sendmsg(sock, msghdr, 0);
if (unlikely(err < 0)) {
vq_err(&nvq->vq, "Fail to batch sending packets\n");
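Review bot: the added msg_controllen assignment uses sizeof(ctl), while tun_sendmsg() and tap_sendmsg() compare against sizeof(struct tun_msg_ctl). The two agree only as long as ctl is declared as struct tun_msg_ctl. Using the same expression on both sides, or a short comment here noting that the receivers require this exact length, would make the coupling obvious to anyone changing either end.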
--
2.27.0
On Tue, 1 Mar 2022 14:43:14 +0800 Harold Huang wrote:
> In patch [1], tun_msg_ctl was added to allow passing batched xdp buffers to
> tun_sendmsg. Although we do not use msg_controllen in this path, we should
> check msg_controllen to make sure the caller passes a valid msg_ctl.
>
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
>
> Reported-by: Eric Dumazet <[email protected]>
> Suggested-by: Jason Wang <[email protected]>
> Signed-off-by: Harold Huang <[email protected]>
Would you mind resending the same patch? It looks like it depended on
your other change so the build bot was unable to apply and test it.
On Wed, Mar 2, 2022 at 10:05 AM Jakub Kicinski <[email protected]> wrote:
>
> On Tue, 1 Mar 2022 14:43:14 +0800 Harold Huang wrote:
> > In patch [1], tun_msg_ctl was added to allow passing batched xdp buffers to
> > tun_sendmsg. Although we do not use msg_controllen in this path, we should
> > check msg_controllen to make sure the caller passes a valid msg_ctl.
> >
> > [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
> >
> > Reported-by: Eric Dumazet <[email protected]>
> > Suggested-by: Jason Wang <[email protected]>
> > Signed-off-by: Harold Huang <[email protected]>
>
> Would you mind resending the same patch? It looks like it depended on
> your other change so the build bot was unable to apply and test it.
Yes, it depends on this patch [1] which has been applied to netdev. I
see this patch could be applied to netdev by git am. But if I use
another patch that could be applied to linux master, it could not be
applied to netdev anymore.
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=fb3f903769e8
In patch [1], tun_msg_ctl was added to allow passing batched xdp buffers to
tun_sendmsg. Although we do not use msg_controllen in this path, we should
check msg_controllen to make sure the caller passes a valid msg_ctl.
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
Reported-by: Eric Dumazet <[email protected]>
Suggested-by: Jason Wang <[email protected]>
Signed-off-by: Harold Huang <[email protected]>
---
drivers/net/tap.c | 3 ++-
drivers/net/tun.c | 3 ++-
drivers/vhost/net.c | 1 +
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 8e3a28ba6b28..ba2ef5437e16 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1198,7 +1198,8 @@ static int tap_sendmsg(struct socket *sock, struct msghdr *m,
struct xdp_buff *xdp;
int i;
- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
for (i = 0; i < ctl->num; i++) {
xdp = &((struct xdp_buff *)ctl->ptr)[i];
tap_get_user_xdp(q, xdp);
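Review bot: the length test in this condition confirms only that the control buffer has the size of struct tun_msg_ctl; the loop right below still takes ctl->num as its bound and indexes ctl->ptr as an array of struct xdp_buff with no further check visible here. Since the commit message states the goal as making sure the caller passes a valid msg_ctl, please note in a comment that num and ptr remain trusted to the caller, or add the bound check if one is intended.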
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 969ea69fd29d..2a0d8a5d7aec 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2501,7 +2501,8 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)
if (!tun)
return -EBADFD;
- if (ctl && (ctl->type == TUN_MSG_PTR)) {
+ if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
+ ctl && ctl->type == TUN_MSG_PTR) {
struct tun_page tpage;
int n = ctl->num;
int flush = 0, queued = 0;
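Review bot: the msg_controllen test added to this condition in tun_sendmsg() carries no comment, and the commit message itself says the field is not otherwise used in this path. A one-line comment above the if, saying the length is compared only to confirm that msg_control really points at a struct tun_msg_ctl, would save the next reader from wondering why an otherwise unused field gates the batch branch.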
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 28ef323882fb..792ab5f23647 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -473,6 +473,7 @@ static void vhost_tx_batch(struct vhost_net *net,
goto signal_used;
msghdr->msg_control = &ctl;
+ msghdr->msg_controllen = sizeof(ctl);
err = sock->ops->sendmsg(sock, msghdr, 0);
if (unlikely(err < 0)) {
vq_err(&nvq->vq, "Fail to batch sending packets\n");
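Review bot: msg_controllen is set just before the sendmsg call in vhost_tx_batch(), but the visible lines do not clear it, or msg_control, afterwards. If this msghdr is used again for later sends, please confirm both fields are reset together before that happens, so a stale length never accompanies a different control pointer now that the receivers act on the length.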
--
2.27.0
On 2022/3/3 10:24 AM, Harold Huang wrote:
> In patch [1], tun_msg_ctl was added to allow passing batched xdp buffers to
> tun_sendmsg. Although we do not use msg_controllen in this path, we should
> check msg_controllen to make sure the caller passes a valid msg_ctl.
>
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
>
> Reported-by: Eric Dumazet <[email protected]>
> Suggested-by: Jason Wang <[email protected]>
> Signed-off-by: Harold Huang <[email protected]>
Acked-by: Jason Wang <[email protected]>
> ---
> drivers/net/tap.c | 3 ++-
> drivers/net/tun.c | 3 ++-
> drivers/vhost/net.c | 1 +
> 3 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/tap.c b/drivers/net/tap.c
> index 8e3a28ba6b28..ba2ef5437e16 100644
> --- a/drivers/net/tap.c
> +++ b/drivers/net/tap.c
> @@ -1198,7 +1198,8 @@ static int tap_sendmsg(struct socket *sock, struct msghdr *m,
> struct xdp_buff *xdp;
> int i;
>
> - if (ctl && (ctl->type == TUN_MSG_PTR)) {
> + if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
> + ctl && ctl->type == TUN_MSG_PTR) {
> for (i = 0; i < ctl->num; i++) {
> xdp = &((struct xdp_buff *)ctl->ptr)[i];
> tap_get_user_xdp(q, xdp);
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 969ea69fd29d..2a0d8a5d7aec 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -2501,7 +2501,8 @@ static int tun_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len)
> if (!tun)
> return -EBADFD;
>
> - if (ctl && (ctl->type == TUN_MSG_PTR)) {
> + if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
> + ctl && ctl->type == TUN_MSG_PTR) {
> struct tun_page tpage;
> int n = ctl->num;
> int flush = 0, queued = 0;
> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> index 28ef323882fb..792ab5f23647 100644
> --- a/drivers/vhost/net.c
> +++ b/drivers/vhost/net.c
> @@ -473,6 +473,7 @@ static void vhost_tx_batch(struct vhost_net *net,
> goto signal_used;
>
> msghdr->msg_control = &ctl;
> + msghdr->msg_controllen = sizeof(ctl);
> err = sock->ops->sendmsg(sock, msghdr, 0);
> if (unlikely(err < 0)) {
> vq_err(&nvq->vq, "Fail to batch sending packets\n");
Hello:
This patch was applied to netdev/net-next.git (master)
by Jakub Kicinski <[email protected]>:
On Thu, 3 Mar 2022 10:24:40 +0800 you wrote:
> In patch [1], tun_msg_ctl was added to allow passing batched xdp buffers to
> tun_sendmsg. Although we do not use msg_controllen in this path, we should
> check msg_controllen to make sure the caller passes a valid msg_ctl.
>
> [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fe8dd45bb7556246c6b76277b1ba4296c91c2505
>
> Reported-by: Eric Dumazet <[email protected]>
> Suggested-by: Jason Wang <[email protected]>
> Signed-off-by: Harold Huang <[email protected]>
>
> [...]
Here is the summary with links:
- [net-next] tuntap: add sanity checks about msg_controllen in sendmsg
https://git.kernel.org/netdev/net-next/c/74a335a07a17
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html