Subject: Re: [PATCH NET-NEXT] ipv6: skb_expand_head() adjust skb->truesize incorrectly
To: Eric Dumazet, Christoph Paasch
Cc: "David S. Miller", Hideaki YOSHIFUJI, David Ahern, Jakub Kicinski, netdev, LKML, kernel@openvz.org, Julian Wiedmann, Alexey Kuznetsov
References: <6858f130-e6b4-1ba7-ed6f-58c00152be69@virtuozzo.com> <1c12b056-79d2-126a-3f78-64629f072345@gmail.com> <2d8a102a-d641-c6c1-b417-7a35efa4e5da@gmail.com>
From: Vasily Averin
Message-ID: <7a6588ad-00fe-cfb9-afcd-d8b31be229cd@virtuozzo.com>
Date: Fri, 27 Aug 2021 18:23:35 +0300
X-Mailing-List: linux-kernel@vger.kernel.org

On 8/24/21 1:23 AM, Eric Dumazet wrote:
> On 8/23/21 2:51 PM, Eric Dumazet wrote:
>> On 8/23/21 2:45 PM, Eric Dumazet wrote:
>>> On 8/23/21 10:25 AM, Christoph Paasch wrote:
>>>> Hello,
>>>>
>>>> On Mon, Aug 23, 2021 at 12:56 AM Vasily Averin wrote:
>>>>>
>>>>> Christoph Paasch reports [1] an incorrect skb->truesize
>>>>> after the skb_expand_head() call in ip6_xmit.
>>>>> This happens because skb_set_owner_w() for the newly cloned skb is called
>>>>> too early, before pskb_expand_head(), where truesize is adjusted for
>>>>> the (!skb->sk) case.
>>>>>
>>>>> [1] https://lkml.org/lkml/2021/8/20/1082
>>>>>
>>>>> Reported-by: Christoph Paasch
>>>>> Signed-off-by: Vasily Averin
>>>>> ---
>>>>> net/core/skbuff.c | 24 +++++++++++++-----------
>>>>> 1 file changed, 13 insertions(+), 11 deletions(-)
>>>>>
>>>>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
>>>>> index f931176..508d5c4 100644
>>>>> --- a/net/core/skbuff.c
>>>>> +++ b/net/core/skbuff.c
>>>>> @@ -1803,6 +1803,8 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, unsigned int headroom) >>>>> >>>>> struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom) >>>>> { >>>>> + struct sk_buff *oskb = skb; >>>>> + struct sk_buff *nskb = NULL; >>>>> int delta = headroom - skb_headroom(skb); >>>>> >>>>> if (WARN_ONCE(delta <= 0,
>>>>> @@ -1811,21 +1813,21 @@ struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom) >>>>> >>>>> /* pskb_expand_head() might crash, if skb is shared */ >>>>> if (skb_shared(skb)) { >>>>> - struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); >>>>> - >>>>> - if (likely(nskb)) { >>>>> - if (skb->sk) >>>>> - skb_set_owner_w(nskb, skb->sk); >>>>> - consume_skb(skb); >>>>> - } else { >>>>> - kfree_skb(skb); >>>>> - } >>>>> + nskb = skb_clone(skb, GFP_ATOMIC); >>>>> skb = nskb; >>>>> } >>>>> if (skb && >>>>> - pskb_expand_head(skb, SKB_DATA_ALIGN(delta), 0, GFP_ATOMIC)) { >>>>> - kfree_skb(skb); >>>>> + pskb_expand_head(skb, SKB_DATA_ALIGN(delta), 0, GFP_ATOMIC)) >>>>> skb = NULL; >>>>> + >>>>> + if (!skb) { >>>>> + kfree_skb(oskb); >>>>> + if (nskb) >>>>> + kfree_skb(nskb); >>>>> + } else if (nskb) { >>>>> + if (oskb->sk) >>>>> + skb_set_owner_w(nskb, oskb->sk); >>>>> + consume_skb(oskb);
>>>>
>>>> sorry, this does not fix the problem. The syzkaller repro still
>>>> triggers the WARN.
>>>>
>>>> When it happens, the skb in ip6_xmit() is not shared as it comes from
>>>> __tcp_transmit_skb, where it is skb_clone()'d.
>>>>
>>>
>>> Old code (in skb_realloc_headroom())
>>> was first calling skb2 = skb_clone(skb, GFP_ATOMIC);
>>>
>>> At this point, skb2->sk was NULL
>>> So pskb_expand_head(skb2, SKB_DATA_ALIGN(delta), 0, ...) was able to tweak skb2->truesize
>>>
>>> I would try:
>>>
>>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
>>> index f9311762cc475bd38d87c33e988d7c983b902e56..326749a8938637b044a616cc33b6a19ed191ac41 100644
>>> --- a/net/core/skbuff.c
>>> +++ b/net/core/skbuff.c
>>> @@ -1804,6 +1804,7 @@ EXPORT_SYMBOL(skb_realloc_headroom); >>> struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom) >>> { >>> int delta = headroom - skb_headroom(skb); >>> + struct sk_buff *oskb = NULL; >>> >>> if (WARN_ONCE(delta <= 0, >>> "%s is expecting an increase in the headroom", __func__))
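Review bot: the reordering in the second hunk of Vasily's patch only covers the skb_shared() branch, while the WARN reported for ip6_xmit() involves an unshared skb (Christoph notes it arrives from __tcp_transmit_skb already cloned), which still enters pskb_expand_head() with skb->sk set and so keeps its old truesize exactly as before. The headroom growth also has to be charged when the skb already has an owner, e.g. by adjusting skb->truesize and the owner's sk_wmem_alloc by the delta after pskb_expand_head() succeeds, instead of relying on the !skb->sk special case. Separately, the retained `skb_set_owner_w(nskb, oskb->sk);` still replaces the clone's destructor with sock_wfree(), which, as Eric points out below, drops tcp_wfree()/__sock_wfree() and affects TCP Small Queues.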
>>> @@ -1813,19 +1814,21 @@ struct sk_buff *skb_expand_head(struct sk_buff *skb, unsigned int headroom) >>> if (skb_shared(skb)) { >>> struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); >>> >>> - if (likely(nskb)) { >>> - if (skb->sk) >>> - skb_set_owner_w(nskb, skb->sk); >>> - consume_skb(skb); >>> - } else { >>> + if (unlikely(!nskb)) { >>> kfree_skb(skb); >>> + return NULL; >>> } >>> + oskb = skb; >>> skb = nskb; >>> } >>> - if (skb && >>> - pskb_expand_head(skb, SKB_DATA_ALIGN(delta), 0, GFP_ATOMIC)) { >>> + if (pskb_expand_head(skb, SKB_DATA_ALIGN(delta), 0, GFP_ATOMIC)) { >>> kfree_skb(skb); >>> - skb = NULL; >>> + kfree_skb(oskb); >>> + return NULL; >>> + } >>> + if (oskb) { >>> + skb_set_owner_w(skb, oskb->sk); >>> + consume_skb(oskb); >>> } >>> return skb; >>> }
>> Oh well, probably not going to work.
>>
>> We have to find a way to properly increase skb->truesize, even if skb_clone() is _not_ called.
>
> I also note that current use of skb_set_owner_w(), forcing skb->destructor to sock_wfree()
> is probably breaking TCP Small queues, since original skb->destructor would be tcp_wfree() or __sock_wfree()

I asked Alexey Kuznetsov to look at this problem. Below is his answer:

"I think the current scheme is obsolete. It was created when we had only two kinds of skb accounting (rmem & wmem), and with more kinds of accounting it just does not work. Even there we had ignored problems with adjusting accounting. Logically the best solution would be replacing ->destructor, set_owner* etc. with skb_ops.
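Review bot: in the second hunk of Eric's patch, `skb_set_owner_w(skb, oskb->sk);` now runs whenever oskb is set, but the removed lines guarded the call with `if (skb->sk)`; a shared skb that has no owning socket would pass a NULL sock into skb_set_owner_w(). Keep the guard (`if (oskb && oskb->sk)`) or only record oskb for owned skbs, and then consume_skb(oskb) unconditionally. More fundamentally, as the follow-up concedes, truesize is still only corrected when skb_clone() ran: an unshared skb that already carries skb->sk goes into pskb_expand_head() unchanged and its truesize is not increased, which is exactly the reported case.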
Something like:

    struct skb_ops {
        void (*init)(struct sk_buff *skb, struct skb_ops *ops, struct sock *owner);
        void (*fini)(struct sk_buff *skb);
        void (*update)(struct sk_buff *skb, int adjust);
        void (*inherit)(struct sk_buff *skb2, struct sk_buff *skb);
    };

init - is a replacement for skb_set_owner_r|w
fini - is a replacement for skb_orphan
update - is a new operation to be used in places where skb->truesize changes, instead of awful constructions like:

    if (!skb->sk || skb->destructor == sock_edemux)
        skb->truesize += size - osize;

Now it will look like:

    if (skb->ops)
        skb->ops->update(skb, size - osize);

inherit - is a replacement for also awful constructs like:

    if (skb->sk)
        skb_set_owner_w(skb2, skb->sk);

Now it will be:

    if (skb->ops)
        skb->ops->inherit(skb2, skb);

The implementation looks mostly obvious. Some troubles can only be with the new functionality: update of accounting was never done before.

A more efficient, functionally equivalent, but uglier and less flexible alternative would be removal of ->destructor, replaced with a small numeric indicator of ownership:

    enum {
        SKB_OWNER_NONE, /* aka destructor == NULL */
        SKB_OWNER_WMEM, /* aka destructor == sk_wfree */
        SKB_OWNER_RMEM, /* aka destructor == sk_rfree */
        SKB_OWNER_SK,   /* aka destructor == sk_edemux */
        SKB_OWNER_TCP,  /* aka destructor == tcp_wfree */
    };

And the same init, fini, inherit, update become functions w/o any indirect calls. Not sure it is really more efficient though."

Thank you,
Vasily Averin
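Alexey's skb_ops sketch, modelled as a self-contained userspace C program. This is an added example, not kernel code and not from anyone in the thread; struct sock, struct sk_buff, expand_head() and the model_* functions are constructed stand-ins. The wmem flavour charges the owning sock on init(), moves the delta through update() when the head grows and uncharges on fini(); use_ops=0 models today's rule, under which an owned skb's truesize is left unchanged, which is the mismatch the thread is about.

```c
/* Constructed userspace model of the skb_ops proposal above; not kernel code. */
struct sock { int wmem_alloc; };             /* stands in for sk->sk_wmem_alloc */
struct sk_buff { int truesize; struct sock *sk; struct skb_ops *ops; };
struct skb_ops {
    void (*init)(struct sk_buff *skb, struct skb_ops *ops, struct sock *owner);
    void (*fini)(struct sk_buff *skb);
    void (*update)(struct sk_buff *skb, int adjust);
    void (*inherit)(struct sk_buff *skb2, struct sk_buff *skb);
};
/* wmem flavour: charge on init, move the delta on update, uncharge on fini. */
static void wmem_init(struct sk_buff *skb, struct skb_ops *ops, struct sock *sk)
{ skb->sk = sk; skb->ops = ops; sk->wmem_alloc += skb->truesize; }
static void wmem_fini(struct sk_buff *skb)
{ skb->sk->wmem_alloc -= skb->truesize; skb->sk = 0; skb->ops = 0; }
static void wmem_update(struct sk_buff *skb, int adjust)
{ skb->truesize += adjust; skb->sk->wmem_alloc += adjust; }
static void wmem_inherit(struct sk_buff *skb2, struct sk_buff *skb)
{ skb->ops->init(skb2, skb->ops, skb->sk); }
static struct skb_ops wmem_ops = { wmem_init, wmem_fini, wmem_update, wmem_inherit };
/* Head grows by delta: use_ops=0 is today's rule (only an unowned skb is adjusted), use_ops=1 uses update(). */
static void expand_head(struct sk_buff *skb, int delta, int use_ops)
{
    if (use_ops && skb->ops)
        skb->ops->update(skb, delta);
    else if (!skb->sk)
        skb->truesize += delta;
}
/* Owned skb grows its head. Returns the truesize the owner was charged for,
 * or -1 if the charge disagrees with truesize or anything leaks after fini. */
int model_owned_expand(int initial, int delta, int use_ops)
{
    struct sock sk = { 0 }; struct sk_buff skb = { initial, 0, 0 };
    wmem_ops.init(&skb, &wmem_ops, &sk);
    expand_head(&skb, delta, use_ops);
    int ts = skb.truesize, charged = sk.wmem_alloc;
    skb.ops->fini(&skb);
    return (charged == ts && sk.wmem_alloc == 0) ? ts : -1;
}
/* A clone inherits ownership. Returns the peak charge, or -1 if anything leaks. */
int model_inherit(int truesize)
{
    struct sock sk = { 0 }; struct sk_buff skb = { truesize, 0, 0 }, skb2 = skb;
    wmem_ops.init(&skb, &wmem_ops, &sk);
    skb.ops->inherit(&skb2, &skb); /* was: if (skb->sk) skb_set_owner_w(skb2, skb->sk) */
    int peak = sk.wmem_alloc;
    skb.ops->fini(&skb); skb2.ops->fini(&skb2);
    return sk.wmem_alloc == 0 ? peak : -1;
}
```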