From: Eric Dumazet
Date: Tue, 18 Oct 2022 09:41:25 -0700
Subject: Re: [PATCH -next] tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
To: "luwei (O)"
Cc: davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, yoshfuji@linux-ipv6.org, dsahern@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org

On Tue, Oct 18, 2022 at 12:45 AM luwei (O) wrote:
>
>
> On 2022/10/12 8:31 PM, Eric Dumazet wrote:
> > On Wed, Oct 12, 2022 at 2:35 AM Lu Wei wrote:
> >> The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and
> >> in tcp_add_backlog(), the variable limit is calculated by adding
> >> sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value
> >> of u32 and be truncated. So change it to u64 to avoid a potential
> >> signed-integer-overflow, which leads to the opposite result being
> >> returned in the following function.
> >>
> >> Signed-off-by: Lu Wei
> > You need to add a Fixes: tag, please.
> >
> >> --- > >> include/net/sock.h | 4 ++-- > >> net/ipv4/tcp_ipv4.c | 6 ++++-- > >> 2 files changed, 6 insertions(+), 4 deletions(-) > >> > >> diff --git a/include/net/sock.h b/include/net/sock.h > >> index 08038a385ef2..fc0fa29d8865 100644 > >> --- a/include/net/sock.h > >> +++ b/include/net/sock.h
> >> @@ -1069,7 +1069,7 @@ static inline void __sk_add_backlog(struct sock = *sk, struct sk_buff *skb) > >> * Do not take into account this skb truesize, > >> * to allow even a single big packet to come. > >> */ > >> -static inline bool sk_rcvqueues_full(const struct sock *sk, unsigned = int limit) > >> +static inline bool sk_rcvqueues_full(const struct sock *sk, u64 limit= ) > >> { > >> unsigned int qsize =3D sk->sk_backlog.len + atomic_read(&sk->= sk_rmem_alloc);
> > qsize would then overflow :/
> >
> > I would rather limit sk_rcvbuf and sk_sndbuf to 0x7fff0000, instead of
> > 0x7ffffffe
> >
> > If really someone is using 2GB for both send and receive queues, I
> > doubt removing 64KB will be a problem.
> > .
>
> thanks for reply, I will change the type of qsize to u64 in V2. Besides,
> how to limit sk_rcvbuf and sk_sndbuf

Please do not add u64 where not really needed.

TCP stack is not ready for huge queues, we still have O(N)
pathological functions, especially when dealing with memory pressure.

Unless you want to solve this difficult problem, let's not send wrong signals.

>
> to 0x7ffff0000, do you mean in sysctl interface? If so, the variable
> limit will still overflow since it's calculated
>
> by adding sk_rcvbuf and sk_sndbuf.

u32 limit = (u32) rcvbuf + (u32) sndbuf + 64*1024;

does not overflow.

0x7fff0000U + 0x7fff0000U + 0x10000 = 0xffff0000

>
> --
> Best Regards,
> Lu Wei
>
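
Review bot: In the sk_rcvqueues_full() hunk, the parameter is widened to u64 limit while the unchanged context line still declares unsigned int qsize, so sk->sk_backlog.len + atomic_read(&sk->sk_rmem_alloc) is still summed in 32 bits and can wrap before it is compared with the 64-bit limit; the widening only moves the overflow. Suggest keeping limit at its 32-bit type and bounding the values that feed it so the caller's sum cannot wrap, or explaining in the changelog why qsize can never reach that range. The commit message should also carry a Fixes: tag, and it says the sum may exceed "the max value of u32" while the subject calls this a signed-integer overflow; state which of the two is meant.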
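
The arithmetic in the reply above, worked through as an added example (user-space C written for this page, not kernel code and not part of the original message). The function names are hypothetical, and the `qsize > limit` comparison is an assumed, simplified stand-in for the queue check; the two caps and the 64 * 1024 term are the values quoted in the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BACKLOG_SLACK (64u * 1024u) /* the 64 * 1024 term from the thread */
#define CAP_OLD 0x7ffffffe          /* per-buffer cap named in the thread */
#define CAP_NEW 0x7fff0000          /* cap suggested in the reply */

/* Exact sum in 64 bits, used only as the reference value. */
static uint64_t limit_exact(int rcvbuf, int sndbuf)
{
    return (uint64_t)rcvbuf + (uint64_t)sndbuf + BACKLOG_SLACK;
}

/* True if the same sum done with int operands would exceed INT_MAX. */
static bool limit_overflows_int(int rcvbuf, int sndbuf)
{
    return limit_exact(rcvbuf, sndbuf) > (uint64_t)INT32_MAX;
}

/* The form from the reply: cast each operand to u32 before adding. */
static uint32_t limit_u32(int rcvbuf, int sndbuf)
{
    return (uint32_t)rcvbuf + (uint32_t)sndbuf + BACKLOG_SLACK;
}

/* Assumed stand-in for the queue check: full when qsize exceeds limit. */
static bool rcvqueues_full(uint32_t qsize, uint32_t limit)
{
    return qsize > limit;
}

int main(void)
{
    const int caps[] = { CAP_OLD, CAP_NEW };

    for (int i = 0; i < 2; i++) {
        int c = caps[i];
        uint32_t lim = limit_u32(c, c);

        /* qsize of 1 MiB is a constructed sample queue size. */
        printf("cap=%#x exact=%#llx u32=%#x int_overflow=%d wrapped=%d full_at_1MiB=%d\n",
               (unsigned)c, (unsigned long long)limit_exact(c, c), (unsigned)lim,
               limit_overflows_int(c, c), limit_exact(c, c) != lim,
               rcvqueues_full(1u << 20, lim));
    }
    return 0;
}
```

With both buffers at 0x7ffffffe the u32 sum wraps to a limit below 64 KiB, so a 1 MiB queue is reported full; at 0x7fff0000 the sum still exceeds INT_MAX as a signed add but fits in u32 exactly.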