[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] net/xen-netback: Break build if netback slots > max_skbs + 1



This change was suggested by Juergen and looked okay and straightforward to me.

On Wed, Oct 4, 2023 at 9:48 PM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
>
> On Wed, 27 Sep 2023 11:29:18 +0300 David Kahurani wrote:
> > If XEN_NETBK_LEGACY_SLOTS_MAX and MAX_SKB_FRAGS have a difference of
> > more than 1, with MAX_SKB_FRAGS being the lesser value, it opens up a
> > path for null-dereference. It was also noted that some distributions
> > were modifying upstream behaviour in that direction which necessitates
> > this patch.
>
> MAX_SKB_FRAGS can now be set via Kconfig, this allows us to create
> larger super-packets. Can XEN_NETBK_LEGACY_SLOTS_MAX be made relative
> to MAX_SKB_FRAGS, or does the number have to match between guest and
> host?

Historically, netback driver allows for a maximum of 18 fragments.
With recent changes, it also relies on the assumption that the
difference between MAX_SKB_FRAGS and XEN_NETBK_LEGACY_SLOTS_MAX is one
and MAX_SKB_FRAGS is the lesser value.

Now, look at Ubuntu kernel for instance( a change has been made and,
presumably, with good reason so we have reason to assume that the
change will persist in future releases).

/* To allow 64K frame to be packed as single skb without frag_list we
 * require 64K/PAGE_SIZE pages plus 1 additional page to allow for
 * buffers which do not start on a page boundary.
 *
 * Since GRO uses frags we allocate at least 16 regardless of page
 * size.
 */
#if (65536/PAGE_SIZE + 1) < 16
#define MAX_SKB_FRAGS 16UL
#else
#define MAX_SKB_FRAGS (65536/PAGE_SIZE + 1)
#endif

So, MAX_SKB_FRAGS can sometimes be 16. This is exactly what we're
trying to avoid with this patch. I host running with this change is
vulnerable to attack by the guest(though, this will only happen when
PAGE_SIZE > 4096).

Option #2 would be to add a Kconfig dependency for the driver
> to make sure high MAX_SKB_FRAGS is incompatible with it.

netback doesn't support larger super-packets. At least as of now. The
maximum number of fragments in a packet is 18. Any packets with the
number of fragments above that value from the guest are dropped. I
would assume that support for super-packets is probably something that
should be worked on or maybe even is already being worked on. However,
this is not the issue we are trying to fix in this patch.

>
> Breaking the build will make build bots very sad.

This patch build should not break build for upstream. It will only
break for those patching upstream behaviour. My intent is not to break
build bots but to alert someone building that netback doesn't work
with the particular MAX_SKB_FRAGS value. Seeing as they have modified
upstream behaviour, then, they might as well take a look at the issue
and make a decision themselves. Seeing as this issue will hit the
distros before it goes downstream, I don't think it should be a
problem for users.

>
> We'll also need a Fixes tag, I presume this is a fix?

Yeah, I guess that would be needed too.

> --
> pw-bot: cr



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.