[net,2/2] netdev: Enforce index cap in netdev_get_tx_queue

Commit Message

Nick Child March 17, 2023, 6:19 p.m. UTC

When requesting a TX queue at a given index, prevent out-of-bounds
referencing by ensuring that the index is within the allocated number
of queues.

If there is an out-of-bounds reference then inform the user and return
a reference to the first tx queue instead.

Fixes: e8a0464cc950 ("netdev: Allocate multiple queues for TX.")
Signed-off-by: Nick Child <nnac123@linux.ibm.com>
---
 include/linux/netdevice.h | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Piotr Raczynski March 17, 2023, 6:45 p.m. UTC | #1

On Fri, Mar 17, 2023 at 01:19:41PM -0500, Nick Child wrote:
> When requesting a TX queue at a given index, prevent out-of-bounds
> referencing by ensuring that the index is within the allocated number
> of queues.
> 
> If there is an out-of-bounds reference then inform the user and return
> a reference to the first tx queue instead.
> 
> Fixes: e8a0464cc950 ("netdev: Allocate multiple queues for TX.")
> Signed-off-by: Nick Child <nnac123@linux.ibm.com>
> ---
>  include/linux/netdevice.h | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> index 23b0d7eaaadd..fe88b1a7393d 100644
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -2482,6 +2482,13 @@ static inline
>  struct netdev_queue *netdev_get_tx_queue(const struct net_device *dev,
>  					 unsigned int index)
>  {
> +	if (unlikely(index >= dev->num_tx_queues)) {
> +		net_warn_ratelimited("%s selects TX queue %d, but number of TX queues is %d\n",
> +				     dev->name, index,
> +				     dev->num_tx_queues);
> +		return &dev->_tx[0];

Why return first queue here instead of NULL, wouldn't that confuse the
caller instead of return proper (NULL) value?

Piotr.
> +	}
> +
>  	return &dev->_tx[index];
>  }
>  
> -- 
> 2.31.1
>

Nick Child March 17, 2023, 7:01 p.m. UTC | #2

On 3/17/23 13:45, Piotr Raczynski wrote:
> On Fri, Mar 17, 2023 at 01:19:41PM -0500, Nick Child wrote:
>> When requesting a TX queue at a given index, prevent out-of-bounds
>> referencing by ensuring that the index is within the allocated number
>> of queues.
>>
>> If there is an out-of-bounds reference then inform the user and return
>> a reference to the first tx queue instead.
>>
>> Fixes: e8a0464cc950 ("netdev: Allocate multiple queues for TX.")
>> Signed-off-by: Nick Child <nnac123@linux.ibm.com>
>> ---
>>   include/linux/netdevice.h | 7 +++++++
>>   1 file changed, 7 insertions(+)
>>
>> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
>> index 23b0d7eaaadd..fe88b1a7393d 100644
>> --- a/include/linux/netdevice.h
>> +++ b/include/linux/netdevice.h
>> @@ -2482,6 +2482,13 @@ static inline
>>   struct netdev_queue *netdev_get_tx_queue(const struct net_device *dev,
>>   					 unsigned int index)
>>   {
>> +	if (unlikely(index >= dev->num_tx_queues)) {
>> +		net_warn_ratelimited("%s selects TX queue %d, but number of TX queues is %d\n",
>> +				     dev->name, index,
>> +				     dev->num_tx_queues);
>> +		return &dev->_tx[0];
> 
> Why return first queue here instead of NULL, wouldn't that confuse the
> caller instead of return proper (NULL) value?
> 

Thanks for reviewing Piotr.
netdev_get_tx_queue has over 300 callers, most of these calls
use the returned queue immediately without any checking on
the returned value. I don't expect all of these callers
to go and add conditionals to handle this case either.

So I opted for the warning message and a valid return value.
That being said, I am open to more opinions.


> Piotr.
>> +	}
>> +
>>   	return &dev->_tx[index];
>>   }
>>   
>> -- 
>> 2.31.1
>>

Jakub Kicinski March 21, 2023, 4:49 a.m. UTC | #3

On Fri, 17 Mar 2023 13:19:41 -0500 Nick Child wrote:
> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> index 23b0d7eaaadd..fe88b1a7393d 100644
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -2482,6 +2482,13 @@ static inline
>  struct netdev_queue *netdev_get_tx_queue(const struct net_device *dev,
>  					 unsigned int index)
>  {
> +	if (unlikely(index >= dev->num_tx_queues)) {
> +		net_warn_ratelimited("%s selects TX queue %d, but number of TX queues is %d\n",
> +				     dev->name, index,
> +				     dev->num_tx_queues);
> +		return &dev->_tx[0];
> +	}
> +

Should we maybe do DEBUG_NET_WARN_ON_ONCE() instead?
It will likely run multiple times per each Tx packet,
so I wonder if we really want to add a branch for what's
effectively defensive programming...

Patch

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 23b0d7eaaadd..fe88b1a7393d 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -2482,6 +2482,13 @@  static inline
 struct netdev_queue *netdev_get_tx_queue(const struct net_device *dev,
 					 unsigned int index)
 {
+	if (unlikely(index >= dev->num_tx_queues)) {
+		net_warn_ratelimited("%s selects TX queue %d, but number of TX queues is %d\n",
+				     dev->name, index,
+				     dev->num_tx_queues);
+		return &dev->_tx[0];
+	}
+
 	return &dev->_tx[index];
 }