[RFC,v3,02/20] tcp: don't allow non-devmem originated ppiov

Message ID	20231219210357.4029713-3-dw@davidwei.uk (mailing list archive)
State	New
Headers	show Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 06E6D3A269 for <io-uring@vger.kernel.org>; Tue, 19 Dec 2023 21:04:07 +0000 (UTC) From: David Wei <dw@davidwei.uk> To: io-uring@vger.kernel.org, netdev@vger.kernel.org Cc: Jens Axboe <axboe@kernel.dk>, Pavel Begunkov <asml.silence@gmail.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jesper Dangaard Brouer <hawk@kernel.org>, David Ahern <dsahern@kernel.org>, Mina Almasry <almasrymina@google.com> Subject: [RFC PATCH v3 02/20] tcp: don't allow non-devmem originated ppiov Date: Tue, 19 Dec 2023 13:03:39 -0800 Message-Id: <20231219210357.4029713-3-dw@davidwei.uk> In-Reply-To: <20231219210357.4029713-1-dw@davidwei.uk> References: <20231219210357.4029713-1-dw@davidwei.uk> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Zero copy Rx using io_uring \| expand [RFC,v3,00/20] Zero copy Rx using io_uring [RFC,v3,01/20] net: page_pool: add ppiov mangling helper [RFC,v3,02/20] tcp: don't allow non-devmem originated ppiov [RFC,v3,03/20] net: page pool: rework ppiov life cycle [RFC,v3,04/20] net: enable napi_pp_put_page for ppiov [RFC,v3,05/20] net: page_pool: add ->scrub mem provider callback [RFC,v3,06/20] io_uring: separate header for exported net bits [RFC,v3,07/20] io_uring: add interface queue [RFC,v3,08/20] io_uring: add mmap support for shared ifq ringbuffers [RFC,v3,09/20] netdev: add XDP_SETUP_ZC_RX command [RFC,v3,10/20] io_uring: setup ZC for an Rx queue when registering an ifq [RFC,v3,11/20] io_uring/zcrx: implement socket registration [RFC,v3,12/20] io_uring: add ZC buf and pool [RFC,v3,13/20] io_uring: implement pp memory provider for zc rx [RFC,v3,14/20] net: page pool: add io_uring memory provider [RFC,v3,15/20] io_uring: add io_recvzc request [RFC,v3,16/20] net: execute custom callback from napi [RFC,v3,17/20] io_uring/zcrx: add copy fallback [RFC,v3,18/20] veth: add support for io_uring zc rx [RFC,v3,19/20] net: page pool: generalise ppiov dma address get [RFC,v3,20/20] bnxt: enable io_uring zc page pool

Message ID

20231219210357.4029713-3-dw@davidwei.uk (mailing list archive)

State

New

Headers

From: David Wei <dw@davidwei.uk>
To: io-uring@vger.kernel.org,
	netdev@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>,
	Pavel Begunkov <asml.silence@gmail.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jesper Dangaard Brouer <hawk@kernel.org>,
	David Ahern <dsahern@kernel.org>,
	Mina Almasry <almasrymina@google.com>
Subject: [RFC PATCH v3 02/20] tcp: don't allow non-devmem originated ppiov
Date: Tue, 19 Dec 2023 13:03:39 -0800
Message-Id: <20231219210357.4029713-3-dw@davidwei.uk>
In-Reply-To: <20231219210357.4029713-1-dw@davidwei.uk>
References: <20231219210357.4029713-1-dw@davidwei.uk>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Zero copy Rx using io_uring | expand

Commit Message

David Wei Dec. 19, 2023, 9:03 p.m. UTC

From: Pavel Begunkov <asml.silence@gmail.com>

NOT FOR UPSTREAM

There will be more users of struct page_pool_iov, and ppiovs from one
subsystem must not be used by another. That should never happen for any
sane application, but we need to enforce it in case of bufs and/or
malicious users.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: David Wei <dw@davidwei.uk>
---
 net/ipv4/tcp.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Mina Almasry Dec. 19, 2023, 11:24 p.m. UTC | #1

On Tue, Dec 19, 2023 at 1:04 PM David Wei <dw@davidwei.uk> wrote:
>
> From: Pavel Begunkov <asml.silence@gmail.com>
>
> NOT FOR UPSTREAM
>
> There will be more users of struct page_pool_iov, and ppiovs from one
> subsystem must not be used by another. That should never happen for any
> sane application, but we need to enforce it in case of bufs and/or
> malicious users.
>
> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
> Signed-off-by: David Wei <dw@davidwei.uk>
> ---
>  net/ipv4/tcp.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index 33a8bb63fbf5..9c6b18eebb5b 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -2384,6 +2384,13 @@ static int tcp_recvmsg_devmem(const struct sock *sk, const struct sk_buff *skb,
>                         }
>
>                         ppiov = skb_frag_page_pool_iov(frag);
> +
> +                       /* Disallow non devmem owned buffers */
> +                       if (ppiov->pp->p.memory_provider != PP_MP_DMABUF_DEVMEM) {
> +                               err = -ENODEV;
> +                               goto out;
> +                       }
> +

Instead of this, I maybe recommend modifying the skb->dmabuf flag? My
mental model is that flag means all the frags in the skb are
specifically dmabuf, not general ppiovs or net_iovs. Is it possible to
add skb->io_uring or something?

If that bloats the skb headers, then maybe we need another place to
put this flag. Maybe the [page_pool|net]_iov should declare whether
it's dmabuf or otherwise, and we can check frag[0] and assume all
frags are the same as frag0.

But IMO the page pool internals should not leak into the
implementation of generic tcp stack functions.

>                         end = start + skb_frag_size(frag);
>                         copy = end - offset;
>
> --
> 2.39.3
>

Pavel Begunkov Dec. 20, 2023, 1:29 a.m. UTC | #2

On 12/19/23 23:24, Mina Almasry wrote:
> On Tue, Dec 19, 2023 at 1:04 PM David Wei <dw@davidwei.uk> wrote:
>>
>> From: Pavel Begunkov <asml.silence@gmail.com>
>>
>> NOT FOR UPSTREAM
>>
>> There will be more users of struct page_pool_iov, and ppiovs from one
>> subsystem must not be used by another. That should never happen for any
>> sane application, but we need to enforce it in case of bufs and/or
>> malicious users.
>>
>> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
>> Signed-off-by: David Wei <dw@davidwei.uk>
>> ---
>>   net/ipv4/tcp.c | 7 +++++++
>>   1 file changed, 7 insertions(+)
>>
>> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
>> index 33a8bb63fbf5..9c6b18eebb5b 100644
>> --- a/net/ipv4/tcp.c
>> +++ b/net/ipv4/tcp.c
>> @@ -2384,6 +2384,13 @@ static int tcp_recvmsg_devmem(const struct sock *sk, const struct sk_buff *skb,
>>                          }
>>
>>                          ppiov = skb_frag_page_pool_iov(frag);
>> +
>> +                       /* Disallow non devmem owned buffers */
>> +                       if (ppiov->pp->p.memory_provider != PP_MP_DMABUF_DEVMEM) {
>> +                               err = -ENODEV;
>> +                               goto out;
>> +                       }
>> +
> 
> Instead of this, I maybe recommend modifying the skb->dmabuf flag? My
> mental model is that flag means all the frags in the skb are

That's a good point, we need to separate them, and I have it in my
todo list.

> specifically dmabuf, not general ppiovs or net_iovs. Is it possible to
> add skb->io_uring or something?

->io_uring flag is not feasible, converting ->devmem into a type
{page,devmem,iouring} is better but not great either.

> If that bloats the skb headers, then maybe we need another place to
> put this flag. Maybe the [page_pool|net]_iov should declare whether
> it's dmabuf or otherwise, and we can check frag[0] and assume all

ppiov->pp should be enough, either not mixing buffers from different
pools or comparing pp->ops or some pp->type.

> frags are the same as frag0.

I think I like this one the most. I think David Ahern mentioned
before, but would be nice having it on per frag basis and kill
->devmem flag. That would still stop collapsing if frags are
from different pools or so.

> But IMO the page pool internals should not leak into the
> implementation of generic tcp stack functions.

Mina Almasry Jan. 2, 2024, 4:11 p.m. UTC | #3

On Tue, Dec 19, 2023 at 5:34 PM Pavel Begunkov <asml.silence@gmail.com> wrote:
>
> On 12/19/23 23:24, Mina Almasry wrote:
> > On Tue, Dec 19, 2023 at 1:04 PM David Wei <dw@davidwei.uk> wrote:
> >>
> >> From: Pavel Begunkov <asml.silence@gmail.com>
> >>
> >> NOT FOR UPSTREAM
> >>
> >> There will be more users of struct page_pool_iov, and ppiovs from one
> >> subsystem must not be used by another. That should never happen for any
> >> sane application, but we need to enforce it in case of bufs and/or
> >> malicious users.
> >>
> >> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
> >> Signed-off-by: David Wei <dw@davidwei.uk>
> >> ---
> >>   net/ipv4/tcp.c | 7 +++++++
> >>   1 file changed, 7 insertions(+)
> >>
> >> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> >> index 33a8bb63fbf5..9c6b18eebb5b 100644
> >> --- a/net/ipv4/tcp.c
> >> +++ b/net/ipv4/tcp.c
> >> @@ -2384,6 +2384,13 @@ static int tcp_recvmsg_devmem(const struct sock *sk, const struct sk_buff *skb,
> >>                          }
> >>
> >>                          ppiov = skb_frag_page_pool_iov(frag);
> >> +
> >> +                       /* Disallow non devmem owned buffers */
> >> +                       if (ppiov->pp->p.memory_provider != PP_MP_DMABUF_DEVMEM) {
> >> +                               err = -ENODEV;
> >> +                               goto out;
> >> +                       }
> >> +
> >
> > Instead of this, I maybe recommend modifying the skb->dmabuf flag? My
> > mental model is that flag means all the frags in the skb are
>
> That's a good point, we need to separate them, and I have it in my
> todo list.
>
> > specifically dmabuf, not general ppiovs or net_iovs. Is it possible to
> > add skb->io_uring or something?
>
> ->io_uring flag is not feasible, converting ->devmem into a type
> {page,devmem,iouring} is better but not great either.
>
> > If that bloats the skb headers, then maybe we need another place to
> > put this flag. Maybe the [page_pool|net]_iov should declare whether
> > it's dmabuf or otherwise, and we can check frag[0] and assume all
>
> ppiov->pp should be enough, either not mixing buffers from different
> pools or comparing pp->ops or some pp->type.
>
> > frags are the same as frag0.
>
> I think I like this one the most. I think David Ahern mentioned
> before, but would be nice having it on per frag basis and kill
> ->devmem flag. That would still stop collapsing if frags are
> from different pools or so.
>

This sounds reasonable to me. I'll look into applying this change to
my next devmem TCP RFC, thanks.

> > But IMO the page pool internals should not leak into the
> > implementation of generic tcp stack functions.
>
> --
> Pavel Begunkov

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 33a8bb63fbf5..9c6b18eebb5b 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2384,6 +2384,13 @@  static int tcp_recvmsg_devmem(const struct sock *sk, const struct sk_buff *skb,
 			}
 
 			ppiov = skb_frag_page_pool_iov(frag);
+
+			/* Disallow non devmem owned buffers */
+			if (ppiov->pp->p.memory_provider != PP_MP_DMABUF_DEVMEM) {
+				err = -ENODEV;
+				goto out;
+			}
+
 			end = start + skb_frag_size(frag);
 			copy = end - offset;

[RFC,v3,02/20] tcp: don't allow non-devmem originated ppiov

Commit Message

Comments

Patch