| Message ID | 171154167446.2671062.9127105384591237363.stgit@firesoul (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 037965402a010898d34f4e35327d22c0a95cd51f |
| Headers | show |
| Series | [net] xen-netfront: Add missing skb_mark_for_recycle | expand |
On Wed, Mar 27, 2024 at 01:14:56PM +0100, Jesper Dangaard Brouer wrote: > Notice that skb_mark_for_recycle() is introduced later than fixes tag in > 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). > > It is believed that fixes tag were missing a call to page_pool_release_page() > between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). > Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef > ("net: page_pool: hide page_pool_release_page()") and remaining callers > converted (in commit 6bfef2ec0172 ("Merge branch > 'net-page_pool-remove-page_pool_release_page'")). > > This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch > page_pool memory leaks"). > > Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") > Reported-by: Arthur Borsboom <arthurborsboom@gmail.com> > Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org> > --- > Compile tested only, can someone please test this I've got a confirmation it fixes the issue: https://github.com/QubesOS/qubes-linux-kernel/pull/926#issuecomment-2026226944 > drivers/net/xen-netfront.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c > index ad29f370034e..8d2aee88526c 100644 > --- a/drivers/net/xen-netfront.c > +++ b/drivers/net/xen-netfront.c > @@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct netfront_queue *queue) > return NULL; > } > skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE); > + skb_mark_for_recycle(skb); > > /* Align ip header to a 16 bytes boundary */ > skb_reserve(skb, NET_IP_ALIGN); > > >
Hello: This patch was applied to netdev/net.git (main) by Jakub Kicinski <kuba@kernel.org>: On Wed, 27 Mar 2024 13:14:56 +0100 you wrote: > Notice that skb_mark_for_recycle() is introduced later than fixes tag in > 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). > > It is believed that fixes tag were missing a call to page_pool_release_page() > between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). > Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef > ("net: page_pool: hide page_pool_release_page()") and remaining callers > converted (in commit 6bfef2ec0172 ("Merge branch > 'net-page_pool-remove-page_pool_release_page'")). > > [...] Here is the summary with links: - [net] xen-netfront: Add missing skb_mark_for_recycle https://git.kernel.org/netdev/net/c/037965402a01 You are awesome, thank you!
On Wed, 27 Mar 2024 at 13:15, Jesper Dangaard Brouer <hawk@kernel.org> wrote: > > Notice that skb_mark_for_recycle() is introduced later than fixes tag in > 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). > > It is believed that fixes tag were missing a call to page_pool_release_page() > between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). > Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef > ("net: page_pool: hide page_pool_release_page()") and remaining callers > converted (in commit 6bfef2ec0172 ("Merge branch > 'net-page_pool-remove-page_pool_release_page'")). > > This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch > page_pool memory leaks"). > > Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") > Reported-by: Arthur Borsboom <arthurborsboom@gmail.com> > Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org> > --- > Compile tested only, can someone please test this I have tested this patch on Xen 4.18.1 with VM (Arch Linux) kernel 6.9.0-rc1. Without the patch there are many trace traces and cloning the Linux mainline git repository resulted in failures (same with kernel 6.8.1). The patched kernel 6.9.0-rc1 performs as expected; cloning the git repository was successful and no kernel traces observed. Hereby my tested by: Tested-by: Arthur Borsboom <arthurborsboom@gmail.com> > drivers/net/xen-netfront.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c > index ad29f370034e..8d2aee88526c 100644 > --- a/drivers/net/xen-netfront.c > +++ b/drivers/net/xen-netfront.c > @@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct netfront_queue *queue) > return NULL; > } > skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE); > + skb_mark_for_recycle(skb); > > /* Align ip header to a 16 bytes boundary */ > skb_reserve(skb, NET_IP_ALIGN); > >
On Fri, 29 Mar 2024 at 10:47, Arthur Borsboom <arthurborsboom@gmail.com> wrote: > > On Wed, 27 Mar 2024 at 13:15, Jesper Dangaard Brouer <hawk@kernel.org> wrote: > > > > Notice that skb_mark_for_recycle() is introduced later than fixes tag in > > 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). > > > > It is believed that fixes tag were missing a call to page_pool_release_page() > > between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). > > Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef > > ("net: page_pool: hide page_pool_release_page()") and remaining callers > > converted (in commit 6bfef2ec0172 ("Merge branch > > 'net-page_pool-remove-page_pool_release_page'")). > > > > This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch > > page_pool memory leaks"). > > > > Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") > > Reported-by: Arthur Borsboom <arthurborsboom@gmail.com> > > Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org> > > --- > > Compile tested only, can someone please test this > > I have tested this patch on Xen 4.18.1 with VM (Arch Linux) kernel 6.9.0-rc1. > > Without the patch there are many trace traces and cloning the Linux > mainline git repository resulted in failures (same with kernel 6.8.1). > The patched kernel 6.9.0-rc1 performs as expected; cloning the git > repository was successful and no kernel traces observed. > Hereby my tested by: > > Tested-by: Arthur Borsboom <arthurborsboom@gmail.com> > > > > > drivers/net/xen-netfront.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c > > index ad29f370034e..8d2aee88526c 100644 > > --- a/drivers/net/xen-netfront.c > > +++ b/drivers/net/xen-netfront.c > > @@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct netfront_queue *queue) > > return NULL; > > } > > skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE); > > + skb_mark_for_recycle(skb); > > > > /* Align ip header to a 16 bytes boundary */ > > skb_reserve(skb, NET_IP_ALIGN); > > > > I don't see this patch yet in linux-next. https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log Any idea in which kernel release this patch will be included?
After having a better look, I have found the patch in linux-next https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=0cd74ffcf4fb0536718241d59d2c124578624d83 On Tue, 2 Apr 2024 at 10:20, Arthur Borsboom <arthurborsboom@gmail.com> wrote: > > On Fri, 29 Mar 2024 at 10:47, Arthur Borsboom <arthurborsboom@gmail.com> wrote: > > > > On Wed, 27 Mar 2024 at 13:15, Jesper Dangaard Brouer <hawk@kernel.org> wrote: > > > > > > Notice that skb_mark_for_recycle() is introduced later than fixes tag in > > > 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). > > > > > > It is believed that fixes tag were missing a call to page_pool_release_page() > > > between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). > > > Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef > > > ("net: page_pool: hide page_pool_release_page()") and remaining callers > > > converted (in commit 6bfef2ec0172 ("Merge branch > > > 'net-page_pool-remove-page_pool_release_page'")). > > > > > > This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch > > > page_pool memory leaks"). > > > > > > Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") > > > Reported-by: Arthur Borsboom <arthurborsboom@gmail.com> > > > Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org> > > > --- > > > Compile tested only, can someone please test this > > > > I have tested this patch on Xen 4.18.1 with VM (Arch Linux) kernel 6.9.0-rc1. > > > > Without the patch there are many trace traces and cloning the Linux > > mainline git repository resulted in failures (same with kernel 6.8.1). > > The patched kernel 6.9.0-rc1 performs as expected; cloning the git > > repository was successful and no kernel traces observed. > > Hereby my tested by: > > > > Tested-by: Arthur Borsboom <arthurborsboom@gmail.com> > > > > > > > > > drivers/net/xen-netfront.c | 1 + > > > 1 file changed, 1 insertion(+) > > > > > > diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c > > > index ad29f370034e..8d2aee88526c 100644 > > > --- a/drivers/net/xen-netfront.c > > > +++ b/drivers/net/xen-netfront.c > > > @@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct netfront_queue *queue) > > > return NULL; > > > } > > > skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE); > > > + skb_mark_for_recycle(skb); > > > > > > /* Align ip header to a 16 bytes boundary */ > > > skb_reserve(skb, NET_IP_ALIGN); > > > > > > > > I don't see this patch yet in linux-next. > > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log > > Any idea in which kernel release this patch will be included?
Greg, We're issuing an XSA for this; can you issue a CVE? Thanks, -George Dunlap On Tue, Apr 2, 2024 at 9:25 PM Arthur Borsboom <arthurborsboom@gmail.com> wrote: > After having a better look, I have found the patch in linux-next > > > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=0cd74ffcf4fb0536718241d59d2c124578624d83 > > On Tue, 2 Apr 2024 at 10:20, Arthur Borsboom <arthurborsboom@gmail.com> > wrote: > > > > On Fri, 29 Mar 2024 at 10:47, Arthur Borsboom <arthurborsboom@gmail.com> > wrote: > > > > > > On Wed, 27 Mar 2024 at 13:15, Jesper Dangaard Brouer <hawk@kernel.org> > wrote: > > > > > > > > Notice that skb_mark_for_recycle() is introduced later than fixes > tag in > > > > 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). > > > > > > > > It is believed that fixes tag were missing a call to > page_pool_release_page() > > > > between v5.9 to v5.14, after which is should have used > skb_mark_for_recycle(). > > > > Since v6.6 the call page_pool_release_page() were removed (in > 535b9c61bdef > > > > ("net: page_pool: hide page_pool_release_page()") and remaining > callers > > > > converted (in commit 6bfef2ec0172 ("Merge branch > > > > 'net-page_pool-remove-page_pool_release_page'")). > > > > > > > > This leak became visible in v6.8 via commit dba1b8a7ab68 > ("mm/page_pool: catch > > > > page_pool memory leaks"). > > > > > > > > Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for > xen-netfront") > > > > Reported-by: Arthur Borsboom <arthurborsboom@gmail.com> > > > > Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org> > > > > --- > > > > Compile tested only, can someone please test this > > > > > > I have tested this patch on Xen 4.18.1 with VM (Arch Linux) kernel > 6.9.0-rc1. > > > > > > Without the patch there are many trace traces and cloning the Linux > > > mainline git repository resulted in failures (same with kernel 6.8.1). > > > The patched kernel 6.9.0-rc1 performs as expected; cloning the git > > > repository was successful and no kernel traces observed. > > > Hereby my tested by: > > > > > > Tested-by: Arthur Borsboom <arthurborsboom@gmail.com> > > > > > > > > > > > > > drivers/net/xen-netfront.c | 1 + > > > > 1 file changed, 1 insertion(+) > > > > > > > > diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c > > > > index ad29f370034e..8d2aee88526c 100644 > > > > --- a/drivers/net/xen-netfront.c > > > > +++ b/drivers/net/xen-netfront.c > > > > @@ -285,6 +285,7 @@ static struct sk_buff > *xennet_alloc_one_rx_buffer(struct netfront_queue *queue) > > > > return NULL; > > > > } > > > > skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE); > > > > + skb_mark_for_recycle(skb); > > > > > > > > /* Align ip header to a 16 bytes boundary */ > > > > skb_reserve(skb, NET_IP_ALIGN); > > > > > > > > > > > > I don't see this patch yet in linux-next. > > > > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log > > > > Any idea in which kernel release this patch will be included? >
On Thu, Apr 25, 2024 at 02:39:38PM +0100, George Dunlap wrote: > Greg, > > We're issuing an XSA for this; can you issue a CVE? To ask for a cve, please contact cve@kernel.org as per our documentation. Please provide the git id of the commit you wish to have the cve assigned to. thanks, greg k-h
Hello, Please could we request a CVE for "xen-netfront: Add missing skb_mark_for_recycle" which is 037965402a010898d34f4e35327d22c0a95cd51f in Linus' tree. This is a kernel memory leak trigger-able from unprivileged userspace. I can't see any evidence of this fix having been assigned a CVE thus far on the linux-cve-annouce mailing list. Thanks, ~Andrew On 25/04/2024 4:13 pm, Greg KH wrote: > On Thu, Apr 25, 2024 at 02:39:38PM +0100, George Dunlap wrote: >> Greg, >> >> We're issuing an XSA for this; can you issue a CVE? > To ask for a cve, please contact cve@kernel.org as per our > documentation. Please provide the git id of the commit you wish to have > the cve assigned to. > > thanks, > > greg k-h
On Tue, May 07, 2024 at 02:57:08PM +0100, Andrew Cooper wrote: > Hello, > > Please could we request a CVE for "xen-netfront: Add missing > skb_mark_for_recycle" which is 037965402a010898d34f4e35327d22c0a95cd51f > in Linus' tree. > > This is a kernel memory leak trigger-able from unprivileged userspace. > > I can't see any evidence of this fix having been assigned a CVE thus far > on the linux-cve-annouce mailing list. CVE-2024-27393 is now created for this, thanks. greg k-h
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c index ad29f370034e..8d2aee88526c 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct netfront_queue *queue) return NULL; } skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE); + skb_mark_for_recycle(skb); /* Align ip header to a 16 bytes boundary */ skb_reserve(skb, NET_IP_ALIGN);
Notice that skb_mark_for_recycle() is introduced later than fixes tag in 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). It is believed that fixes tag were missing a call to page_pool_release_page() between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef ("net: page_pool: hide page_pool_release_page()") and remaining callers converted (in commit 6bfef2ec0172 ("Merge branch 'net-page_pool-remove-page_pool_release_page'")). This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch page_pool memory leaks"). Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") Reported-by: Arthur Borsboom <arthurborsboom@gmail.com> Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org> --- Compile tested only, can someone please test this drivers/net/xen-netfront.c | 1 + 1 file changed, 1 insertion(+)