From patchwork Fri Mar 27 03:24:07 2020
X-Patchwork-Submitter: Fletcher Dunn
X-Patchwork-Id: 1262515
X-Patchwork-Delegate: bpf@iogearbox.net
From: Fletcher Dunn
To: 'Alexei Starovoitov', 'Daniel Borkmann'
CC: 'Martin KaFai Lau', 'Song Liu', 'Yonghong Song', 'Andrii Nakryiko', "'netdev@vger.kernel.org'", "'bpf@vger.kernel.org'", Brandon Gilmore, "Steven Noonan"
Subject: [PATCH bpf-next] xsk: Init all ring members in xsk_umem__create and xsk_socket__create
Date: Fri, 27 Mar 2020 03:24:07 +0000
Message-ID: <85f12913cde94b19bfcb598344701c38@valvesoftware.com>

Fix a sharp edge in xsk_umem__create and xsk_socket__create. Almost all of the members of the ring buffer structs are initialized, but the "cached_xxx" variables are not all initialized. The caller is required to zero them. This is needlessly dangerous. The results if you don't do it can be very bad. For example, they can cause xsk_prod_nb_free and xsk_cons_nb_avail to return values greater than the size of the queue. xsk_ring_cons__peek can return an index that does not refer to an item that has been queued.

I have confirmed that without this change, my program misbehaves unless I memset the ring buffers to zero before calling the function. Afterwards, my program works without (or with) the memset.

Signed-off-by: Fletcher Dunn
Acked-by: Magnus Karlsson

diff --git a/tools/lib/bpf/xsk.c b/tools/lib/bpf/xsk.c index 9807903f121e..f7f4efb70a4c 100644
--- a/tools/lib/bpf/xsk.c +++ b/tools/lib/bpf/xsk.c @@ -280,7 +280,11 @@ int xsk_umem__create_v0_0_4(struct xsk_umem **umem_ptr, void *umem_area, fill->consumer = map + off.fr.consumer; fill->flags = map + off.fr.flags; fill->ring = map + off.fr.desc; - fill->cached_cons = umem->config.fill_size; + fill->cached_prod = *fill->producer; + /* cached_cons is "size" bigger than the real consumer pointer + * See xsk_prod_nb_free + */ + fill->cached_cons = *fill->consumer + umem->config.fill_size; map = mmap(NULL, off.cr.desc + umem->config.comp_size * sizeof(__u64), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, umem->fd, @@ -297,6 +301,8 @@ int xsk_umem__create_v0_0_4(struct xsk_umem **umem_ptr, void *umem_area, comp->consumer = map + off.cr.consumer; comp->flags = map + off.cr.flags; comp->ring = map + off.cr.desc; + comp->cached_prod = *comp->producer; + comp->cached_cons = *comp->consumer; *umem_ptr = umem; return 0; @@ -672,6 +678,8 @@ int xsk_socket__create(struct xsk_socket **xsk_ptr, const char *ifname, rx->consumer = rx_map + off.rx.consumer; rx->flags = rx_map + off.rx.flags; rx->ring = rx_map + off.rx.desc; + rx->cached_prod = *rx->producer; + rx->cached_cons = *rx->consumer; } xsk->rx = rx; @@ -691,7 +699,11 @@ int xsk_socket__create(struct xsk_socket **xsk_ptr, const char *ifname, tx->consumer = tx_map + off.tx.consumer; tx->flags = tx_map + off.tx.flags; tx->ring = tx_map + off.tx.desc; - tx->cached_cons = xsk->config.tx_size; + tx->cached_prod = *tx->producer; + /* cached_cons is r->size bigger than the real consumer pointer + * See xsk_prod_nb_free + */ + tx->cached_cons = *tx->consumer + xsk->config.tx_size; } xsk->tx = tx;
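Review bot: The changelog does not cover the second behaviour change in the @@ -280,7 +280,11 @@ hunk: `fill->cached_cons` was previously set to `umem->config.fill_size` alone and is now `*fill->consumer + umem->config.fill_size`. The commit message only discusses members that were left uninitialized, whereas this member was already initialized and simply assumed a consumer pointer of zero. Please state in the commit message whether the consumer pointer can be non-zero at create time, or that the read is there only for symmetry with the new `fill->cached_prod = *fill->producer;` line.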
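Review bot: Missing comment in the @@ -297,6 +301,8 @@ hunk: `comp->cached_cons = *comp->consumer;` carries no size offset, while the fill-ring assignment in the previous hunk adds `umem->config.fill_size`. The difference is right, since user space consumes from the completion ring rather than producing into it, but nothing at this spot says so. A one-line comment here would stop a later reader from "fixing" the asymmetry; the same goes for the `rx->cached_cons = *rx->consumer;` line in xsk_socket__create.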
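Review bot: The comment added in the @@ -691,7 +699,11 @@ hunk refers to `r->size`, but no `r` is visible in this hunk; the ring is `tx` and the value added is `xsk->config.tx_size`. The matching comment in the fill-ring hunk says "size" instead. Please use one wording in both places, name the value that is actually added, and end the first sentence with a period before "See xsk_prod_nb_free".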
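The failure the commit message describes, as an added example that is not part of the patch or of libbpf: a simplified model of a producer ring whose free-slot arithmetic follows the patch's comment about `cached_cons`. `model_ring`, `model_prod_nb_free`, `model_create` and `free_after_create` are hypothetical names, and the 0xAA fill stands in for constructed stale memory in a struct the caller did not zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical model of a producer ring; field names follow the patch. */
struct model_ring {
	uint32_t cached_prod;
	uint32_t cached_cons;	/* kept "size" ahead of the real consumer */
	uint32_t size;
	uint32_t *producer, *consumer;	/* kernel-shared in the real API */
};

/* Free slots from the cached values; refresh only when they look short. */
static uint32_t model_prod_nb_free(struct model_ring *r, uint32_t nb)
{
	uint32_t free_entries = r->cached_cons - r->cached_prod;
	if (free_entries >= nb)
		return free_entries;
	r->cached_cons = *r->consumer + r->size;
	return r->cached_cons - r->cached_prod;
}

/* patched == 0: only cached_cons is set, as in the removed lines.
 * patched != 0: both cached values are read from the shared pointers. */
static void model_create(struct model_ring *r, uint32_t size,
			 uint32_t *prod, uint32_t *cons, int patched)
{
	r->size = size;
	r->producer = prod;
	r->consumer = cons;
	r->cached_cons = patched ? *cons + size : size;
	if (patched)
		r->cached_prod = *prod;
}

/* Free count right after create when the struct held junk, not zeroes. */
static uint32_t free_after_create(int patched, int junk)
{
	uint32_t prod = 0, cons = 0;
	struct model_ring r;
	memset(&r, junk, sizeof(r));	/* constructed stale contents */
	model_create(&r, 2048, &prod, &cons, patched);
	return model_prod_nb_free(&r, 1);
}

int main(void)
{
	printf("unpatched: %u free of 2048\n", (unsigned)free_after_create(0, 0xAA));
	printf("patched:   %u free of 2048\n", (unsigned)free_after_create(1, 0xAA));
}
```

In the unpatched case the reported free count exceeds the ring size, so a caller that trusts it would reserve slots that do not exist.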