Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
On Tue, May 07, 2024 at 02:57:08PM +0100, Andrew Cooper wrote: > Hello, > > Please could we request a CVE for "xen-netfront: Add missing > skb_mark_for_recycle" which is 037965402a010898d34f4e35327d22c0a95cd51f > in Linus' tree. > > This is a kernel memory leak trigger-able from unprivileged userspace. > > I can't see any evidence of this fix having been assigned a CVE thus far > on the linux-cve-annouce mailing list. CVE-2024-27393 is now created for this, thanks. greg k-h
Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
Hello, Please could we request a CVE for "xen-netfront: Add missing skb_mark_for_recycle" which is 037965402a010898d34f4e35327d22c0a95cd51f in Linus' tree. This is a kernel memory leak trigger-able from unprivileged userspace. I can't see any evidence of this fix having been assigned a CVE thus far on the linux-cve-annouce mailing list. Thanks, ~Andrew On 25/04/2024 4:13 pm, Greg KH wrote: > On Thu, Apr 25, 2024 at 02:39:38PM +0100, George Dunlap wrote: >> Greg, >> >> We're issuing an XSA for this; can you issue a CVE? > To ask for a cve, please contact c...@kernel.org as per our > documentation. Please provide the git id of the commit you wish to have > the cve assigned to. > > thanks, > > greg k-h
Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
On Thu, Apr 25, 2024 at 02:39:38PM +0100, George Dunlap wrote: > Greg, > > We're issuing an XSA for this; can you issue a CVE? To ask for a cve, please contact c...@kernel.org as per our documentation. Please provide the git id of the commit you wish to have the cve assigned to. thanks, greg k-h
Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
Greg,
We're issuing an XSA for this; can you issue a CVE?
Thanks,
-George Dunlap
On Tue, Apr 2, 2024 at 9:25 PM Arthur Borsboom
wrote:
> After having a better look, I have found the patch in linux-next
>
>
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=0cd74ffcf4fb0536718241d59d2c124578624d83
>
> On Tue, 2 Apr 2024 at 10:20, Arthur Borsboom
> wrote:
> >
> > On Fri, 29 Mar 2024 at 10:47, Arthur Borsboom
> wrote:
> > >
> > > On Wed, 27 Mar 2024 at 13:15, Jesper Dangaard Brouer
> wrote:
> > > >
> > > > Notice that skb_mark_for_recycle() is introduced later than fixes
> tag in
> > > > 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
> > > >
> > > > It is believed that fixes tag were missing a call to
> page_pool_release_page()
> > > > between v5.9 to v5.14, after which is should have used
> skb_mark_for_recycle().
> > > > Since v6.6 the call page_pool_release_page() were removed (in
> 535b9c61bdef
> > > > ("net: page_pool: hide page_pool_release_page()") and remaining
> callers
> > > > converted (in commit 6bfef2ec0172 ("Merge branch
> > > > 'net-page_pool-remove-page_pool_release_page'")).
> > > >
> > > > This leak became visible in v6.8 via commit dba1b8a7ab68
> ("mm/page_pool: catch
> > > > page_pool memory leaks").
> > > >
> > > > Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for
> xen-netfront")
> > > > Reported-by: Arthur Borsboom
> > > > Signed-off-by: Jesper Dangaard Brouer
> > > > ---
> > > > Compile tested only, can someone please test this
> > >
> > > I have tested this patch on Xen 4.18.1 with VM (Arch Linux) kernel
> 6.9.0-rc1.
> > >
> > > Without the patch there are many trace traces and cloning the Linux
> > > mainline git repository resulted in failures (same with kernel 6.8.1).
> > > The patched kernel 6.9.0-rc1 performs as expected; cloning the git
> > > repository was successful and no kernel traces observed.
> > > Hereby my tested by:
> > >
> > > Tested-by: Arthur Borsboom
> > >
> > >
> > >
> > > > drivers/net/xen-netfront.c |1 +
> > > > 1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> > > > index ad29f370034e..8d2aee88526c 100644
> > > > --- a/drivers/net/xen-netfront.c
> > > > +++ b/drivers/net/xen-netfront.c
> > > > @@ -285,6 +285,7 @@ static struct sk_buff
> *xennet_alloc_one_rx_buffer(struct netfront_queue *queue)
> > > > return NULL;
> > > > }
> > > > skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
> > > > + skb_mark_for_recycle(skb);
> > > >
> > > > /* Align ip header to a 16 bytes boundary */
> > > > skb_reserve(skb, NET_IP_ALIGN);
> > > >
> > > >
> >
> > I don't see this patch yet in linux-next.
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log
> >
> > Any idea in which kernel release this patch will be included?
>
Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
After having a better look, I have found the patch in linux-next
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=0cd74ffcf4fb0536718241d59d2c124578624d83
On Tue, 2 Apr 2024 at 10:20, Arthur Borsboom wrote:
>
> On Fri, 29 Mar 2024 at 10:47, Arthur Borsboom
> wrote:
> >
> > On Wed, 27 Mar 2024 at 13:15, Jesper Dangaard Brouer
> > wrote:
> > >
> > > Notice that skb_mark_for_recycle() is introduced later than fixes tag in
> > > 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
> > >
> > > It is believed that fixes tag were missing a call to
> > > page_pool_release_page()
> > > between v5.9 to v5.14, after which is should have used
> > > skb_mark_for_recycle().
> > > Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef
> > > ("net: page_pool: hide page_pool_release_page()") and remaining callers
> > > converted (in commit 6bfef2ec0172 ("Merge branch
> > > 'net-page_pool-remove-page_pool_release_page'")).
> > >
> > > This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool:
> > > catch
> > > page_pool memory leaks").
> > >
> > > Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for
> > > xen-netfront")
> > > Reported-by: Arthur Borsboom
> > > Signed-off-by: Jesper Dangaard Brouer
> > > ---
> > > Compile tested only, can someone please test this
> >
> > I have tested this patch on Xen 4.18.1 with VM (Arch Linux) kernel
> > 6.9.0-rc1.
> >
> > Without the patch there are many trace traces and cloning the Linux
> > mainline git repository resulted in failures (same with kernel 6.8.1).
> > The patched kernel 6.9.0-rc1 performs as expected; cloning the git
> > repository was successful and no kernel traces observed.
> > Hereby my tested by:
> >
> > Tested-by: Arthur Borsboom
> >
> >
> >
> > > drivers/net/xen-netfront.c |1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> > > index ad29f370034e..8d2aee88526c 100644
> > > --- a/drivers/net/xen-netfront.c
> > > +++ b/drivers/net/xen-netfront.c
> > > @@ -285,6 +285,7 @@ static struct sk_buff
> > > *xennet_alloc_one_rx_buffer(struct netfront_queue *queue)
> > > return NULL;
> > > }
> > > skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
> > > + skb_mark_for_recycle(skb);
> > >
> > > /* Align ip header to a 16 bytes boundary */
> > > skb_reserve(skb, NET_IP_ALIGN);
> > >
> > >
>
> I don't see this patch yet in linux-next.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log
>
> Any idea in which kernel release this patch will be included?
Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
On Fri, 29 Mar 2024 at 10:47, Arthur Borsboom wrote:
>
> On Wed, 27 Mar 2024 at 13:15, Jesper Dangaard Brouer wrote:
> >
> > Notice that skb_mark_for_recycle() is introduced later than fixes tag in
> > 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
> >
> > It is believed that fixes tag were missing a call to
> > page_pool_release_page()
> > between v5.9 to v5.14, after which is should have used
> > skb_mark_for_recycle().
> > Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef
> > ("net: page_pool: hide page_pool_release_page()") and remaining callers
> > converted (in commit 6bfef2ec0172 ("Merge branch
> > 'net-page_pool-remove-page_pool_release_page'")).
> >
> > This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool:
> > catch
> > page_pool memory leaks").
> >
> > Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for
> > xen-netfront")
> > Reported-by: Arthur Borsboom
> > Signed-off-by: Jesper Dangaard Brouer
> > ---
> > Compile tested only, can someone please test this
>
> I have tested this patch on Xen 4.18.1 with VM (Arch Linux) kernel 6.9.0-rc1.
>
> Without the patch there are many trace traces and cloning the Linux
> mainline git repository resulted in failures (same with kernel 6.8.1).
> The patched kernel 6.9.0-rc1 performs as expected; cloning the git
> repository was successful and no kernel traces observed.
> Hereby my tested by:
>
> Tested-by: Arthur Borsboom
>
>
>
> > drivers/net/xen-netfront.c |1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> > index ad29f370034e..8d2aee88526c 100644
> > --- a/drivers/net/xen-netfront.c
> > +++ b/drivers/net/xen-netfront.c
> > @@ -285,6 +285,7 @@ static struct sk_buff
> > *xennet_alloc_one_rx_buffer(struct netfront_queue *queue)
> > return NULL;
> > }
> > skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
> > + skb_mark_for_recycle(skb);
> >
> > /* Align ip header to a 16 bytes boundary */
> > skb_reserve(skb, NET_IP_ALIGN);
> >
> >
I don't see this patch yet in linux-next.
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log
Any idea in which kernel release this patch will be included?
Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
On Wed, 27 Mar 2024 at 13:15, Jesper Dangaard Brouer wrote:
>
> Notice that skb_mark_for_recycle() is introduced later than fixes tag in
> 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
>
> It is believed that fixes tag were missing a call to page_pool_release_page()
> between v5.9 to v5.14, after which is should have used skb_mark_for_recycle().
> Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef
> ("net: page_pool: hide page_pool_release_page()") and remaining callers
> converted (in commit 6bfef2ec0172 ("Merge branch
> 'net-page_pool-remove-page_pool_release_page'")).
>
> This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch
> page_pool memory leaks").
>
> Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
> Reported-by: Arthur Borsboom
> Signed-off-by: Jesper Dangaard Brouer
> ---
> Compile tested only, can someone please test this
I have tested this patch on Xen 4.18.1 with VM (Arch Linux) kernel 6.9.0-rc1.
Without the patch there are many trace traces and cloning the Linux
mainline git repository resulted in failures (same with kernel 6.8.1).
The patched kernel 6.9.0-rc1 performs as expected; cloning the git
repository was successful and no kernel traces observed.
Hereby my tested by:
Tested-by: Arthur Borsboom
> drivers/net/xen-netfront.c |1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> index ad29f370034e..8d2aee88526c 100644
> --- a/drivers/net/xen-netfront.c
> +++ b/drivers/net/xen-netfront.c
> @@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct
> netfront_queue *queue)
> return NULL;
> }
> skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
> + skb_mark_for_recycle(skb);
>
> /* Align ip header to a 16 bytes boundary */
> skb_reserve(skb, NET_IP_ALIGN);
>
>
Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski :
On Wed, 27 Mar 2024 13:14:56 +0100 you wrote:
> Notice that skb_mark_for_recycle() is introduced later than fixes tag in
> 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
>
> It is believed that fixes tag were missing a call to page_pool_release_page()
> between v5.9 to v5.14, after which is should have used skb_mark_for_recycle().
> Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef
> ("net: page_pool: hide page_pool_release_page()") and remaining callers
> converted (in commit 6bfef2ec0172 ("Merge branch
> 'net-page_pool-remove-page_pool_release_page'")).
>
> [...]
Here is the summary with links:
- [net] xen-netfront: Add missing skb_mark_for_recycle
https://git.kernel.org/netdev/net/c/037965402a01
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Re: [PATCH net] xen-netfront: Add missing skb_mark_for_recycle
On Wed, Mar 27, 2024 at 01:14:56PM +0100, Jesper Dangaard Brouer wrote:
> Notice that skb_mark_for_recycle() is introduced later than fixes tag in
> 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
>
> It is believed that fixes tag were missing a call to page_pool_release_page()
> between v5.9 to v5.14, after which is should have used skb_mark_for_recycle().
> Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef
> ("net: page_pool: hide page_pool_release_page()") and remaining callers
> converted (in commit 6bfef2ec0172 ("Merge branch
> 'net-page_pool-remove-page_pool_release_page'")).
>
> This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch
> page_pool memory leaks").
>
> Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
> Reported-by: Arthur Borsboom
> Signed-off-by: Jesper Dangaard Brouer
> ---
> Compile tested only, can someone please test this
I've got a confirmation it fixes the issue:
https://github.com/QubesOS/qubes-linux-kernel/pull/926#issuecomment-2026226944
> drivers/net/xen-netfront.c |1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> index ad29f370034e..8d2aee88526c 100644
> --- a/drivers/net/xen-netfront.c
> +++ b/drivers/net/xen-netfront.c
> @@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct
> netfront_queue *queue)
> return NULL;
> }
> skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
> + skb_mark_for_recycle(skb);
>
> /* Align ip header to a 16 bytes boundary */
> skb_reserve(skb, NET_IP_ALIGN);
>
>
>
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
signature.asc
Description: PGP signature
[PATCH net] xen-netfront: Add missing skb_mark_for_recycle
Notice that skb_mark_for_recycle() is introduced later than fixes tag in
6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling").
It is believed that fixes tag were missing a call to page_pool_release_page()
between v5.9 to v5.14, after which is should have used skb_mark_for_recycle().
Since v6.6 the call page_pool_release_page() were removed (in 535b9c61bdef
("net: page_pool: hide page_pool_release_page()") and remaining callers
converted (in commit 6bfef2ec0172 ("Merge branch
'net-page_pool-remove-page_pool_release_page'")).
This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch
page_pool memory leaks").
Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
Reported-by: Arthur Borsboom
Signed-off-by: Jesper Dangaard Brouer
---
Compile tested only, can someone please test this
drivers/net/xen-netfront.c |1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index ad29f370034e..8d2aee88526c 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -285,6 +285,7 @@ static struct sk_buff *xennet_alloc_one_rx_buffer(struct
netfront_queue *queue)
return NULL;
}
skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
+ skb_mark_for_recycle(skb);
/* Align ip header to a 16 bytes boundary */
skb_reserve(skb, NET_IP_ALIGN);
