• Willem de Bruijn's avatar
    packet: copy user buffers before orphan or clone · 67f6fba7
    Willem de Bruijn authored
    [ Upstream commit 5cd8d46e ]
    
    tpacket_snd sends packets with user pages linked into skb frags. It
    notifies that pages can be reused when the skb is released by setting
    skb->destructor to tpacket_destruct_skb.
    
    This can cause data corruption if the skb is orphaned (e.g., on
    transmit through veth) or cloned (e.g., on mirror to another psock).
    
    Create a kernel-private copy of data in these cases, same as tun/tap
    zerocopy transmission. Reuse that infrastructure: mark the skb as
    SKBTX_ZEROCOPY_FRAG, which will trigger copy in skb_orphan_frags(_rx).
    
    Unlike other zerocopy packets, do not set shinfo destructor_arg to
    struct ubuf_info. tpacket_destruct_skb already uses that ptr to notify
    when the original skb is released and a timestamp is recorded. Do not
    change this timestamp behavior. The ubuf_info->callback is not needed
    anyway, as no zerocopy notification is expected.
    
    Mark destructor_arg as not-a-uarg by setting the lower bit to 1. The
    resulting value is not a valid ubuf_info pointer, nor a valid
    tpacket_snd frame address. Add skb_zcopy_.._nouarg helpers for this.
    
    The fix relies on features introduced in commit 52267790 ("sock:
    add MSG_ZEROCOPY"), so can be backported as is only to 4.14.
    
    Tested with from `./in_netns.sh ./txring_overwrite` from
    http://github.com/wdebruij/kerneltools/tests
    
    Fixes: 69e3c75f ("net: TX_RING and packet mmap")
    Reported-by: default avatarAnand H. Krishnan <anandhkrishnan@gmail.com>
    Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    67f6fba7
af_packet.c 108 KB