Re: [PATCH bpf 1/2] xsk: fix to reject invalid flags in xsk_bind

Björn Töpel <bjorn.topel@xxxxxxxxx> · Fri, 8 Mar 2019 11:11:05 +0100

On Fri, 8 Mar 2019 at 11:00, Maciej Fijalkowski
<maciejromanfijalkowski@xxxxxxxxx> wrote:
>
> On Fri,  8 Mar 2019 08:57:26 +0100
> Björn Töpel <bjorn.topel@xxxxxxxxx> wrote:
>
> > From: Björn Töpel <bjorn.topel@xxxxxxxxx>
> >
> > Passing a non-existing flag in the sxdp_flags member of struct
> > sockaddr_xdp was, incorrectly, silently ignored. This patch addresses
> > that behavior, and rejects any non-existing flags.
> >
> > We have examined existing user space code, and to our best knowledge,
> > no one is relying on the current incorrect behavior. AF_XDP is still
> > in its infancy, so from our perspective, the risk of breakage is very
> > low, and addressing this problem now is important.
> >
> > Fixes: 965a99098443 ("xsk: add support for bind for Rx")
> > Signed-off-by: Björn Töpel <bjorn.topel@xxxxxxxxx>
> > ---
> >  net/xdp/xsk.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> > index 6697084e3fdf..a14e8864e4fa 100644
> > --- a/net/xdp/xsk.c
> > +++ b/net/xdp/xsk.c
> > @@ -407,6 +407,10 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
> >       if (sxdp->sxdp_family != AF_XDP)
> >               return -EINVAL;
> >
> > +     flags = sxdp->sxdp_flags;
> > +     if (flags & ~(XDP_SHARED_UMEM | XDP_COPY | XDP_ZEROCOPY))
> > +             return -EINVAL;
> > +
>
> What about setting more than one flag at a time? Is it allowed/make any sense?
> After a quick look it seems that they exclude each other, e.g. you can't force
> a zero copy and copy mode at the same time. And for XDP_SHARED_UMEM two
> remaining flags can't be set.
>
> So maybe check here also that only one particular flag is set by doing:
>
> if (hweight32(flags & (XDP_SHARED_UMEM | XDP_COPY | XDP_ZEROCOPY)) > 1)
>         return -EINVAL;
>
> just like we do it for IFLA_XDP_FLAGS in net/core/rtnetlink.c?
>

We have flag semantic checks further down, and my rational was to
*only* check unknown flags first. IMO the current patch is easier to
understand, than your suggested one.

Thanks for taking a look!

Cheers,
Björn

> >       mutex_lock(&xs->mutex);
> >       if (xs->dev) {
> >               err = -EBUSY;
> > @@ -425,7 +429,6 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
> >       }
> >
> >       qid = sxdp->sxdp_queue_id;
> > -     flags = sxdp->sxdp_flags;
> >
> >       if (flags & XDP_SHARED_UMEM) {
> >               struct xdp_sock *umem_xs;
>