lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANn89iL5-w3NzupmR4LgskvW2yw1jgnhdFg1HRg+k+JY38G6+w@mail.gmail.com>
Date: Fri, 24 May 2024 11:24:30 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Yue Haibing <yuehaibing@...wei.com>
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, jhs@...atatu.com, 
	xiyou.wangcong@...il.com, jiri@...nulli.us, hannes@...essinduktion.org, 
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] net/sched: Add xmit_recursion level in sch_direct_xmit()

On Fri, May 24, 2024 at 10:49 AM Yue Haibing <yuehaibing@...wei.com> wrote:
>
> packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will hit
> WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path while ipvlan
> device has qdisc queue.
>
> WARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70
> Modules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper
> CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:sk_mc_loop+0x2d/0x70
> Code: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c
> RSP: 0018:ffffa9584015cd78 EFLAGS: 00010212
> RAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001
> RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000
> RBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00
> R10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000
> R13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000
> FS:  0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <IRQ>
>  ? __warn+0x83/0x130
>  ? sk_mc_loop+0x2d/0x70
>  ? report_bug+0x18e/0x1a0
>  ? handle_bug+0x3c/0x70
>  ? exc_invalid_op+0x18/0x70
>  ? asm_exc_invalid_op+0x1a/0x20
>  ? sk_mc_loop+0x2d/0x70
>  ip6_finish_output2+0x31e/0x590
>  ? nf_hook_slow+0x43/0xf0
>  ip6_finish_output+0x1f8/0x320
>  ? __pfx_ip6_finish_output+0x10/0x10
>  ipvlan_xmit_mode_l3+0x22a/0x2a0 [ipvlan]
>  ipvlan_start_xmit+0x17/0x50 [ipvlan]
>  dev_hard_start_xmit+0x8c/0x1d0
>  sch_direct_xmit+0xa2/0x390
>  __qdisc_run+0x66/0xd0
>  net_tx_action+0x1ca/0x270
>  handle_softirqs+0xd6/0x2b0
>  __irq_exit_rcu+0x9b/0xc0
>  sysvec_apic_timer_interrupt+0x75/0x90

Please provide full symbols in stack traces.

>  </IRQ>
>
> Fixes: f60e5990d9c1 ("ipv6: protect skb->sk accesses from recursive dereference inside the stack")
> Signed-off-by: Yue Haibing <yuehaibing@...wei.com>
> ---
>  include/linux/netdevice.h | 17 +++++++++++++++++
>  net/core/dev.h            | 17 -----------------
>  net/sched/sch_generic.c   |  8 +++++---
>  3 files changed, 22 insertions(+), 20 deletions(-)

This patch seems unrelated to the WARN_ON_ONCE(1) met in sk_mc_loop()

If sk_mc_loop() is called with a socket which is not inet, we are in trouble.

Please fix the root cause instead of trying to shortcut sk_mc_loop() as you did.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ