| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 May 2024 11:24:30 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Yue Haibing <yuehaibing@...wei.com>
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, jhs@...atatu.com,
xiyou.wangcong@...il.com, jiri@...nulli.us, hannes@...essinduktion.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] net/sched: Add xmit_recursion level in sch_direct_xmit()
On Fri, May 24, 2024 at 10:49 AM Yue Haibing <yuehaibing@...wei.com> wrote:
>
> packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will hit
> WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path while ipvlan
> device has qdisc queue.
>
> WARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70
> Modules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper
> CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:sk_mc_loop+0x2d/0x70
> Code: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c
> RSP: 0018:ffffa9584015cd78 EFLAGS: 00010212
> RAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001
> RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000
> RBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00
> R10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000
> R13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000
> FS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <IRQ>
> ? __warn+0x83/0x130
> ? sk_mc_loop+0x2d/0x70
> ? report_bug+0x18e/0x1a0
> ? handle_bug+0x3c/0x70
> ? exc_invalid_op+0x18/0x70
> ? asm_exc_invalid_op+0x1a/0x20
> ? sk_mc_loop+0x2d/0x70
> ip6_finish_output2+0x31e/0x590
> ? nf_hook_slow+0x43/0xf0
> ip6_finish_output+0x1f8/0x320
> ? __pfx_ip6_finish_output+0x10/0x10
> ipvlan_xmit_mode_l3+0x22a/0x2a0 [ipvlan]
> ipvlan_start_xmit+0x17/0x50 [ipvlan]
> dev_hard_start_xmit+0x8c/0x1d0
> sch_direct_xmit+0xa2/0x390
> __qdisc_run+0x66/0xd0
> net_tx_action+0x1ca/0x270
> handle_softirqs+0xd6/0x2b0
> __irq_exit_rcu+0x9b/0xc0
> sysvec_apic_timer_interrupt+0x75/0x90
Please provide full symbols in stack traces.
> </IRQ>
>
> Fixes: f60e5990d9c1 ("ipv6: protect skb->sk accesses from recursive dereference inside the stack")
> Signed-off-by: Yue Haibing <yuehaibing@...wei.com>
> ---
> include/linux/netdevice.h | 17 +++++++++++++++++
> net/core/dev.h | 17 -----------------
> net/sched/sch_generic.c | 8 +++++---
> 3 files changed, 22 insertions(+), 20 deletions(-)
This patch seems unrelated to the WARN_ON_ONCE(1) met in sk_mc_loop()
If sk_mc_loop() is called with a socket which is not inet, we are in trouble.
Please fix the root cause instead of trying to shortcut sk_mc_loop() as you did.
Powered by blists - more mailing lists