Date:	Mon, 1 Oct 2012 15:57:02 -0700
From:	Stephen Hemminger <shemminger@...tta.com>
To:	ebiederm@...ssion.com (Eric W. Biederman)
Cc:	netdev@...r.kernel.org
Subject: Re: network namespace and kernel bind issue

On Mon, 01 Oct 2012 15:40:56 -0700
ebiederm@...ssion.com (Eric W. Biederman) wrote:

> Stephen Hemminger <shemminger@...tta.com> writes:
> 
> > On Mon, 1 Oct 2012 14:16:09 -0700
> > Stephen Hemminger <shemminger@...tta.com> wrote:
> >
> >> When testing VXLAN I noticed that the kernel bind seems to be a problem for
> >> network tunnels. The init_net function is called repeatedly for the same
> >> network namespace!
> 
> It definitely should not be.
> 
> >> 1. Create vxlan device:
> >>  # ip li add vxlan0 type vxlan id 11 group 239.1.1.1 dev eth0
> >>  # dmesg | tail
> >> [11580.671016] vxlan: vxlan_init_net in net 1
> 
> Net 1?  What are you printing out?  It isn't the net_id by any chance?

Yes it is the net_id which is passed to net_generic() to find the
per-namespace data structure.

> 
> >> 2. Start Chrome (or other application using namespaces)
> >>  
> >>   dmesg | tail
> >> [11587.371195] vxlan: vxlan_init_net in net 1
> >> [11587.371211] vxlan: bind for UDP socket 0.0.0.0:8472 (-98)
> >> 
> >> 
> >> Isn't init_net supposed to be unique. The current semantics also break
> >> L2TP.
> 
> The init method should be called exactly once per network namespace.
> 
> The timing of the init methods you report seems correct.
> 
> The vxlan code isn't in net-next or I would take a look.
> 
> I took a quick look at l2tp and the code is doing some weird things.
> There are a bunch of references to &init_net that I would expect
> to references to either sk_net() or dev_net().  
> 
> Adding support for multiple network namespaces and then reaching
> out to the initial network namespace for things is definitely a recipe
> for getting confused.
> 
> So my blind guess would be that someone half implemented network
> namespace support for l2tp and vxlan copied the bugs.

The vxlan driver has one UDP socket per namespace.
There are no references to init_net in it.

I think the problem is the call chain
      copy_net_ns -> setup_net -> ops_init
There is nothing that increments the id after register_pernet_operations.

Shouldn't there be an increment so each new namespace gets a unique id?

--- a/net/core/net_namespace.c	2012-08-15 08:59:22.938704423 -0700
+++ b/net/core/net_namespace.c	2012-10-01 15:54:50.293088913 -0700
@@ -161,6 +161,7 @@ static __net_init int setup_net(struct n
 #endif
 
 	list_for_each_entry(ops, &pernet_list, list) {
+		++*ops->id;
 		error = ops_init(ops, net);
 		if (error < 0)
 			goto out_undo;
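Review bot: the `++*ops->id;` added before `ops_init(ops, net)` treats the per-ops slot index as a per-namespace counter, which breaks the lookup it is meant to fix. As the reply above notes, this id is what gets passed to net_generic() to find the per-namespace data, so it is an index into each namespace's generic storage and is expected to be the same number in every namespace; bumping it on each setup_net() would make a new namespace store its data in a different slot from the namespaces created before it and walk into slots handed out to other pernet_operations. The loop also visits every entry in pernet_list, including operations registered without generic storage whose id pointer is NULL (ops_init itself checks `ops->id` before touching it), so the unconditional dereference would fault on the first such entry. Drop the increment; if the debug print needs something that distinguishes namespaces, print the struct net pointer rather than the id.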


Or maybe you need to keep track of IDR map for each pernet_operations structure?

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
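The relationship between the per-ops id and the per-namespace object that the thread turns on, as an added user-space model (not code from this thread, from the vxlan driver, or from the kernel). The functions net_generic(), register_pernet_operations(), ops_init() and setup_net() are simplified stand-ins that echo the kernel names; vxlan_net, plain_ops, init_net and chrome_net are constructed for the example, and ids start at 0 here rather than at whatever the kernel's allocator hands out. It shows that the id is assigned once at registration and is identical for every namespace, while each setup_net() call gives that namespace its own object behind that id and calls init exactly once for it:

```c
/* Added example, not code from this thread or from the kernel: a user-space
 * model of pernet_operations ids and net_generic(), showing why the same id
 * is printed for every namespace and where the per-namespace part lives. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_GENERIC 8

struct net {
    const char *name;
    void *gen[MAX_GENERIC];  /* this namespace's generic storage, indexed by ops id */
};

struct pernet_operations {
    const char *name;
    int *id;                 /* slot index, set once at registration; NULL if unused */
    size_t size;             /* per-namespace object size, allocated by ops_init */
    int (*init)(struct net *net);
    struct pernet_operations *next;
};

static struct pernet_operations *pernet_list;
static int next_id;          /* stands in for the kernel's ida allocator */

/* net_generic() model: this ops' object inside one particular namespace */
void *net_generic(struct net *net, int id) { return net->gen[id]; }

/* register_pernet_operations() model: one id per ops, nothing per-namespace */
int register_pernet_operations(struct pernet_operations *ops)
{
    if (ops->id) {
        if (next_id >= MAX_GENERIC)
            return -1;
        *ops->id = next_id++;
    }
    ops->next = pernet_list;
    pernet_list = ops;
    return 0;
}

/* ops_init() model: allocate this namespace's object (only for ops that have an id), then init */
static int ops_init(struct pernet_operations *ops, struct net *net)
{
    if (ops->id && ops->size) {
        void *data = calloc(1, ops->size);
        if (!data)
            return -1;
        net->gen[*ops->id] = data;
    }
    return ops->init ? ops->init(net) : 0;
}

/* setup_net() model: exactly one init call per ops for the new namespace */
int setup_net(struct net *net)
{
    struct pernet_operations *ops;
    for (ops = pernet_list; ops; ops = ops->next)
        if (ops_init(ops, net) < 0)
            return -1;
    return 0;
}

/* toy "vxlan" ops: one record per namespace, where the real driver keeps its UDP socket */
struct vxlan_net { int init_calls; };
static int vxlan_net_id;

static int vxlan_init_net(struct net *net)
{
    struct vxlan_net *vn = net_generic(net, vxlan_net_id);
    vn->init_calls++;
    printf("vxlan: vxlan_init_net in net %d (%s)\n", vxlan_net_id, net->name);
    return 0;
}

struct pernet_operations plain_ops = { .name = "plain" };   /* no generic data: id stays NULL */
struct pernet_operations vxlan_ops = { .name = "vxlan", .id = &vxlan_net_id,
                                       .size = sizeof(struct vxlan_net), .init = vxlan_init_net };

struct net init_net = { .name = "init_net" };
struct net chrome_net = { .name = "chrome_sandbox" };  /* constructed second namespace */

/* Register once, then bring up both namespaces; returns vxlan's id, the same number for both */
int model_run(void)
{
    static int done;
    if (!done) {
        register_pernet_operations(&plain_ops);
        register_pernet_operations(&vxlan_ops);
        setup_net(&init_net);
        setup_net(&chrome_net);
        done = 1;
    }
    return vxlan_net_id;
}

int main(void)
{
    model_run();
    printf("same id %d, distinct objects %p and %p\n", vxlan_net_id,
           net_generic(&init_net, vxlan_net_id), net_generic(&chrome_net, vxlan_net_id));
    return 0;
}
```

Running it prints the same "in net 0" line for both namespaces, exactly as the dmesg output in the thread does, while the two object addresses differ and each has been initialised once; plain_ops carries a NULL id throughout, which is why ops_init checks the pointer before using it.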