Message-ID: <CAMArcTX5bCQgcjLrJPhOPTkLXfpO1c8_mQW1VdTUY9UQaqZijg@mail.gmail.com>
Date:   Mon, 17 Dec 2018 16:31:04 +0900
From:   Taehee Yoo <ap420073@...il.com>
To:     David Miller <davem@...emloft.net>
Cc:     Netdev <netdev@...r.kernel.org>,
        Daniel Borkmann <daniel@...earbox.net>, ast@...nel.org
Subject: Re: [PATCH net 1/2] net: bpfilter: restart bpfilter_umh when error occurred

On Mon, 17 Dec 2018 at 07:20, David Miller <davem@...emloft.net> wrote:
>
> From: Taehee Yoo <ap420073@...il.com>
> Date: Sat, 15 Dec 2018 13:22:39 +0900
>
> > If the bpfilter_umh process is killed, shutdown_umh() is executed via
> > __stop_umh(), because __kernel_write() or kernel_read() will fail in
> > __bpfilter_process_sockopt() if the bpfilter_umh process has been killed
> > or has crashed. Then __bpfilter_process_sockopt() prints an error message
> > and calls __stop_umh().
>
> Now I understand, thank you.
>
> This is what happens in the second command of your example:
>
> > >    $ iptables -vnL
> > >    $ kill -9 <pid of bpfilter_umh>
> > >    $ iptables -vnL
> > >    [  480.045136] bpfilter: write fail -32
>
> This second iptables command, which fails, triggers the cleanup.
>
> This second iptables command, however, should not fail either.
>
> What should happen is that when bpfilter_umh is killed, the cleanup is
> synchronous, and the next iptables command will cleanly restart
> bpfilter_umh and the command will succeed.
>
> Perhaps what should happen is that fork_usermode_blob() somehow
> registers a mechanism by which if the process forked dies
> or exits for some reason, an installed callback is invoked to
> perform cleanups.
>
> That would solve all of these problems, and all three iptables
> commands in your example would succeed.
>
> What do you think?
>

I agree that the second iptables command should not fail.
I think calling a cleanup callback in usermodehelper will be useful
for other modules which use fork_usermodehelper_blob().
So the usermodehelper should support invoking a cleanup callback when
an error or crash occurs.
But I don't know how the cleanup callback is invoked when the
bpfilter_umh process is killed.
Could you let me know if it's possible?
If it is not possible, in order to avoid failure of all iptables commands,
I think the steps below are needed.
1. check process status
2. if the process is dead or has crashed, clean up and restart bpfilter_umh
3. perform normal routine
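
The three steps listed above, as an added userspace example that is not part of the original message and is not kernel code: a parent checks its helper with waitpid(WNOHANG), cleans up and restarts it if it has died, then sends the request. The names struct helper, helper_start(), helper_cleanup() and helper_request() are hypothetical, and the echo child is an assumed stand-in for bpfilter_umh.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical userspace stand-in for the helper; not the kernel's code. */
struct helper { pid_t pid; int to, from, cleanups; };
static int helper_start(struct helper *h)
{
    int req[2], rep[2];
    char c;
    if (pipe(req) || pipe(rep)) return -errno;
    if ((h->pid = fork()) < 0) return -errno;
    if (h->pid == 0) {                 /* child: echo each request byte back */
        close(req[1]); close(rep[0]);
        while (read(req[0], &c, 1) == 1 && write(rep[1], &c, 1) == 1) ;
        _exit(0);
    }
    close(req[0]); close(rep[1]);
    h->to = req[1]; h->from = rep[0];
    return 0;
}
static void helper_cleanup(struct helper *h)
{
    close(h->to); close(h->from);
    h->pid = 0; h->cleanups++;
}
/* The three steps from the message, run on every request. */
static int helper_request(struct helper *h, char in, char *out)
{
    int r;
    signal(SIGPIPE, SIG_IGN);          /* dead peer gives -EPIPE (-32), no signal */
    if (h->pid > 0 && waitpid(h->pid, NULL, WNOHANG) == h->pid)  /* 1. status */
        helper_cleanup(h);                                       /* 2. cleanup */
    if (h->pid <= 0 && (r = helper_start(h)) != 0) return r;     /* 2. restart */
    if (write(h->to, &in, 1) != 1) return -errno;                /* 3. normal */
    return read(h->from, out, 1) == 1 ? 0 : -EIO;
}
int main(void)
{
    struct helper h = {0};
    siginfo_t si;
    char out = 0;
    if (helper_request(&h, 'a', &out)) return 1;
    kill(h.pid, SIGKILL);                          /* like `kill -9 <pid>` */
    waitid(P_PID, h.pid, &si, WEXITED | WNOWAIT);  /* wait for death, no reap */
    return helper_request(&h, 'b', &out) != 0 || h.cleanups != 1;
}
```

A helper that dies between the status check and the write still produces -EPIPE, the same -32 seen in the quoted log, which is the window a synchronous exit callback would close.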
