lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 15 Mar 2019 11:56:01 -0700
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     David Miller <davem@...emloft.net>, eric.dumazet@...il.com
Cc:     sbrivio@...hat.com, liuzhiqiang26@...wei.com, petrm@...lanox.com,
        idosch@...lanox.com, sd@...asysnail.net, mousuanming@...wei.com,
        netdev@...r.kernel.org, mingfangsen@...wei.com,
        zhoukang7@...wei.com, wangxiaogang3@...wei.com
Subject: Re: [PATCH v2] vxlan: remove the redundant gro_cells_destroy()
 calling.



On 03/15/2019 11:02 AM, David Miller wrote:
> From: Eric Dumazet <eric.dumazet@...il.com>
> Date: Fri, 15 Mar 2019 09:06:25 -0700
> 
>>
>>
>> On 03/15/2019 08:28 AM, Stefano Brivio wrote:
>>> On Fri, 15 Mar 2019 23:18:52 +0800
>>> Zhiqiang Liu <liuzhiqiang26@...wei.com> wrote:
>>>
>>>> In vxlan_destroy_tunnels func, unregister_netdevice_queue is called after
>>>> gro_cells_destroy func. However, in unregister_netdevice_queue func, the
>>>> gro_cells_destroy func will also call the gro_cells_destroy func as the
>>>> following routine:
>>>> unregister_netdevice_many() -> rollback_registered_many()
>>>> -> ndo_uninit() -> gro_cells_destroy()  
>>>>
>>>> Signed-off-by: Suanming.Mou <mousuanming@...wei.com>
>>>> Reviewed-by: Zhiqiang Liu <liuzhiqiang26@...wei.com>
>>>> Reviewed-by: Stefano Brivio <sbrivio@...hat.com>
>>>
>>> NACK, please read my and Eric's comments to v1 -- giving me more than 23
>>> minutes to answer would have been a nice touch as well :)
>>>
>>
>> Sorry for the confusion, I forgot to add the question marks to my sentences.
>>
>> In fact, this is a bug fix, that we missed in the previous fix.
>>
>> Technically the bug is older.
> 
> Please elaborate.
> 

Commit ad6c9986bcb62
("vxlan: Fix GRO cells race condition between receive and link delete")

fixed a race condition for the typical case a vxlan device is dismantled from the
current netns.

But if a netns is dismantled, we call vxlan_destroy_tunnels()
to schedule a unregister_netdevice_queue() of all the vxlan tunnels
that are related to this netns.

This means that the gro_cells_destroy() call is done too soon,
for the same reasons explained in above commit .

We need to fully respect the RCU rules, and thus must remove the
gro_cells_destroy() call or risk use after-free.

The bug is day-0 I think.

commit 58ce31cca1ffe057f4744c3f671e3e84606d3d4a
Author: Tom Herbert <tom@...bertland.com>
Date:   Wed Aug 19 17:07:33 2015 -0700

    vxlan: GRO support at tunnel layer

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ