| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c691e3d2-8b16-744c-8918-5be042bd37dc@intel.com>
Date: Wed, 19 Aug 2020 10:31:02 +0200
From: Björn Töpel <bjorn.topel@...el.com>
To: "Li,Rongqing" <lirongqing@...du.com>,
Björn Töpel <bjorn.topel@...il.com>
Cc: Netdev <netdev@...r.kernel.org>,
intel-wired-lan <intel-wired-lan@...ts.osuosl.org>,
"Karlsson, Magnus" <magnus.karlsson@...el.com>,
bpf <bpf@...r.kernel.org>,
Maciej Fijalkowski <maciej.fijalkowski@...el.com>,
Piotr <piotr.raczynski@...el.com>,
Maciej <maciej.machnikowski@...el.com>
Subject: Re: 答复: 答复: [Intel-wired-lan] [PATCH 0/2] intel/xdp fixes for fliping rx buffer
On 2020-08-19 10:17, Li,Rongqing wrote:
>
>
>> -----邮件原件-----
>> 发件人: Björn Töpel [mailto:bjorn.topel@...el.com]
>> 发送时间: 2020年8月19日 14:45
>> 收件人: Li,Rongqing <lirongqing@...du.com>; Björn Töpel
>> <bjorn.topel@...il.com>
>> 抄送: Netdev <netdev@...r.kernel.org>; intel-wired-lan
>> <intel-wired-lan@...ts.osuosl.org>; Karlsson, Magnus
>> <magnus.karlsson@...el.com>; bpf <bpf@...r.kernel.org>; Maciej Fijalkowski
>> <maciej.fijalkowski@...el.com>; Piotr <piotr.raczynski@...el.com>; Maciej
>> <maciej.machnikowski@...el.com>
>> 主题: Re: 答复: [Intel-wired-lan] [PATCH 0/2] intel/xdp fixes for fliping rx buffer
>>
>> On 2020-08-19 03:37, Li,Rongqing wrote:
>> [...]
>> > Hi:
>> >
>> > Thanks for your explanation.
>> >
>> > But we can reproduce this bug
>> >
>> > We use ebpf to redirect only-Vxlan packets to non-zerocopy AF_XDP, First we
>> see panic on tcp stack, in tcp_collapse: BUG_ON(offset < 0); it is very hard to
>> reproduce.
>> >
>> > Then we use the scp to do test, and has lots of vxlan packet at the same
>> time, scp will be broken frequently.
>> >
>>
>> Ok! Just so that I'm certain of your setup. You receive packets to an i40e netdev
>> where there's an XDP program. The program does XDP_PASS or XDP_REDIRECT
>> to e.g. devmap for non-vxlan packets. However, vxlan packets are redirected to
>> AF_XDP socket(s) in *copy-mode*. Am I understanding that correct?
>>
> Similar as your description,
>
> but the xdp program only redirects vxlan packets to af_xdp socket, other packets will go to Linux kernel networking stack, like scp/ssh packets
>
>
>> I'm assuming this is an x86-64 with 4k page size, right? :-) The page flipping is a
>> bit different if the PAGE_SIZE is not 4k.
>>
>
> We use 4k page size, page flipping is 4k, we did not change the i40e drivers, 4.19 stable kernel
>
Would you mind testing on a newer kernel? Say the latest stable 5.8.2?
>> > With this fixes, scp has not been broken again, and kernel is not panic
>> again >
>>
>> Let's dig into your scenario.
>>
>> Are you saying the following:
>>
>> Page A:
>> +------------
>> | "first skb" ----> Rx HW ring entry X
>> +------------
>> | "second skb"----> Rx HW ring entry X+1 (or X+n)
>> +------------
>>
>
> Like:
>
> First skb will be into tcp socket rx queue
>
> Seconds skb is vxlan packet, will be copy to af_xdp socket, and released.
>
>> This is a scenario that shouldn't be allowed, because there are now two users
>> of the page. If that's the case, the refcounting is broken. Is that the case?
>>
>
> True, it is broken for copy mode xsk
>
Ok. However, the fix is not avoiding the page_frag_free, but finding and
fixing the refcount bug. I'll have a deeper look.
But please, try to reproduce with a newer kernel.
Thanks,
Björn
Powered by blists - more mailing lists