lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 20 Dec 2021 09:32:23 +0000
From:   Baowen Zheng <baowen.zheng@...igine.com>
To:     Eric Dumazet <eric.dumazet@...il.com>,
        Simon Horman <simon.horman@...igine.com>,
        David Miller <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>
CC:     Alexandre Belloni <alexandre.belloni@...tlin.com>,
        Andrew Lunn <andrew@...n.ch>,
        Claudiu Manoil <claudiu.manoil@....com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        Ido Schimmel <idosch@...dia.com>,
        Jamal Hadi Salim <jhs@...atatu.com>,
        Jiri Pirko <jiri@...nulli.us>,
        Leon Romanovsky <leon@...nel.org>,
        Michael Chan <michael.chan@...adcom.com>,
        Oz Shlomo <ozsh@...dia.com>, Petr Machata <petrm@...dia.com>,
        Roi Dayan <roid@...dia.com>,
        Saeed Mahameed <saeedm@...dia.com>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Vlad Buslov <vladbu@...dia.com>,
        Vladimir Oltean <vladimir.oltean@....com>,
        Louis Peens <louis.peens@...igine.com>,
        "UNGLinuxDriver@...rochip.com" <UNGLinuxDriver@...rochip.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-rdma@...r.kernel.org" <linux-rdma@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        oss-drivers <oss-drivers@...igine.com>
Subject: RE: [PATCH v8 net-next 06/13] flow_offload: allow user to offload tc
 action to net device

Hi Eric, thanks for bring this to us. We will make some verification and fix this ASAP.
Could you please make some description on how to trigger this issue? 

On December 20, 2021 4:48 PM, Eric Dumazet wrote:
>On 12/17/21 10:16 AM, Simon Horman wrote:
>> From: Baowen Zheng <baowen.zheng@...igine.com>
>>
>> Use flow_indr_dev_register/flow_indr_dev_setup_offload to offload tc
>> action.
>>
>> We need to call tc_cleanup_flow_action to clean up tc action entry
>> since in tc_setup_action, some actions may hold dev refcnt, especially
>> the mirror action.
>>
>> Signed-off-by: Baowen Zheng <baowen.zheng@...igine.com>
>> Signed-off-by: Louis Peens <louis.peens@...igine.com>
>> Signed-off-by: Simon Horman <simon.horman@...igine.com>
>> ---
>
>
>Hi there.
>
>
>I think this is causing the following syzbot splat, please take a look, thanks !
>
>
>WARNING: suspicious RCU usage
>5.16.0-rc5-syzkaller #0 Not tainted
>-----------------------------
>include/net/tc_act/tc_tunnel_key.h:33 suspicious
>rcu_dereference_protected() usage!
>
>other info that might help us debug this:
>
>
>rcu_scheduler_active = 2, debug_locks = 1
>1 lock held by syz-executor393/3602:
>  #0: ffffffff8d313968 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock
>net/core/rtnetlink.c:72 [inline]
>  #0: ffffffff8d313968 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock
>net/core/rtnetlink.c:72 [inline] net/core/rtnetlink.c:5567
>  #0: ffffffff8d313968 (rtnl_mutex){+.+.}-{3:3}, at:
>rtnetlink_rcv_msg+0x3be/0xb80 net/core/rtnetlink.c:5567
>net/core/rtnetlink.c:5567
>
>stack backtrace:
>CPU: 1 PID: 3602 Comm: syz-executor393 Not tainted 5.16.0-rc5-syzkaller #0
>Hardware name: Google Google Compute Engine/Google Compute Engine,
>BIOS
>Google 01/01/2011
>Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106
>  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 lib/dump_stack.c:106
>  is_tcf_tunnel_set include/net/tc_act/tc_tunnel_key.h:33 [inline]
>  is_tcf_tunnel_set include/net/tc_act/tc_tunnel_key.h:33 [inline]
>net/sched/act_tunnel_key.c:832
>  tcf_tunnel_key_offload_act_setup+0x4f2/0xa20
>net/sched/act_tunnel_key.c:832 net/sched/act_tunnel_key.c:832
>  offload_action_init net/sched/act_api.c:194 [inline]
>  offload_action_init net/sched/act_api.c:194 [inline]
>net/sched/act_api.c:263
>  tcf_action_offload_add_ex+0x279/0x550 net/sched/act_api.c:263
>net/sched/act_api.c:263
>  tcf_action_offload_add net/sched/act_api.c:294 [inline]
>  tcf_action_offload_add net/sched/act_api.c:294 [inline]
>net/sched/act_api.c:1439
>  tcf_action_init+0x601/0x860 net/sched/act_api.c:1439
>net/sched/act_api.c:1439
>  tcf_action_add+0xf9/0x480 net/sched/act_api.c:1940
>net/sched/act_api.c:1940
>  tc_ctl_action+0x346/0x470 net/sched/act_api.c:1999
>net/sched/act_api.c:1999
>  rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5570
>net/core/rtnetlink.c:5570
>  netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2492
>net/netlink/af_netlink.c:2492
>  netlink_unicast_kernel net/netlink/af_netlink.c:1315 [inline]
>  netlink_unicast_kernel net/netlink/af_netlink.c:1315 [inline]
>net/netlink/af_netlink.c:1341
>  netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1341
>net/netlink/af_netlink.c:1341
>  netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1917
>net/netlink/af_netlink.c:1917
>  sock_sendmsg_nosec net/socket.c:704 [inline]
>  sock_sendmsg_nosec net/socket.c:704 [inline] net/socket.c:724
>  sock_sendmsg+0xcf/0x120 net/socket.c:724 net/socket.c:724
>  ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409 net/socket.c:2409
>  ___sys_sendmsg+0xf3/0x170 net/socket.c:2463 net/socket.c:2463
>  __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492 net/socket.c:2492
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>arch/x86/entry/common.c:80
>  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>RIP: 0033:0x7f896932b2a9
>Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89
>f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
>f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
>RSP: 002b:00007ffeff6cc4d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
>RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f896932b2a9
>RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
>
>
>
>>   include/linux/netdevice.h  |  1 +
>>   include/net/flow_offload.h | 17 +++++++
>>   include/net/pkt_cls.h      |  5 ++
>>   net/core/flow_offload.c    | 42 +++++++++++++----
>>   net/sched/act_api.c        | 93
>++++++++++++++++++++++++++++++++++++++
>>   net/sched/act_csum.c       |  4 +-
>>   net/sched/act_ct.c         |  4 +-
>>   net/sched/act_gact.c       | 13 +++++-
>>   net/sched/act_gate.c       |  4 +-
>>   net/sched/act_mirred.c     | 13 +++++-
>>   net/sched/act_mpls.c       | 16 ++++++-
>>   net/sched/act_police.c     |  4 +-
>>   net/sched/act_sample.c     |  4 +-
>>   net/sched/act_skbedit.c    | 11 ++++-
>>   net/sched/act_tunnel_key.c |  9 +++-
>>   net/sched/act_vlan.c       | 16 ++++++-
>>   net/sched/cls_api.c        | 21 +++++++--
>>   17 files changed, 254 insertions(+), 23 deletions(-)
>>
>> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
>> index a419718612c6..8b0bdeb4734e 100644
>> --- a/include/linux/netdevice.h
>> +++ b/include/linux/netdevice.h
>> @@ -920,6 +920,7 @@ enum tc_setup_type {
>>   	TC_SETUP_QDISC_TBF,
>>   	TC_SETUP_QDISC_FIFO,
>>   	TC_SETUP_QDISC_HTB,
>> +	TC_SETUP_ACT,
>>   };
>>
>>   /* These structures hold the attributes of bpf state that are being passed
>> diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h
>> index 2271da5aa8ee..5b8c54eb7a6b 100644
>> --- a/include/net/flow_offload.h
>> +++ b/include/net/flow_offload.h
>> @@ -551,6 +551,23 @@ struct flow_cls_offload {
>>   	u32 classid;
>>   };
>>
>> +enum offload_act_command  {
>> +	FLOW_ACT_REPLACE,
>> +	FLOW_ACT_DESTROY,
>> +	FLOW_ACT_STATS,
>> +};
>> +
>> +struct flow_offload_action {
>> +	struct netlink_ext_ack *extack; /* NULL in FLOW_ACT_STATS
>process*/
>> +	enum offload_act_command  command;
>> +	enum flow_action_id id;
>> +	u32 index;
>> +	struct flow_stats stats;
>> +	struct flow_action action;
>> +};
>> +
[..]

Powered by blists - more mailing lists