| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220307214550.2d2c26a9@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date: Mon, 7 Mar 2022 21:45:50 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Ilya Maximets <i.maximets@....org>
Cc: Roi Dayan <roid@...dia.com>, dev@...nvswitch.org,
Toms Atteka <cpp.code.lv@...il.com>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, davem@...emloft.net,
David Ahern <dsahern@...il.com>,
Johannes Berg <johannes@...solutions.net>,
Jiri Pirko <jiri@...nulli.us>,
Pablo Neira Ayuso <pablo@...filter.org>
Subject: Re: [ovs-dev] [PATCH net-next v8] net: openvswitch: IPv6: Add IPv6
extension header support
On Tue, 8 Mar 2022 01:04:00 +0100 Ilya Maximets wrote:
> > Thanks for the explanation, we can apply a revert if that'd help your
> > CI / ongoing development but sounds like the fix really is in user
> > space. Expecting netlink attribute lists not to grow is not fair.
>
> I don't think it was intentional, just a careless mistake. Unfortunately,
> all OVS binaries built during the last 5 years rely on that unwanted
> expectation (re-build will also not help as they are using a copy of the
> uAPI header and the clash will be there anyway). If we want to keep them
> working, kernel uAPI has to be carefully updated with current userspace-only
> attributes before we add any new ones. That is not great, but I don't see
> any other option right now that doesn't require code changes in userspace.
>
> I'd say that we need to revert the current patch and re-introduce it
> later when the uAPI problem is sorted out. This way we will avoid blocking
> the net-next testing and will also avoid problems in case the uAPI changes
> are not ready at the moment of the new kernel release.
>
> What do you think?
Let me add some people I associate with genetlink work in my head
(fairly or not) to keep me fair here.
It's highly unacceptable for user space to straight up rewrite kernel
uAPI types but if it already happened the only fix is something like:
diff --git a/include/uapi/linux/openvswitch.h b/include/uapi/linux/openvswitch.h
index 9d1710f20505..ab6755621e02 100644
--- a/include/uapi/linux/openvswitch.h
+++ b/include/uapi/linux/openvswitch.h
@@ -351,11 +351,16 @@ enum ovs_key_attr {
OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4, /* struct ovs_key_ct_tuple_ipv4 */
OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6, /* struct ovs_key_ct_tuple_ipv6 */
OVS_KEY_ATTR_NSH, /* Nested set of ovs_nsh_key_* */
- OVS_KEY_ATTR_IPV6_EXTHDRS, /* struct ovs_key_ipv6_exthdr */
#ifdef __KERNEL__
OVS_KEY_ATTR_TUNNEL_INFO, /* struct ip_tunnel_info */
#endif
+ /* User space decided to squat on types 30 and 31 */
+ OVS_KEY_ATTR_IPV6_EXTHDRS = 32, /* struct ovs_key_ipv6_exthdr */
+ /* WARNING: <scary warning to avoid the problem coming back> */
+
__OVS_KEY_ATTR_MAX
};
right?
> > Since ovs uses genetlink you should be able to dump the policy from
> > the kernel and at least validate that it doesn't overlap.
>
> That is interesting. Indeed, this functionality can be used to detect
> problems or to define userspace-only attributes in runtime based on the
> kernel reply. Thanks for the pointer!
Powered by blists - more mailing lists