| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5a9d0e6a-2916-e791-a123-c8a957a3e3e5@nvidia.com>
Date: Wed, 28 Sep 2022 10:55:49 +0300
From: Paul Blakey <paulb@...dia.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: Daniel Borkmann <daniel@...earbox.net>,
Vlad Buslov <vladbu@...dia.com>, Oz Shlomo <ozsh@...dia.com>,
Roi Dayan <roid@...dia.com>, netdev@...r.kernel.org,
Saeed Mahameed <saeedm@...dia.com>,
Eric Dumazet <edumazet@...gle.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>
Subject: Re: [PATCH net v2 1/2] net: Fix return value of qdisc ingress
handling on success
On 25/09/2022 21:00, Cong Wang wrote:
> On Sun, Sep 25, 2022 at 11:14:21AM +0300, Paul Blakey wrote:
>> Currently qdisc ingress handling (sch_handle_ingress()) doesn't
>> set a return value and it is left to the old return value of
>> the caller (__netif_receive_skb_core()) which is RX drop, so if
>> the packet is consumed, caller will stop and return this value
>> as if the packet was dropped.
>>
>> This causes a problem in the kernel tcp stack when having a
>> egress tc rule forwarding to a ingress tc rule.
>> The tcp stack sending packets on the device having the egress rule
>> will see the packets as not successfully transmitted (although they
>> actually were), will not advance it's internal state of sent data,
>> and packets returning on such tcp stream will be dropped by the tcp
>> stack with reason ack-of-unsent-data. See reproduction in [0] below.
>>
>
> Hm, but how is this return value propagated to egress? I checked
> tcf_mirred_act() code, but don't see how it is even used there.
>
> 318 err = tcf_mirred_forward(want_ingress, skb2);
> 319 if (err) {
> 320 out:
> 321 tcf_action_inc_overlimit_qstats(&m->common);
> 322 if (tcf_mirred_is_act_redirect(m_eaction))
> 323 retval = TC_ACT_SHOT;
> 324 }
> 325 __this_cpu_dec(mirred_rec_level);
> 326
> 327 return retval;
>
>
> What am I missing?
for the ingress acting act_mirred it will return TC_ACT_CONSUMED above
the code you mentioned (since redirect=1, use_reinsert=1. Although
TC_ACT_STOLEN which is the retval set for this action, will also act the
same)
It is propagated as such (TX stack starting from tcp):
__tcp_transmit_skb
ip_queue_xmit
__ip_queue_xmit
ip_local_out
dst_output
ip_output
ip_finish_output
ip_finish_output2
neigh_output
neigh_hh_output
dev_queue_xmit
sch_handle_egress
tcf_classify
tcf_mirred_act
tcf_mirred_forward
netif_receive_skb
# here we moved to ingress processing
netif_receive_skb_internal
__netif_receive_skb
__netif_receive_skb_core
sch_handle_ingress
tcf_classify
tcf_mirred_act
tcf_mirred_forward
tcf_dev_queue_xmit
dev_queue_xmit
# sends packet ...
return TC_ACT_CONSUMED
return NULL, and leaves *ret untouched
return NET_RX_DROP
...
>
> Also, the offending commit is very old and this configuration is not
> uncommon at all, how could we even not notice this for such a long time?
I blamed the commit that left the ret value unset for the first time,
but normally netif_receive_skb return value is ignored (as mentioned in
the comment above it), this time it isn't ignored because it was chained
to egress processing of the tcp transmit path. And this specific case
where I chain tc ingress to tc egress came much later (with the commit
I blamed in v1 of this patch).
>
> Thanks.
Powered by blists - more mailing lists