Date:   Sun, 26 Feb 2023 16:36:37 -0800
From:   Kuniyuki Iwashima <kuniyu@...zon.com>
To:     <hauke@...ke-m.de>
CC:     <acme@...driva.com>, <davem@...emloft.net>, <edumazet@...gle.com>,
        <kuba@...nel.org>, <kuni1840@...il.com>, <kuniyu@...zon.com>,
        <netdev@...r.kernel.org>, <pabeni@...hat.com>, <tulup@...l.ru>,
        <yangshiji66@...com>
Subject: Re: [PATCH v3 net 1/2] dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.

From:   Hauke Mehrtens <hauke@...ke-m.de>
Date:   Mon, 27 Feb 2023 01:17:55 +0100
> On 2/10/23 01:22, Kuniyuki Iwashima wrote:
> > Eric Dumazet pointed out [0] that when we call skb_set_owner_r()
> > for ipv6_pinfo.pktoptions, sk_rmem_schedule() has not been called,
> > resulting in a negative sk_forward_alloc.
> > 
> > We add a new helper which clones a skb and sets its owner only
> > when sk_rmem_schedule() succeeds.
> > 
> > Note that we move skb_set_owner_r() forward in (dccp|tcp)_v6_do_rcv()
> > because tcp_send_synack() can make sk_forward_alloc negative before
> > ipv6_opt_accepted() in the crossed SYN-ACK or self-connect() cases.
> > 
> > [0]: https://lore.kernel.org/netdev/CANn89iK9oc20Jdi_41jb9URdF210r7d1Y-+uypbMSbOfY6jqrg@mail.gmail.com/
> > 
> > Fixes: 323fbd0edf3f ("net: dccp: Add handling of IPV6_PKTOPTIONS to dccp_v6_do_rcv()")
> > Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
> > ---
> > Cc: Andrii <tulup@...l.ru>
> > Cc: Arnaldo Carvalho de Melo <acme@...driva.com>
> > ---
> >   include/net/sock.h  | 13 +++++++++++++
> >   net/dccp/ipv6.c     |  7 ++-----
> >   net/ipv6/tcp_ipv6.c | 10 +++-------
> >   3 files changed, 18 insertions(+), 12 deletions(-)
> > 
> Hi,
> 
> Multiple people reported kernel warnings after the upgrade from kernel 
> 5.15.94 to 5.15.95 in OpenWrt master, see 
> https://github.com/openwrt/openwrt/pull/12071
> 
> This was seen on a MIPS and an x86 CPU. It happens when a Windows 
> client connects; it works fine when an Android or iPad connects.
> 
> OpenWrt has some additional patches on top of the kernel, we haven't 
> checked yet if they are causing this problem in combination with this 
> new change. With kernel 5.15.94 as a base it works fine.
> 
> The problem is not showing up when the backport of this patch is reverted.
> 
> This warning was reported:
> 
> [  257.978586] ------------[ cut here ]------------
> [  257.987882] WARNING: CPU: 0 PID: 4377 at net/core/stream.c:212 
> inet_csk_destroy_sock+0x6c/0x17c

Hi,

Thanks for the report.

Both WARNINGs come from the same place, which was removed in the
next patch in this series.

It seems the stable tree only backported this patch without the
following one.  I'll cook patches for 4.14/4.19/5.4/5.10/5.15/6.1.
Until they go into stable, please apply this patch on top of
your tree.
https://lore.kernel.org/netdev/20230210002202.81442-3-kuniyu@amazon.com/

Thanks,
Kuniyuki


> [  258.005287] Modules linked in: rt2800soc rt2800mmio rt2800lib pppoe 
> ppp_async nft_fib_inet nf_flow_table_ipv6 nf_flow_table_ipv4 
> nf_flow_table_inet rt2x00soc rt2x00mmio rt2x00lib pppox ppp_generic 
> nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir 
> nft_quota nft_objref nft_numgen nft_nat nft_masq nft_log nft_limit 
> nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct 
> nft_counter nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack 
> mt76x2e mt76x2_common mt76x02_lib mt76 mac80211 lzo cfg80211 slhc 
> nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 
> nf_defrag_ipv4 lzo_rle lzo_decompress lzo_compress libcrc32c crc_ccitt 
> compat sha256_generic libsha256 seqiv jitterentropy_rng drbg hmac cmac 
> crypto_acompress leds_gpio gpio_button_hotplug crc32c_generic
> [  258.146540] CPU: 0 PID: 4377 Comm: dnsmasq Tainted: G        W 
>   5.15.95 #0
> [  258.161475] Stack : 00000000 00000000 80c099dc 80860000 806b0000 
> 80608730 80f19830 806abe23
> [  258.178178]         808633b4 00001119 00000003 80061c60 80601eac 
> 00000001 80c09998 84245f1d
> [  258.194872]         00000000 00000000 80608730 80c09830 fffff171 
> 00000000 00000000 ffffffea
> [  258.211568]         00000000 80c0983c 00000171 806b2278 80860000 
> 00000009 00000000 804651e0
> [  258.228273]         00000009 00000003 00000002 00000006 00000018 
> 803347a4 00000000 80860000
> [  258.244993]         ...
> [  258.249877] Call Trace:
> [  258.254737] [<8000700c>] show_stack+0x28/0xf0
> [  258.263459] [<8002622c>] __warn+0x9c/0x124
> [  258.271649] [<80026310>] warn_slowpath_fmt+0x5c/0xac
> [  258.281564] [<804651e0>] inet_csk_destroy_sock+0x6c/0x17c
> [  258.292356] [<80479328>] tcp_reset+0x50/0xb0
> [  258.300896] [<8047973c>] tcp_validate_incoming+0x3b4/0x624
> [  258.311853] [<8047bc48>] tcp_rcv_state_process+0x32c/0xf80
> [  258.322810] [<80521fa0>] tcp_v6_do_rcv+0x290/0x4e4
> [  258.332400] [<80522da0>] tcp_v6_rcv+0xbac/0xc3c
> [  258.341454] [<804e6798>] ip6_protocol_deliver_rcu+0x118/0x640
> [  258.352945] [<804e6d6c>] ip6_input+0x84/0x9c
> [  258.361477] [<803e224c>] __netif_receive_skb_one_core+0x44/0x54
> [  258.373306] [<803e22ac>] netif_receive_skb+0x34/0xc8
> [  258.383221] [<8054ba34>] br_handle_frame_finish+0x330/0x5b0
> [  258.394362] [<8054c140>] br_handle_frame+0x48c/0x4fc
> [  258.404279] [<803dfa30>] __netif_receive_skb_core.constprop.0+0x268/0xc30
> [  258.417839] [<803e04e4>] __netif_receive_skb_list_core+0xec/0x224
> [  258.430008] [<803e07c0>] netif_receive_skb_list_internal+0x1a4/0x254
> [  258.442718] [<81c35b08>] ieee80211_rx_napi+0x84/0x8c [mac80211]
> [  258.454881] [<819e07c0>] rt2x00lib_rxdone+0x318/0x940 [rt2x00lib]
> [  258.467100] [<819bf08c>] rt2x00mmio_rxdone+0x8c/0xd8 [rt2x00mmio]
> [  258.479279] [<819f6df0>] rt2800mmio_rxdone_tasklet+0x18/0xac [rt2800mmio]
> [  258.492844] [<800294ec>] tasklet_action_common.constprop.0+0xc0/0xf8
> [  258.505545] [<8057742c>] __do_softirq+0x10c/0x2c4
> [  258.514934] [<80002950>] except_vec_vi_end+0xb8/0xc4
> [  258.524847] [<8013b058>] __do_munmap+0xac/0x54c
> [  258.533917] [<8013b55c>] __vm_munmap+0x64/0xd4
> [  258.542800] [<8000ea44>] syscall_common+0x34/0x58
> [  258.552197]
> [  258.555161] ---[ end trace 5910e4a6b837d518 ]---
> 
> And this one:
> [  259.281306] ------------[ cut here ]------------
> [  259.290596] WARNING: CPU: 0 PID: 502 at net/core/stream.c:212 
> inet_csk_destroy_sock+0x6c/0x17c
> [  259.307833] Modules linked in: rt2800soc rt2800mmio rt2800lib pppoe 
> ppp_async nft_fib_inet nf_flow_table_ipv6 nf_flow_table_ipv4 
> nf_flow_table_inet rt2x00soc rt2x00mmio rt2x00lib pppox ppp_generic 
> nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir 
> nft_quota nft_objref nft_numgen nft_nat nft_masq nft_log nft_limit 
> nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct 
> nft_counter nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack 
> mt76x2e mt76x2_common mt76x02_lib mt76 mac80211 lzo cfg80211 slhc 
> nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 
> nf_defrag_ipv4 lzo_rle lzo_decompress lzo_compress libcrc32c crc_ccitt 
> compat sha256_generic libsha256 seqiv jitterentropy_rng drbg hmac cmac 
> crypto_acompress leds_gpio gpio_button_hotplug crc32c_generic
> [  259.449095] CPU: 0 PID: 502 Comm: napi/phy0-3 Tainted: G        W 
>      5.15.95 #0
> [  259.464551] Stack : 00000000 00000000 81a21934 80860000 806b0000 
> 80608730 80e38870 806abe23
> [  259.481251]         808633b4 000001f6 00000003 80061c60 80601eac 
> 00000001 81a218f0 22ee1ee2
> [  259.497945]         00000000 00000000 80608730 81a21788 fffff19a 
> 00000000 00000000 ffffffea
> [  259.514639]         00000000 81a21794 0000019a 806b2278 80860000 
> 00000009 00000000 804651e0
> [  259.531332]         00000009 00000003 00000002 00000006 00000018 
> 803347a4 00000000 80860000
> [  259.548030]         ...
> [  259.552907] Call Trace:
> [  259.557767] [<8000700c>] show_stack+0x28/0xf0
> [  259.566489] [<8002622c>] __warn+0x9c/0x124
> [  259.574672] [<80026310>] warn_slowpath_fmt+0x5c/0xac
> [  259.584584] [<804651e0>] inet_csk_destroy_sock+0x6c/0x17c
> [  259.595374] [<80479328>] tcp_reset+0x50/0xb0
> [  259.603909] [<8047973c>] tcp_validate_incoming+0x3b4/0x624
> [  259.614861] [<8047bc48>] tcp_rcv_state_process+0x32c/0xf80
> [  259.625817] [<80521fa0>] tcp_v6_do_rcv+0x290/0x4e4
> [  259.635399] [<80522da0>] tcp_v6_rcv+0xbac/0xc3c
> [  259.644451] [<804e6798>] ip6_protocol_deliver_rcu+0x118/0x640
> [  259.655939] [<804e6d6c>] ip6_input+0x84/0x9c
> [  259.664461] [<803e224c>] __netif_receive_skb_one_core+0x44/0x54
> [  259.676289] [<803e22ac>] netif_receive_skb+0x34/0xc8
> [  259.686201] [<8054ba34>] br_handle_frame_finish+0x330/0x5b0
> [  259.697339] [<8054c140>] br_handle_frame+0x48c/0x4fc
> [  259.707255] [<803dfa30>] __netif_receive_skb_core.constprop.0+0x268/0xc30
> [  259.720807] [<803e04e4>] __netif_receive_skb_list_core+0xec/0x224
> [  259.732979] [<803e07c0>] netif_receive_skb_list_internal+0x1a4/0x254
> [  259.745670] [<803e0bf8>] napi_complete_done+0x74/0x214
> [  259.755957] [<818f2484>] mt76_dma_rx_poll+0x4b0/0x50c [mt76]
> [  259.767307] [<803e0e08>] __napi_poll+0x70/0x1f8
> [  259.776358] [<803e1034>] napi_threaded_poll+0xa4/0x110
> [  259.786618] [<80045ef0>] kthread+0x140/0x164
> [  259.795161] [<80002458>] ret_from_kernel_thread+0x14/0x1c
> [  259.805942]
> [  259.808899] ---[ end trace 5910e4a6b837d519 ]---
> 
> Hauke
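
The accounting problem described in the quoted commit message, as an added example that is not part of the thread or the kernel source: a userspace model in which taking ownership of a buffer without a prior reservation drives the forward-allocation counter negative, while reserve-then-charge keeps it non-negative or refuses. The struct, the function names, the 4096-byte quantum and the 768-byte buffer size are assumptions made for illustration.

```c
/* Userspace model of socket receive-memory accounting; NOT kernel code.
 * Names, the 4096-byte quantum and the sample sizes are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#define QUANTUM 4096

struct model_sock {
    int forward_alloc;   /* bytes reserved but not yet charged */
    int rmem_alloc;      /* bytes charged to receive buffers */
    int pool;            /* bytes still available to reserve (pressure limit) */
};

/* Reserve whole quanta until `size` bytes can be charged; may refuse. */
static bool model_rmem_schedule(struct model_sock *sk, int size)
{
    int need = size - sk->forward_alloc;
    if (need <= 0)
        return true;
    int amt = (need + QUANTUM - 1) / QUANTUM * QUANTUM;
    if (amt > sk->pool)
        return false;
    sk->pool -= amt;
    sk->forward_alloc += amt;
    return true;
}

/* Pattern the commit message describes as the bug: charge, no reservation. */
static int charge_unchecked(struct model_sock *sk, int truesize)
{
    sk->rmem_alloc += truesize;
    sk->forward_alloc -= truesize;
    return sk->forward_alloc;
}

/* Pattern of the fix: take ownership only when the reservation succeeds. */
static bool charge_checked(struct model_sock *sk, int truesize)
{
    if (!model_rmem_schedule(sk, truesize))
        return false;            /* caller drops the clone instead */
    sk->rmem_alloc += truesize;
    sk->forward_alloc -= truesize;
    return true;
}

int main(void)
{
    struct model_sock a = {0, 0, 8192}, b = {0, 0, 8192};
    bool ok = charge_checked(&b, 768);
    printf("unchecked=%d checked=%d (ok=%d)\n", charge_unchecked(&a, 768), b.forward_alloc, ok);
    return 0;
}
```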
