lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87a5vp6vrv.fsf@nvidia.com>
Date: Fri, 21 Jul 2023 16:57:02 +0200
From: Petr Machata <petrm@...dia.com>
To: Daniel Borkmann <daniel@...earbox.net>
CC: <ast@...nel.org>, <andrii@...nel.org>, <martin.lau@...ux.dev>,
	<razor@...ckwall.org>, <sdf@...gle.com>, <john.fastabend@...il.com>,
	<kuba@...nel.org>, <dxu@...uu.xyz>, <joe@...ium.io>, <toke@...nel.org>,
	<davem@...emloft.net>, <bpf@...r.kernel.org>, <netdev@...r.kernel.org>
Subject: Re: [PATCH bpf-next v6 2/8] bpf: Add fd-based tcx multi-prog infra
 with link support

As of this patch (commit e420bed02507), TC qdisc installation and/or
removal cause memory access issues in the system.

A semi-minimal reproducer is:

    bash-5.2# ip l a name v1 type veth peer name v2
    bash-5.2# ip l s dev v1 up
    bash-5.2# ip l s dev v2 up
    bash-5.2# tc q a dev v1 ingress
    bash-5.2# tc q d dev v1 ingress
    bash-5.2# tc q a dev v1 ingress
    bash-5.2# tc q d dev v1 ingress

It's a bit finnicky, but only a little. For me, the first two "tc q"
operations never triggered a splat. Then it could take a few "tc q a"
"tc q d" iterations to get it to splat. So it looks like maybe the first
"tc q d" is the problematic bit? And then there's some likelihood of
failing on any following "tc q" operation. The above in particular
produced three warning splats for me (attached as decoded.txt,
decoded2.txt and decoded3.txt). Probing further:

    bash-5.2# tc q a dev v1 ingress

Produced two more splats from KASAN (decoded4.txt and decoded5.txt),
which look more serious.

Further attempts to prod the system deadlock it, I guess because RTNL
was left locked.

Reverting e420bed02507, and fe20ce3a5126 + 55cc3768473e that fail to
build without it, makes net-next/main work again.


View attachment "decoded.txt" of type "text/plain" (13473 bytes)

View attachment "decoded2.txt" of type "text/plain" (13363 bytes)

View attachment "decoded3.txt" of type "text/plain" (12055 bytes)

View attachment "decoded4.txt" of type "text/plain" (16024 bytes)

View attachment "decoded5.txt" of type "text/plain" (12805 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ