| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <726368f0-bbe9-6aeb-7007-6f974ed075f2@iogearbox.net>
Date: Wed, 25 Oct 2023 12:01:51 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: Ido Schimmel <idosch@...sch.org>
Cc: kuba@...nel.org, netdev@...r.kernel.org, bpf@...r.kernel.org,
jhs@...atatu.com, victor@...atatu.com, martin.lau@...ux.dev, dxu@...uu.xyz,
xiyou.wangcong@...il.com
Subject: Re: [PATCH net-next v2 1/2] net, sched: Make tc-related drop reason
more flexible
Hi Ido,
On 10/25/23 10:59 AM, Ido Schimmel wrote:
> On Mon, Oct 09, 2023 at 11:26:54AM +0200, Daniel Borkmann wrote:
>> diff --git a/net/core/dev.c b/net/core/dev.c
>> index 606a366cc209..664426285fa3 100644
>> --- a/net/core/dev.c
>> +++ b/net/core/dev.c
>> @@ -3910,7 +3910,8 @@ EXPORT_SYMBOL_GPL(netdev_xmit_skip_txqueue);
>> #endif /* CONFIG_NET_EGRESS */
>>
>> #ifdef CONFIG_NET_XGRESS
>> -static int tc_run(struct tcx_entry *entry, struct sk_buff *skb)
>> +static int tc_run(struct tcx_entry *entry, struct sk_buff *skb,
>> + enum skb_drop_reason *drop_reason)
>> {
>> int ret = TC_ACT_UNSPEC;
>> #ifdef CONFIG_NET_CLS_ACT
>> @@ -3922,12 +3923,14 @@ static int tc_run(struct tcx_entry *entry, struct sk_buff *skb)
>>
>> tc_skb_cb(skb)->mru = 0;
>> tc_skb_cb(skb)->post_ct = false;
>> + res.drop_reason = *drop_reason;
>>
>> mini_qdisc_bstats_cpu_update(miniq, skb);
>> ret = tcf_classify(skb, miniq->block, miniq->filter_list, &res, false);
>> /* Only tcf related quirks below. */
>> switch (ret) {
>> case TC_ACT_SHOT:
>> + *drop_reason = res.drop_reason;
>
> Daniel,
>
> Getting the following splat [1] with CONFIG_DEBUG_NET=y and this
> reproducer [2]. Problem seems to be that classifiers clear 'struct
> tcf_result::drop_reason', thereby triggering the warning in
> __kfree_skb_reason() due to reason being 'SKB_NOT_DROPPED_YET' (0).
>
> Fixed by maintaining the original drop reason if the one returned from
> tcf_classify() is 'SKB_NOT_DROPPED_YET' [3]. I can submit this fix
> unless you have a better idea.
Thanks for catching this, looks reasonable to me as a fix.
> [1]
> WARNING: CPU: 0 PID: 181 at net/core/skbuff.c:1082 kfree_skb_reason+0x38/0x130
> Modules linked in:
> CPU: 0 PID: 181 Comm: mausezahn Not tainted 6.6.0-rc6-custom-ge43e6d9582e0 #682
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014
> RIP: 0010:kfree_skb_reason+0x38/0x130
> [...]
> Call Trace:
> <IRQ>
> __netif_receive_skb_core.constprop.0+0x837/0xdb0
> __netif_receive_skb_one_core+0x3c/0x70
> process_backlog+0x95/0x130
> __napi_poll+0x25/0x1b0
> net_rx_action+0x29b/0x310
> __do_softirq+0xc0/0x29b
> do_softirq+0x43/0x60
> </IRQ>
>
> [2]
> #!/bin/bash
>
> ip link add name veth0 type veth peer name veth1
> ip link set dev veth0 up
> ip link set dev veth1 up
> tc qdisc add dev veth1 clsact
> tc filter add dev veth1 ingress pref 1 proto all flower dst_mac 00:11:22:33:44:55 action drop
> mausezahn veth0 -a own -b 00:11:22:33:44:55 -q -c 1
I didn't know you're using mausezahn, nice :)
> [3]
> diff --git a/net/core/dev.c b/net/core/dev.c
> index a37a932a3e14..abd0b13f3f17 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -3929,7 +3929,8 @@ static int tc_run(struct tcx_entry *entry, struct sk_buff *skb,
> /* Only tcf related quirks below. */
> switch (ret) {
> case TC_ACT_SHOT:
> - *drop_reason = res.drop_reason;
> + if (res.drop_reason != SKB_NOT_DROPPED_YET)
> + *drop_reason = res.drop_reason;
> mini_qdisc_qstats_cpu_drop(miniq);
> break;
> case TC_ACT_OK:
>
When you submit feel free to add:
Acked-by: Daniel Borkmann <daniel@...earbox.net>
Powered by blists - more mailing lists