lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Nov 2023 23:12:05 +0100
From: Antony Antony <antony@...nome.org>
To: Christian Hopps <chopps@...pps.org>
Cc: devel@...ux-ipsec.org, netdev@...r.kernel.org,
	Christian Hopps <chopps@...n.net>
Subject: Re: [devel-ipsec] [RFC ipsec-next v2 0/8] Add IP-TFS mode to xfrm

Hi Chris,

I got a crash when running inside a  namespace using veth. I got twice. It 
is not 100% reproducable. 

Note: I have KASAN enabled.

[  226.323824] BUG: KASAN: null-ptr-deref in 
iptfs_output_collect+0x1f5/0x61a
[  226.325155] Read of size 8 at addr 0000000000000478 by task ping/5276
[  226.325980]
[  226.326220] CPU: 2 PID: 5276 Comm: ping Not tainted 6.6.0-rc1-00528-gadd9146753b7 #95
[  226.327219] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[  226.328396] Call Trace:
[  226.328791]  <TASK>
[  226.329099]  dump_stack_lvl+0x33/0x42
[  226.329597]  kasan_report+0xa0/0xc3
[  226.330074]  ? iptfs_output_collect+0x1f5/0x61a
[  226.330678]  iptfs_output_collect+0x1f5/0x61a
[  226.331259]  ip_send_skb+0x25/0x58
[  226.331724]  raw_sendmsg+0xec4/0xfee
[  226.332223]  ? raw_hash_sk+0x224/0x224
[  226.332741]  ? kasan_unpoison+0x44/0x52
[  226.333258]  ? kernel_init_pages+0x42/0x51
[  226.333810]  ? post_alloc_hook+0xba/0xe0
[  226.334339]  ? prep_new_page+0x44/0x51
[  226.334849]  ? ma_data_end+0x6e/0x88
[  226.335338]  ? preempt_count_sub+0x14/0xb5
[  226.335894]  ? zone_watermark_fast.isra.0+0x12b/0x12b
[  226.336577]  ? __might_resched+0x8d/0x248
[  226.337116]  ? __might_sleep+0x27/0xa2
[  226.337626]  ? first_zones_zonelist+0x2c/0x43
[  226.338211]  ? do_raw_spin_lock+0x72/0xbb
[  226.338752]  ? __might_resched+0x8d/0x248
[  226.339291]  ? __might_sleep+0x27/0xa2
[  226.339801]  ? inet_send_prepare+0x59/0x59
[  226.340356]  ? sock_sendmsg_nosec+0x42/0x6c
[  226.340924]  sock_sendmsg_nosec+0x42/0x6c
[  226.341465]  __sys_sendto+0x172/0x1e1
[  226.341964]  ? __x64_sys_getpeername+0x44/0x44
[  226.342558]  ? folio_batch_add_and_move+0x6a/0x7d
[  226.343189]  ? find_vma+0x6b/0x8b
[  226.343646]  ? find_vma_intersection+0x8a/0x8a
[  226.344246]  ? handle_mm_fault+0xfa/0x163
[  226.344788]  ? preempt_latency_start+0x41/0x4c
[  226.345385]  ? preempt_count_sub+0x14/0xb5
[  226.345937]  __x64_sys_sendto+0x76/0x82
[  226.346456]  do_syscall_64+0x58/0x78
[  226.346946]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[  226.347611] RIP: 0033:0x7f378b00ba73
[  226.348095] Code: 8b 15 a9 83 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 80 3d 71 0b 0d 00 00 41 89 ca 74 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 55 48 83 ec 30 44 89 4c 24
[  226.350433] RSP: 002b:00007fff58f9c148 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[  226.351400] RAX: ffffffffffffffda RBX: 00005591b05fa340 RCX: 00007f378b00ba73
[  226.352318] RDX: 0000000000000040 RSI: 00005591b06003c0 RDI: 0000000000000003
[  226.353233] RBP: 00005591b06003c0 R08: 00005591b05fc5c0 R09: 0000000000000010
[  226.354147] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000040
[  226.355061] R13: 00007fff58f9d830 R14: 0000001d00000001 R15: 00005591b05fd680
[  226.355978]  </TASK>
[  226.356301] ==================================================================
[  226.357274] Disabling lock debugging due to kernel taint
[  226.357973] BUG: kernel NULL pointer dereference, address: 0000000000000478
[  226.358865] #PF: supervisor read access in kernel mode
[  226.359540] #PF: error_code(0x0000) - not-present page
[  226.360220] PGD 0 P4D 0
[  226.360594] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
[  226.361346] CPU: 2 PID: 5276 Comm: ping Tainted: G    B              6.6.0-rc1-00528-gadd9146753b7 #95
[  226.362520] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[  226.363693] RIP: 0010:iptfs_output_collect+0x1f5/0x61a
[  226.364376] Code: c1 ff ff 65 ff 0d 12 29 35 7e 75 05 e8 c3 f0 31 ff 48 8d 7b 10 e8 4b 16 6b ff 4c 8b 73 10 49 8d be 78 04 00 00 e8 3b 16 6b ff <4d> 8b b6 78 04 00 00 49 8d be c0 01 00 00 e8 28 16 6b ff 49 8b 86
[  226.366704] RSP: 0018:ffffc9000a357998 EFLAGS: 00010296
[  226.367389] RAX: 0000000000000001 RBX: ffff8881123a7a00 RCX: fffffbfff075e9f5
[  226.368308] RDX: fffffbfff075e9f5 RSI: fffffbfff075e9f5 RDI: ffffffff83af4fa0
[  226.369237] RBP: ffff88810f45ac00 R08: 0000000000000008 R09: 0000000000000001
[  226.370154] R10: ffffffff83af4fa7 R11: fffffbfff075e9f4 R12: 0000000000000000
[  226.371070] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888114cbeb01
[  226.371984] FS:  00007f378ad4fc40(0000) GS:ffff88815ad00000(0000) knlGS:0000000000000000
[  226.373029] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  226.373777] CR2: 0000000000000478 CR3: 00000001083e9000 CR4: 0000000000350ee0
[  226.374693] Call Trace:
[  226.375042]  <TASK>
[  226.375352]  ? __die_body+0x1a/0x58
[  226.375828]  ? page_fault_oops+0x459/0x4c7
[  226.376387]  ? irq_work_queue+0x2c/0x41
[  226.376915]  ? dump_pagetable+0x1db/0x1db
[  226.377453]  ? vprintk_emit+0x187/0x195
[  226.377972]  ? iptfs_output_collect+0x1f5/0x61a
[  226.378576]  ? _printk+0xb2/0xe1
[  226.379021]  ? syslog_print+0x340/0x340
[  226.379541]  ? do_user_addr_fault+0x156/0x59f
[  226.380713]  ? exc_page_fault+0xaa/0xc3
[  226.381234]  ? asm_exc_page_fault+0x22/0x30
[  226.381795]  ? iptfs_output_collect+0x1f5/0x61a
[  226.382399]  ? iptfs_output_collect+0x1f5/0x61a
[  226.383002]  ip_send_skb+0x25/0x58
[  226.383469]  raw_sendmsg+0xec4/0xfee
[  226.383958]  ? raw_hash_sk+0x224/0x224
[  226.385083]  ? kasan_unpoison+0x44/0x52
[  226.385866]  ? kernel_init_pages+0x42/0x51
[  226.386687]  ? post_alloc_hook+0xba/0xe0
[  226.387559]  ? prep_new_page+0x44/0x51
[  226.388522]  ? ma_data_end+0x6e/0x88
[  226.389365]  ? preempt_count_sub+0x14/0xb5
[  226.390575]  ? zone_watermark_fast.isra.0+0x12b/0x12b
[  226.391555]  ? __might_resched+0x8d/0x248
[  226.392127]  ? __might_sleep+0x27/0xa2
[  226.392794]  ? first_zones_zonelist+0x2c/0x43
[  226.393684]  ? do_raw_spin_lock+0x72/0xbb
[  226.394501]  ? __might_resched+0x8d/0x248
[  226.395324]  ? __might_sleep+0x27/0xa2
[  226.396204]  ? inet_send_prepare+0x59/0x59
[  226.397042]  ? sock_sendmsg_nosec+0x42/0x6c
[  226.397879]  sock_sendmsg_nosec+0x42/0x6c
[  226.398704]  __sys_sendto+0x172/0x1e1
[  226.399465]  ? __x64_sys_getpeername+0x44/0x44
[  226.400367]  ? folio_batch_add_and_move+0x6a/0x7d
[  226.401327]  ? find_vma+0x6b/0x8b
[  226.401812]  ? find_vma_intersection+0x8a/0x8a
[  226.402442]  ? handle_mm_fault+0xfa/0x163
[  226.403014]  ? preempt_latency_start+0x41/0x4c
[  226.403641]  ? preempt_count_sub+0x14/0xb5
[  226.404224]  __x64_sys_sendto+0x76/0x82
[  226.404790]  do_syscall_64+0x58/0x78
[  226.405306]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[  226.406010] RIP: 0033:0x7f378b00ba73
[  226.406524] Code: 8b 15 a9 83 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 80 3d 71 0b 0d 00 00 41 89 ca 74 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 55 48 83 ec 30 44 89 4c 24
[  226.408990] RSP: 002b:00007fff58f9c148 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[  226.410020] RAX: ffffffffffffffda RBX: 00005591b05fa340 RCX: 00007f378b00ba73
[  226.410992] RDX: 0000000000000040 RSI: 00005591b06003c0 RDI: 0000000000000003
[  226.411968] RBP: 00005591b06003c0 R08: 00005591b05fc5c0 R09: 0000000000000010
[  226.412948] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000040
[  226.413923] R13: 00007fff58f9d830 R14: 0000001d00000001 R15: 00005591b05fd680
[  226.414904]  </TASK>
[  226.415243] Modules linked in:
[  226.415697] CR2: 0000000000000478
[  226.416181] ---[ end trace 0000000000000000 ]---
[  226.416848] RIP: 0010:iptfs_output_collect+0x1f5/0x61a
[  226.417569] Code: c1 ff ff 65 ff 0d 12 29 35 7e 75 05 e8 c3 f0 31 ff 48 8d 7b 10 e8 4b 16 6b ff 4c 8b 73 10 49 8d be 78 04 00 00 e8 3b 16 6b ff <4d> 8b b6 78 04 00 00 49 8d be c0 01 00 00 e8 28 16 6b ff 49 8b 86
[  226.420031] RSP: 0018:ffffc9000a357998 EFLAGS: 00010296
[  226.420764] RAX: 0000000000000001 RBX: ffff8881123a7a00 RCX: fffffbfff075e9f5
[  226.421733] RDX: fffffbfff075e9f5 RSI: fffffbfff075e9f5 RDI: ffffffff83af4fa0
[  226.422704] RBP: ffff88810f45ac00 R08: 0000000000000008 R09: 0000000000000001
[  226.423671] R10: ffffffff83af4fa7 R11: fffffbfff075e9f4 R12: 0000000000000000
[  226.424646] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888114cbeb01
[  226.425616] FS:  00007f378ad4fc40(0000) GS:ffff88815ad00000(0000) knlGS:0000000000000000
[  226.426709] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  226.427501] CR2: 0000000000000478 CR3: 00000001083e9000 CR4: 0000000000350ee0
[  226.428492] Kernel panic - not syncing: Fatal exception in interrupt
[  226.429587] Kernel Offset: disabled
[  226.430096] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

(gdb) list *iptfs_output_collect+0x1f5
0xffffffff81ce40d6 is in iptfs_output_collect (./include/net/net_namespace.h:385).
380	}
381
382	static inline struct net *read_pnet(const possible_net_t *pnet)
383	{
384	#ifdef CONFIG_NET_NS
385		return pnet->net;
386	#else
387		return &init_net;
388	#endif
389	}


On Sun, Nov 12, 2023 at 10:52:11PM -0500, Christian Hopps via Devel wrote:
> From: Christian Hopps <chopps@...n.net>
> 
> This patchset adds a new xfrm mode implementing on-demand IP-TFS. IP-TFS
> (AggFrag encapsulation) has been standardized in RFC9347.
> 
> Link: https://www.rfc-editor.org/rfc/rfc9347.txt
> 
> This feature supports demand driven (i.e., non-constant send rate) IP-TFS to
> take advantage of the AGGFRAG ESP payload encapsulation. This payload type
> supports aggregation and fragmentation of the inner IP packet stream which in
> turn yields higher small-packet bandwidth as well as reducing MTU/PMTU issues.
> Congestion control is unimplementated as the send rate is demand driven rather
> than constant.
> 
> In order to allow loading this fucntionality as a module a set of callbacks
> xfrm_mode_cbs has been added to xfrm as well.
> -- 
> Devel mailing list
> Devel@...ux-ipsec.org
> https://linux-ipsec.org/mailman/listinfo/devel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ