Message-ID: <CAMqyJG1aPBsRFz1XK2JvqY+QUg2HhxugVXG1ZaF8yKYg=KoP3Q@mail.gmail.com>
Date: Wed, 2 Oct 2024 12:40:15 +0200
From: En-Wei WU <en-wei.wu@...onical.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: Peter Seiderer <ps.report@....net>, steffen.klassert@...unet.com, 
	herbert@...dor.apana.org.au, davem@...emloft.net, kuba@...nel.org, 
	pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, 
	kai.heng.feng@...onical.com, chia-lin.kao@...onical.com, 
	anthony.wong@...onical.com, kuan-ying.lee@...onical.com, 
	chris.chiu@...onical.com
Subject: Re: [PATCH ipsec v2] xfrm: check MAC header is shown with both
 skb->mac_len and skb_mac_header_was_set()

Hi,

I would kindly ask if there is any progress :)

Thanks.
En-Wei.

On Fri, 13 Sept 2024 at 09:04, Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Fri, Sep 13, 2024 at 7:29 AM En-Wei WU <en-wei.wu@...onical.com> wrote:
> >
> > > Could you try the following patch, and compile your test kernel with
> > > CONFIG_DEBUG_NET=y ?
> > [  323.870221] ------------[ cut here ]------------
> > [  323.870226] WARNING: CPU: 2 PID: 26 at include/linux/skbuff.h:2904
> > __netif_receive_skb_core.constprop.0+0x201/0x39d0
> > [  323.870369] CPU: 2 UID: 0 PID: 26 Comm: ksoftirqd/2 Not tainted
> > 6.11.0-rc6-c763c4339688+ #12
> > [  323.870372] Hardware name: Dell Inc. Latitude 5340/0SG010, BIOS
> > 1.15.0 07/15/2024
> > [  323.870373] RIP: 0010:__netif_receive_skb_core.constprop.0+0x201/0x39d0
> > [  323.870376] Code: 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0
> > 7c 08 84 d2 0f 85 b4 24 00 00 41 0f b7 87 ba 00 00 00 29 c3 66 83 f8
> > ff 75 04 <0f> 0b 31 db 48 b8 00 00 00 00 00 fc ff df 49 8d 7f 78 48 89
> > fa 48
> > [  323.870378] RSP: 0018:ffffc90000377838 EFLAGS: 00010246
> > [  323.870380] RAX: 000000000000ffff RBX: 00000000ffff0061 RCX: ffff88876cf48090
> > [  323.870381] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881756b2e7a
> > [  323.870382] RBP: ffffc90000377a88 R08: ffff88876cf48184 R09: 0000000000000000
> > [  323.870383] R10: 0000000000000000 R11: 1ffff1102ead65b9 R12: ffff8881756b2dc0
> > [  323.870384] R13: ffffc90000377b20 R14: ffff8881635ca000 R15: ffff8881756b2dc0
> > [  323.870385] FS:  0000000000000000(0000) GS:ffff88876cf00000(0000)
> > knlGS:0000000000000000
> > [  323.870387] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [  323.870388] CR2: 0000769acfa9d080 CR3: 0000000712498000 CR4: 0000000000f50ef0
> > [  323.870389] PKRU: 55555554
> > [  323.870390] Call Trace:
> > [  323.870391]  <TASK>
> > [  323.870393]  ? show_regs+0x71/0x90
> > [  323.870397]  ? __warn+0xce/0x270
> > [  323.870399]  ? __netif_receive_skb_core.constprop.0+0x201/0x39d0
> > [  323.870401]  ? report_bug+0x2ad/0x300
> > [  323.870404]  ? handle_bug+0x46/0x90
> > [  323.870407]  ? exc_invalid_op+0x19/0x50
> > [  323.870409]  ? asm_exc_invalid_op+0x1b/0x20
> > [  323.870413]  ? __netif_receive_skb_core.constprop.0+0x201/0x39d0
> > [  323.870415]  ? intel_iommu_iotlb_sync_map+0x1a/0x30
> > [  323.870418]  ? iommu_map+0xab/0x140
> > [  323.870421]  ? __pfx___netif_receive_skb_core.constprop.0+0x10/0x10
> > [  323.870423]  ? iommu_dma_map_page+0x159/0x720
> > [  323.870425]  ? dma_map_page_attrs+0x568/0xdc0
> > [  323.870427]  ? __kasan_slab_alloc+0x9d/0xa0
> > [  323.870430]  ? __pfx_dma_map_page_attrs+0x10/0x10
> > [  323.870431]  ? __kasan_check_write+0x14/0x30
> > [  323.870434]  ? __build_skb_around+0x23a/0x350
> > [  323.870437]  __netif_receive_skb_one_core+0xb4/0x1d0
> > [  323.870439]  ? __pfx___netif_receive_skb_one_core+0x10/0x10
> > [  323.870441]  ? __kasan_check_write+0x14/0x30
> > [  323.870443]  ? _raw_spin_lock_irq+0x8b/0x100
> > [  323.870445]  __netif_receive_skb+0x21/0x160
> > [  323.870447]  process_backlog+0x1c0/0x590
> > [  323.870449]  __napi_poll+0xab/0x560
> > [  323.870451]  net_rx_action+0x53e/0xd10
> > [  323.870453]  ? __pfx_net_rx_action+0x10/0x10
> > [  323.870455]  ? __pfx_wake_up_var+0x10/0x10
> > [  323.870457]  ? tasklet_action_common.constprop.0+0x22c/0x670
> > [  323.870461]  handle_softirqs+0x18f/0x5d0
> > [  323.870463]  ? __pfx_run_ksoftirqd+0x10/0x10
> > [  323.870465]  run_ksoftirqd+0x3c/0x60
> > [  323.870467]  smpboot_thread_fn+0x2f3/0x700
> > [  323.870470]  kthread+0x2b5/0x390
> > [  323.870472]  ? __pfx_smpboot_thread_fn+0x10/0x10
> > [  323.870474]  ? __pfx_kthread+0x10/0x10
> > [  323.870476]  ret_from_fork+0x43/0x90
> > [  323.870478]  ? __pfx_kthread+0x10/0x10
> > [  323.870480]  ret_from_fork_asm+0x1a/0x30
> > [  323.870483]  </TASK>
> > [  323.870484] ---[ end trace 0000000000000000 ]---
> > [  350.300485] Initializing XFRM netlink socket
> > [  351.586993] ------------[ cut here ]------------
> > [  351.586999] WARNING: CPU: 2 PID: 26 at include/linux/skbuff.h:2904
> > dev_gro_receive+0x172c/0x2860
> > [  351.587141] CPU: 2 UID: 0 PID: 26 Comm: ksoftirqd/2 Tainted: G
> >   W          6.11.0-rc6-c763c4339688+ #12
> > [  351.587144] Tainted: [W]=WARN
> > [  351.587145] Hardware name: Dell Inc. Latitude 5340/0SG010, BIOS
> > 1.15.0 07/15/2024
> > [  351.587147] RIP: 0010:dev_gro_receive+0x172c/0x2860
> > [  351.587149] Code: 07 83 c2 01 38 ca 7c 08 84 c9 0f 85 d2 09 00 00
> > 8d 14 c5 00 00 00 00 41 0f b6 45 46 83 e0 c7 09 d0 41 88 45 46 e9 ee
> > f9 ff ff <0f> 0b 45 31 f6 e9 64 f7 ff ff 45 31 e4 81 e3 c0 00 00 00 41
> > 0f 95
> > [  351.587151] RSP: 0018:ffffc90000377aa8 EFLAGS: 00010246
> > [  351.587153] RAX: ffff888128d72840 RBX: ffffffff95a0d9c0 RCX: 0000000000000000
> > [  351.587154] RDX: 000000000000ffff RSI: ffff88876cf52418 RDI: ffff88815880ad3a
> > [  351.587155] RBP: ffffc90000377b48 R08: 0000000000000000 R09: 0000000000000000
> > [  351.587156] R10: 1ffff110ed9ea481 R11: 0000000000000000 R12: ffffffff95a0d9d0
> > [  351.587157] R13: ffff88815880ac80 R14: 00000000ffff008d R15: ffff88815880acb8
> > [  351.587159] FS:  0000000000000000(0000) GS:ffff88876cf00000(0000)
> > knlGS:0000000000000000
> > [  351.587160] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [  351.587161] CR2: 000078e9ea9e25b0 CR3: 0000000712498000 CR4: 0000000000f50ef0
> > [  351.587163] PKRU: 55555554
> > [  351.587163] Call Trace:
> > [  351.587164]  <TASK>
> > [  351.587167]  ? show_regs+0x71/0x90
> > [  351.587171]  ? __warn+0xce/0x270
> > [  351.587173]  ? dev_gro_receive+0x172c/0x2860
> > [  351.587175]  ? report_bug+0x2ad/0x300
> > [  351.587178]  ? handle_bug+0x46/0x90
> > [  351.587181]  ? exc_invalid_op+0x19/0x50
> > [  351.587182]  ? asm_exc_invalid_op+0x1b/0x20
> > [  351.587187]  ? dev_gro_receive+0x172c/0x2860
> > [  351.587188]  ? dev_gro_receive+0xcdd/0x2860
> > [  351.587190]  ? __pfx___netif_receive_skb_one_core+0x10/0x10
> > [  351.587192]  ? __mutex_lock.constprop.0+0x150/0x1180
> > [  351.587195]  napi_gro_receive+0x3a2/0x900
> > [  351.587197]  gro_cell_poll+0xe5/0x1d0
> > [  351.587200]  __napi_poll+0xab/0x560
> > [  351.587202]  net_rx_action+0x53e/0xd10
> > [  351.587204]  ? __pfx_net_rx_action+0x10/0x10
> > [  351.587206]  ? __pfx_wake_up_var+0x10/0x10
> > [  351.587209]  ? tasklet_action_common.constprop.0+0x22c/0x670
> > [  351.587212]  handle_softirqs+0x18f/0x5d0
> > [  351.587214]  ? __pfx_run_ksoftirqd+0x10/0x10
> > [  351.587216]  run_ksoftirqd+0x3c/0x60
> > [  351.587218]  smpboot_thread_fn+0x2f3/0x700
> > [  351.587220]  kthread+0x2b5/0x390
> > [  351.587223]  ? __pfx_smpboot_thread_fn+0x10/0x10
> > [  351.587224]  ? __pfx_kthread+0x10/0x10
> > [  351.587226]  ret_from_fork+0x43/0x90
> > [  351.587229]  ? __pfx_kthread+0x10/0x10
> > [  351.587231]  ret_from_fork_asm+0x1a/0x30
> > [  351.587234]  </TASK>
> > [  351.587235] ---[ end trace 0000000000000000 ]---
> >
> > Seems like the __netif_receive_skb_core() and dev_gro_receive() are
> > the places where it calls skb_reset_mac_len() with skb->mac_header =
> > ~0U.
>
> Ouch, let me take a look.
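
Added example, not part of the thread and not kernel code: a userspace C model of the condition reported above, where skb_reset_mac_len() runs while skb->mac_header still holds the unset marker ~0U. It shows why a test on mac_len alone can be fooled and a test on both mac_len and "MAC header was set" is not. The struct, the function names, the 16-bit field widths and the offsets 0x60 and 0x52 are assumptions constructed for this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the three sk_buff fields involved (assumed 16-bit). */
struct model_skb {
    uint16_t mac_header;     /* offset from head, all-ones when unset */
    uint16_t network_header; /* offset from head */
    uint16_t mac_len;
};

#define MAC_HEADER_UNSET ((uint16_t)~0U)

static int mac_header_was_set(const struct model_skb *skb)
{
    return skb->mac_header != MAC_HEADER_UNSET;
}

/* Plain subtraction: wraps to a small non-zero value when mac_header is unset. */
static uint16_t reset_mac_len_unchecked(struct model_skb *skb)
{
    skb->mac_len = (uint16_t)(skb->network_header - skb->mac_header);
    return skb->mac_len;
}

/* Guarded variant (one possible guard): an unset MAC header gives mac_len 0. */
static uint16_t reset_mac_len_checked(struct model_skb *skb)
{
    skb->mac_len = mac_header_was_set(skb)
        ? (uint16_t)(skb->network_header - skb->mac_header) : 0;
    return skb->mac_len;
}

/* "Is a MAC header present?" decided from mac_len alone, or from both facts. */
static int has_mac_by_len(const struct model_skb *skb) { return skb->mac_len != 0; }
static int has_mac_by_both(const struct model_skb *skb)
{
    return skb->mac_len != 0 && mac_header_was_set(skb);
}

int main(void)
{
    /* Constructed sample: MAC header never set, network header at 0x60. */
    struct model_skb skb = { MAC_HEADER_UNSET, 0x60, 0 };

    printf("unchecked mac_len = 0x%x\n", (unsigned)reset_mac_len_unchecked(&skb));
    printf("len-only test: %d, combined test: %d\n",
           has_mac_by_len(&skb), has_mac_by_both(&skb));
    printf("checked mac_len   = 0x%x\n", (unsigned)reset_mac_len_checked(&skb));
    return 0;
}
```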
