| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z63zgLQ_ZFmkO9ys@shredder> Date: Thu, 13 Feb 2025 15:28:32 +0200 From: Ido Schimmel <idosch@...sch.org> To: Justin Iurman <justin.iurman@...ege.be> Cc: netdev@...r.kernel.org, davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, horms@...nel.org, Alexander Aring <alex.aring@...il.com>, David Lebrun <dlebrun@...gle.com> Subject: Re: [PATCH net v2 2/3] net: ipv6: fix lwtunnel loops in ioam6, rpl and seg6 On Tue, Feb 11, 2025 at 11:16:23PM +0100, Justin Iurman wrote: > When the destination is the same post-transformation, we enter a > lwtunnel loop. This is true for ioam6_iptunnel, rpl_iptunnel, and > seg6_iptunnel, in both input() and output() handlers respectively, where > either dst_input() or dst_output() is called at the end. It happens for > instance with the ioam6 inline mode, but can also happen for any of them > as long as the post-transformation destination still matches the fib > entry. Note that ioam6_iptunnel was already comparing the old and new > destination address to prevent the loop, but it is not enough (e.g., > other addresses can still match the same subnet). > > Here is an example for rpl_input(): > > dump_stack_lvl+0x60/0x80 > rpl_input+0x9d/0x320 > lwtunnel_input+0x64/0xa0 > lwtunnel_input+0x64/0xa0 > lwtunnel_input+0x64/0xa0 > lwtunnel_input+0x64/0xa0 > lwtunnel_input+0x64/0xa0 > [...] > lwtunnel_input+0x64/0xa0 > lwtunnel_input+0x64/0xa0 > lwtunnel_input+0x64/0xa0 > lwtunnel_input+0x64/0xa0 > lwtunnel_input+0x64/0xa0 > ip6_sublist_rcv_finish+0x85/0x90 > ip6_sublist_rcv+0x236/0x2f0 > > ... until rpl_do_srh() fails, which means skb_cow_head() failed. > > This patch prevents that kind of loop by redirecting to the origin > input() or output() when the destination is the same > post-transformation. A loop was reported a few months ago with a similar stack trace: https://lore.kernel.org/netdev/2bc9e2079e864a9290561894d2a602d6@akamai.com/ But even with this series applied my VM gets stuck. Can you please check if the fix is incomplete?
Powered by blists - more mailing lists