lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250311141238.19862-1-justin.iurman@uliege.be>
Date: Tue, 11 Mar 2025 15:12:31 +0100
From: Justin Iurman <justin.iurman@...ege.be>
To: netdev@...r.kernel.org
Cc: davem@...emloft.net,
	dsahern@...nel.org,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	horms@...nel.org,
	justin.iurman@...ege.be
Subject: [PATCH net 0/7] net: fix lwtunnel reentry loops

When the destination is the same after the transformation, we enter a
lwtunnel loop. This is true for most of lwt users: ioam6, rpl, seg6,
seg6_local, ila_lwt, and lwt_bpf. It can happen in their input() and
output() handlers respectively, where either dst_input() or dst_output()
is called at the end. It can also happen in xmit() handlers. This patch
prevents that kind of reentry loop by redirecting to the origin input()
or output() when the destination is the same after the transformation.

Here is an example for rpl_input():

dump_stack_lvl+0x60/0x80
rpl_input+0x9d/0x320
lwtunnel_input+0x64/0xa0
lwtunnel_input+0x64/0xa0
lwtunnel_input+0x64/0xa0
lwtunnel_input+0x64/0xa0
lwtunnel_input+0x64/0xa0
[...]
lwtunnel_input+0x64/0xa0
lwtunnel_input+0x64/0xa0
lwtunnel_input+0x64/0xa0
lwtunnel_input+0x64/0xa0
lwtunnel_input+0x64/0xa0
ip6_sublist_rcv_finish+0x85/0x90
ip6_sublist_rcv+0x236/0x2f0

... until rpl_do_srh() fails, which means skb_cow_head() failed.

Justin Iurman (7):
  net: ipv6: ioam6: fix lwtunnel_output() loop
  net: ipv6: rpl: fix lwtunnel_input/output loop
  net: ipv6: seg6: fix lwtunnel_input/output loop
  net: ipv6: seg6_local: fix lwtunnel_input() loop
  net: ipv6: ila: fix lwtunnel_output() loop
  net: core: bpf: fix lwtunnel_input/xmit loop
  selftests: net: test for lwtunnel dst ref loops

 net/core/lwt_bpf.c                            |  21 ++
 net/ipv6/ila/ila_lwt.c                        |   8 +
 net/ipv6/ioam6_iptunnel.c                     |   8 +-
 net/ipv6/rpl_iptunnel.c                       |  14 +
 net/ipv6/seg6_iptunnel.c                      |  37 ++-
 net/ipv6/seg6_local.c                         |  85 +++++-
 tools/testing/selftests/net/Makefile          |   1 +
 tools/testing/selftests/net/config            |   2 +
 .../selftests/net/lwt_dst_cache_ref_loop.sh   | 250 ++++++++++++++++++
 9 files changed, 412 insertions(+), 14 deletions(-)
 create mode 100755 tools/testing/selftests/net/lwt_dst_cache_ref_loop.sh

-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ