lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <67db0295aca11_1367b2949e@willemb.c.googlers.com.notmuch>
Date: Wed, 19 Mar 2025 13:44:53 -0400
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Paolo Abeni <pabeni@...hat.com>, 
 Willem de Bruijn <willemdebruijn.kernel@...il.com>, 
 netdev@...r.kernel.org
Cc: "David S. Miller" <davem@...emloft.net>, 
 David Ahern <dsahern@...nel.org>, 
 Eric Dumazet <edumazet@...gle.com>, 
 Jakub Kicinski <kuba@...nel.org>, 
 Simon Horman <horms@...nel.org>, 
 Willem de Bruijn <willemb@...gle.com>, 
 steffen.klassert@...unet.com
Subject: Re: [PATCH net-next] udp_tunnel: properly deal with xfrm gro encap.

Paolo Abeni wrote:
> 
> 
> On 3/19/25 3:35 PM, Willem de Bruijn wrote:
> > Paolo Abeni wrote:
> >> The blamed commit below does not take in account that xfrm
> >> can enable GRO over UDP encapsulation without going through
> >> setup_udp_tunnel_sock().
> >>
> >> At deletion time such socket will still go through
> >> udp_tunnel_cleanup_gro(), and the failed GRO type lookup will
> >> trigger the reported warning.
> >>
> >> We can safely remove such warning, simply performing no action
> >> on failed GRO type lookup at deletion time.
> >>
> >> Reported-by: syzbot+8c469a2260132cd095c1@...kaller.appspotmail.com
> >> Closes: https://syzkaller.appspot.com/bug?extid=8c469a2260132cd095c1
> >> Fixes: 311b36574ceac ("udp_tunnel: use static call for GRO hooks when possible")
> >> Signed-off-by: Paolo Abeni <pabeni@...hat.com>
> > 
> > Because XFRM does not call udp_tunnel_update_gro_rcv when enabling its
> > UDP GRO offload, from set_xfrm_gro_udp_encap_rcv. But it does call it
> > when disabling the offload, as called for all udp sockest from
> > udp(v6)_destroy_sock. (Just to verify my understanding.)
> 
> Exactly.
> 
> > Not calling udp_tunnel_update_gro_rcv on add will have the unintended
> > side effect of enabling the static call if one other tunnel is also
> > active, breaking UDP GRO for XFRM socket, right?
> 
> Ouch, right again. I think we can/should do better.
> 
> Given syzkaller has found another splat with no reproducer on the other
> UDP GRO change of mine [1] and we are almost at merge window time, I'm
> considering reverting entirely such changes and re-submit later
> (hopefully fixed). WDYT?

Your call. I suspect that we can forward fix this. But yes, that is
always the riskier approach. And from a first quick look at the
report, the right fix is not immediately glaringly obvious indeed.

> Thanks,
> 
> Paolo
> 
> [1] https://syzkaller.appspot.com/bug?extid=1fb3291cc1beeb3c315a
> I *think* moving:
> 
> 	if (!up->tunnel_list.pprev)
> 
> from udp_tunnel_cleanup_gro() into udp_tunnel_update_gro_lookup(), under
> the udp_tunnel_gro_lock spinlock should fix it, but without a repro it's
> a bit risky,
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ